[keycloak-user] OAuth scopes in Keycloak

Marek Posolda mposolda at redhat.com
Wed Aug 24 06:02:45 EDT 2016


On 24/08/16 10:58, Adrian Gonzalez wrote:
> Thanks Marek for the anwser !
>
> I created https://issues.jboss.org/browse/KEYCLOAK-3467 and linked it 
> to 349.
> Do you know if you'll map OAuth scopes with keycloak roles when you'll 
> implement those features ?
We plan something more flexible. So for example, you will be able to 
configure that value "foo" of scope parameter means that you want roles 
"role1" + "role2" and protocolMappers "firstName" + "lastName" .

Right now, we already have some limited support for scope parameter, 
where the value of scope parameter is mapped to exactly one role and it 
must match the role name (for realm roles. For client roles it's like 
"clientName/roleName" ).

With your example below, if you will add realm role "hello.say" and 
configure it with "scope parameter required" to true, then this role 
will be used in token just if you use the scope parameter "hello.say" as 
you did. That should work already.

Marek
>
> Thanks once more !
> Adrian
>
> ------------------------------------------------------------------------
> *De :* Marek Posolda <mposolda at redhat.com>
> *À :* Adrian Gonzalez <adr_gonzalez at yahoo.fr>; 
> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> *Envoyé le :* Mercredi 24 août 2016 10h38
> *Objet :* Re: [keycloak-user] OAuth scopes in Keycloak
>
> Hi,
>
> we don't add "scope" to responses right now. Can you please create 
> JIRA and link it with another JIRA 
> https://issues.jboss.org/browse/KEYCLOAK-349 ?
>
> Thanks,
> Marek
>
> On 23/08/16 18:44, Adrian Gonzalez wrote:
>> Hello,
>>
>> I'm using Keycloak for the first time, so sorry if this is a newbie 
>> question.
>>
>> When I use keycloak, oauth scope attribute is never present in 
>> keycloak tokenEndpoint responses and in introspect responses.
>>
>> From the specs, it scope attribute should be present when calling 
>> token and tokenIntrospect endpoint, but it's never returned by 
>> keycloak endpoints :
>>  * token endpoint response - see [2] for a sample
>>    from https://tools.ietf.org/html/rfc6749#section-5.1
>> <quote>scope OPTIONAL, if identical to the scope requested by the 
>> client; otherwise, REQUIRED</quote>
>>  * token introspection see [3] for a sample
>>    from https://tools.ietf.org/html/rfc7662#section-2.2
>>    <quote>scope OPTIONAL.  A JSON string containing a space-separated 
>> list of
>> scopes associated with this token, in the format described in
>>       Section 3.3 of OAuth 2.0 [RFC6749].</quote>
>> Oups... optional in the spec ??? what's the introspection use then ???
>>
>> I know I can key roles from keycloak JWT AT (in realm_access.roles 
>> for instance), but it's not in OAuth specs and I would like to stick 
>> with the standard.
>>
>> Am I doing something wrong ?
>>
>> I'm using Keycloak with a Spring Boot application (using Spring OAuth 
>> library - I know there's a Spring keycloak adapter, but since my 
>> application uses others OIDC / OAuth provider I would like to stick 
>> with Spring OAuth), and since no scope attribute is present in the 
>> responses, I've receive no scope in my application.
>>
>> I've tested with a sample role hello.say.
>> I created a realm role of the same name, and assigned it to me test user.
>> I've made sure my application request this scope during authorization 
>> request.
>>
>> Here's my spring configuration (requesting a hello.say scope), more 
>> exactly :
>> spring: profiles: keycloak
>> security: oidc: client: expectedIssuer: 
>> http://localhost:8180/auth/realms/demo
>>        keyUri: 
>> http://localhost:8180/auth/realms/demo/protocol/openid-connect/certs
>>    oauth2: client: clientId: sample-resource-server
>>        clientSecret: 55175ff5-23d4-487c-a572-67d9715ea765
>>        scope: openid refreshToken hello.say
>>        access-token-uri: 
>> http://localhost:8181/auth/realms/demo/protocol/openid-connect/token
>>        user-authorization-uri: 
>> http://localhost:8181/auth/realms/demo/protocol/openid-connect/auth
>>      resource: serviceId: ${PREFIX:}resource
>>        tokenInfoUri: 
>> http://localhost:8181/auth/realms/demo/protocol/openid-connect/token/introspect
>>
>> Really sorry for the long mail
>>
>> Thanks for the help !
>> Adrian
>>
>> [1] Sample token request
>> grant_type=authorization_code&code=Av9RoU-sonFW989gBicCwmXSNDLKX5bIGxUKjT4NTH8.dd753cf2-e1df-47ff-84e0-7cbb74a8f928&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Flogin
>>
>> [2] Sample token response (no scope attribute - whether my user has 
>> or no the hello.say role) :
>> {"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI3YmIzYzc0OS1jMzJhLTRkODgtOTY4OC03OGU4YmNkMGZmNDUiLCJleHAiOjE0NzE5Njk0MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzYW1wbGUtYXBwbGljYXRpb24tY2xpZW50IiwiYXV0aF90aW1lIjoxNDcxOTY5MTA0LCJzZXNzaW9uX3N0YXRlIjoiN2U2ZTlhNzYtYmVjNC00ZGVkLThiNDktZjcyODA5ZTAzZDY3IiwiYWNyIjoiMSIsImNsaWVudF9zZXNzaW9uIjoiZGQ3NTNjZjItZTFkZi00N2ZmLTg0ZTAtN2NiYjc0YThmOTI4IiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9sb2NhbGhvc3Q6OTk5OSJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iLCJoZWxsby5zYXkiXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50Iiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6InRlc3! 
>> QgdGVzdCIs 
>> InByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdCIsImZhbWlseV9uYW1lIjoidGVzdCIsImVtYWlsIjoiYWRyX2dvbnphbGV6QHlhaG9vLmZyIn0.MVBAjfOnJkXHij0Dm8ERFpTwNqximL8OPZEziAhGPTHgj-yJvVtf7WF-9FdbJV_e9_Lx-2ZOOA_xvWlgFtc7qkAojfNiAjb_I40L8-JkqeHid2Wv6MtmzRusGO8aKmO1HJIoy8o5bFVSP57-cSZcgDAfkoUTG-qfx5QDSM2qyTNQ-KfagmfjTm1CAo12F_SY6p3-B1xKEOeD-1PpLc0HhrUuz1qst4gfyIbXbQTWEelDO6UB9Z-w24cVfhs9by2mu8BOdaRtUydzIGq3TPElMyxnElbTvf4Z6XZ8nhNMONEN93yxCfwfQbb__k4-9FiXNnnzDgz_WBXNAlTNfPSdSA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI3OWE3OGM4NS01YTBhLTQxODUtODE3Yy1kM2QwNWFmYzExMWEiLCJleHAiOjE0NzE5NzA5MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoic2FtcGxlLWFwcGxpY2F0a! 
>> W9uLWNsaWV 
>> udCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjdlNmU5YTc2LWJlYzQtNGRlZC04YjQ5LWY3MjgwOWUwM2Q2NyIsImNsaWVudF9zZXNzaW9uIjoiZGQ3NTNjZjItZTFkZi00N2ZmLTg0ZTAtN2NiYjc0YThmOTI4IiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIiwiaGVsbG8uc2F5Il19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX19.C-HM0bARqyZABW3lR6UiTWKzA5JVq74R1apUu_LvGWHbFGR9TE7EbyqKD4iwHFZSiBj_xP46g3HPQY6cYA3NXmgDYTRI4mqxLOfIqLhAgMBBM5-AYR3UqQyI9MAsqc_BA8fjwUCPv-gpvUnANliSnoYPiaa-dUeFV18TsR_sUShudoDv27RYpjoVjAXCjbAn2gg7_AI0lFtZ3RoxSdmOQXG_HBbYo7gV-31y-jBbR5kLlfMYYGYIr6_ZVvLAFlADgcXug7MTD8ZTf5S76Wb-eDbHyc6Pb7vAgRPtLKRaElyIcGXILmVNo2A8e8557QWgpJRbfqAu8ZWYKGKkz-yUBQ","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI4NDg4Y2ZjYy1jOTllLTQyN2ItYmJiZS1hM2FhYmZkM2ZmZjAiLCJleHAiOjE0NzE5Njk0MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0O! 
>> jgxODAvYXV 
>> 0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJJRCIsImF6cCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJhdXRoX3RpbWUiOjE0NzE5NjkxMDQsInNlc3Npb25fc3RhdGUiOiI3ZTZlOWE3Ni1iZWM0LTRkZWQtOGI0OS1mNzI4MDllMDNkNjciLCJhY3IiOiIxIiwibmFtZSI6InRlc3QgdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdCIsImZhbWlseV9uYW1lIjoidGVzdCIsImVtYWlsIjoiYWRyX2dvbnphbGV6QHlhaG9vLmZyIn0.NiNe0c7ED_K9ILBodi_Qrs9zmxnM_A1oOXLqap4yzhflw5APIxV_KM_dxZrH_dhAGyPpQsofK62GryVuEz-UShqjnT7nhNPxXJ1p9pyD-r9wSqh9e6unFKfeL7vYP4lLe-bz7xzrfe_PEgpZfhMACirwBo5HAIYJNdi8QujBAAwEwEbQUJGwiOTIDDFpo2Cm1UtgobYHgdpliaFRZ-xFudxIDPGWeHhIBGStNdexaPk5kgbVuISKqqreCTnRIqws9MCbg0YNAcPzQEMITifYzobdmHQtIcaDUKcM5Hjuyc9rjfaRp4wzyM9hN_xn2JAz2-cbg6IizxblQ_IQPDU9_Q","not-before-policy":0,"session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67"}
>>
>>
>>
>> [3] Sample token introspection response - there's no scope here :
>> {
>> "jti":"7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
>> "exp":1471969404,
>> "nbf":0,
>> "iat":1471969104,
>> "iss":"http://localhost:8180/auth/realms/demo" 
>> <http://localhost:8180/auth/realms/demo>,
>> "aud":"sample-application-client",
>> "sub":"368d8948-86db-437a-8669-19ab8b07a816",
>> "typ":"Bearer",
>> "azp":"sample-application-client",
>> "auth_time":1471969104,
>> "session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67",
>> "name":"test test",
>> "given_name":"test",
>> "family_name":"test",
>> "preferred_username":"test",
>> "email":"adr_gonzalez at yahoo.fr" <mailto:adr_gonzalez at yahoo.fr>,
>> "acr":"1",
>> "client_session":"dd753cf2-e1df-47ff-84e0-7cbb74a8f928",
>> "allowed-origins":[
>> "http://localhost:9999" <http://localhost:9999/>
>> ],
>> "realm_access":{
>> "roles":[
>> "uma_authorization",
>> "hello.say"
>> ]
>> },
>> "resource_access":{
>> "account":{
>> "roles":[
>> "manage-account",
>> "view-profile"
>> ]
>> }
>> },
>> "client_id":"sample-application-client",
>> "username":"test",
>> "active":true
>>
>> }
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/bb1e3c8c/attachment-0001.html 


More information about the keycloak-user mailing list