Invalid Scope #25

Closed
leo-ural opened this issue May 8, 2020 · 7 comments

Comments


leo-ural commented May 8, 2020

We used this library to authenticate users via Keycloak, but recently the auth flow has faulted. The reason for the error is an incorrect scope parameter sent to Keycloak during auth (from Keycloak's log):

16:13:10,768 ERROR [org.keycloak.services] (default task-54) KC-SERVICES0093: Invalid parameter value for: scope

If we take a look at the request URL, we find a comma between the two scopes sent to Keycloak:

http://some-host/auth/realms/lukoil/protocol/openid-connect/auth?state=6295e030c7925245329dc6a2e49f1ff3&scope=name%2Cemail&response_type=code&approval_prompt=auto&redirect_uri=http://some-host&client_id=client

From a Server Administration Guide (https://www.keycloak.org/docs/latest/server_admin/):

The scope parameter contains the string, with the scope values divided by space (which is also the reason why a client scope name cannot contain a space character in it).

If we change the source code of the function getDefaultScopes() (https://github.com/stevenmaguire/oauth2-keycloak/blob/master/src/Provider/Keycloak.php#L177) from:

return ['name', 'email'];

to:

return ['profile email'];

then the auth flow is fixed.

Notice that the scope 'name' does not exist by default (https://www.keycloak.org/docs/latest/server_admin/#_client_scopes), so we replaced it with 'profile'.

Please check the auth flow with the latest Keycloak release and fix the issue if it persists.
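The two defects described above (comma separator and the non-existent 'name' scope) can be worked around in application code without patching the vendor file. The following is an added example, not code from the oauth2-keycloak project or from any commenter: it subclasses the provider, overrides the scope separator that league/oauth2-client's AbstractProvider defaults to a comma, replaces the default scopes, and then checks the generated authorization URL so the KC-SERVICES0093 rejection is caught before a user is redirected. The host, realm, client id, secret and redirect URI are placeholders.

```php
<?php
// Added example (not from the oauth2-keycloak project): a local subclass that
// applies both corrections from this thread without editing vendor code.
// Assumes league/oauth2-client and stevenmaguire/oauth2-keycloak are installed
// via Composer; every host, realm and client value below is a placeholder.
require __DIR__ . '/vendor/autoload.php';

use Stevenmaguire\OAuth2\Client\Provider\Keycloak;

class SpaceScopedKeycloak extends Keycloak
{
    // OAuth 2.0 / OpenID Connect define scope as a space-delimited list.
    // AbstractProvider's default separator is a comma, which Keycloak
    // rejects with "KC-SERVICES0093: Invalid parameter value for: scope".
    protected function getScopeSeparator()
    {
        return ' ';
    }

    // 'name' is not a built-in Keycloak client scope; 'profile' is.
    protected function getDefaultScopes()
    {
        return ['profile', 'email'];
    }
}

// Returns true when the scope query parameter is present and contains no
// comma, i.e. the request will pass Keycloak's scope parsing.
function scopeIsSpaceDelimited(string $authorizationUrl): bool
{
    $query = [];
    parse_str((string) parse_url($authorizationUrl, PHP_URL_QUERY), $query);

    return isset($query['scope']) && strpos($query['scope'], ',') === false;
}

$provider = new SpaceScopedKeycloak([
    'authServerUrl' => 'https://keycloak.example.invalid/auth',   // placeholder
    'realm'         => 'example-realm',                           // placeholder
    'clientId'      => 'example-client',                          // placeholder
    'clientSecret'  => 'example-secret',                          // placeholder
    'redirectUri'   => 'https://app.example.invalid/callback',    // placeholder
]);

$url = $provider->getAuthorizationUrl();

// Store $provider->getState() in the session here and compare it on the
// callback; the library relies on the caller for that CSRF check.

echo $url, PHP_EOL;
echo scopeIsSpaceDelimited($url)
    ? "scope is space-delimited\n"
    : "scope is still comma-separated; check getScopeSeparator()\n";
```

With the override in place the generated URL carries `scope=profile%20email` instead of `scope=name%2Cemail`; the check function is a cheap guard to keep in an integration test so a future library upgrade that reverts the separator is noticed before it reaches users.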

@KevinMartinsDev

Hello, I confirm the problem occurs after the update to Keycloak 10.0.1.


graste commented May 30, 2020

I think #23 "Change default scope separator to space" is the relevant pull request that fixes this?

@KevinMartinsDev

@stevenmaguire ?


Eugentis commented Sep 4, 2020

You can try changing the method \Stevenmaguire\OAuth2\Client\Provider\Keycloak::getDefaultScopes

In this lib it returns ['name', 'email'].
Usually Keycloak uses at least the email scope. Your realm may not use the name scope.

@daviddelannoy

Hi,

Any plan to fix this in a coming release? I confirm that we reproduce the problem with KC 10.0.1 and oauth2-keycloak 2.1.0.

The fix proposed by @leo-ural works fine.

Adding a name scope to our KC realm is definitely not an option.

Thanks

@mstefan21 (Collaborator)

Released new version 2.2.0 with the scope separator fixed to a space.


schu commented Oct 21, 2020

@mstefan21 please note that this was about two issues: a wrong separator and a wrong default scope (name should be profile). 789d11b fixed the first issue.

New issue regarding the other problem: #30
