  1. Keycloak
  2. KEYCLOAK-14412

keycloak.js ignores custom scope when onLoad: 'login-required' is used

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 10.0.2
    • Fix Version/s: None
    • Component/s: Adapter - JavaScript
    • Labels:
      None

      Description

      It seems that the custom scope value provided in the Keycloak config is ignored when onLoad: 'login-required' is used.

      The documentation for the JS Adapter says in section: Passing a custom scope value
      https://www.keycloak.org/docs/latest/securing_apps/#_javascript_adapter

         By default, the scope value openid is passed as a query parameter to Keycloak’s login URL, but you can add an additional custom value:
          var keycloak = new Keycloak({ scope: 'offline_access' })
      

      If I try to pass custom scopes via the scope parameter of the Keycloak config object, I can see that they are ignored and not passed on to the Keycloak login URL.

      onLoad: 'login-required' handler:
      https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L298

      The options parameter in the doLogin(..) function, which is passed to keycloak.login(options), is empty or null.
      https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L248

      keycloak.login function:
      https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L368

      I think the keycloak.doLogin(..) function needs to apply the scope from the Keycloak config object to the options object if no explicit scope is present on the options object.

      As a workaround, I monkey-patched the login function by passing the proper scope values.
      See example below:

      
      let keycloakUrl = "http://id.local/auth"
      
      var script = document.createElement('script');
      script.type = 'text/javascript';
      script.src = keycloakUrl+"/js/keycloak.js";
      
      document.getElementsByTagName('head')[0].appendChild(script);
      
      window.onload = function () {
        window.keycloak = new Keycloak({
          url: keycloakUrl,
          realm: 'acme',
          clientId: 'demo',
          // this is not used during login!!!
          scope: "openid acme.profile.email.read acme.profile.name.read"
        });
      
        // HACK Monkey Patch
        window.keycloak._login = window.keycloak.login;
        window.keycloak.login = function(options) {
          if (options) {
            options.scope="openid acme.profile.email.read acme.profile.name.read";
          }
          return window.keycloak._login.apply(window.keycloak, [options]);
        };
      
        keycloak.init({onLoad: 'login-required', checkLoginIframe: true, checkLoginIframeInterval: 1, pkceMethod: 'S256'})
          .success(function () {
      
            if (keycloak.authenticated) {
              showProfile();
            } else {
              welcome();
            }
      
            document.body.style.display = 'block';
          });
      
        keycloak.onAuthLogout = welcome;
      };
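
The fallback the report proposes (use the config scope when the login options carry none), written as a standalone wrapper that also handles null options and keeps an explicit scope. This is an added example, not code from the issue or from keycloak.js; `resolveLoginScope`, `applyConfigScope` and the stub adapter are hypothetical names, and the scope values are the ones from the report.

```javascript
// Added example, not Keycloak's own code. All helper names are hypothetical.

// Compute the scope string for a login request.
// An explicit options.scope wins; otherwise fall back to the config scope.
// 'openid' is always included, and duplicate values are dropped.
function resolveLoginScope(configScope, options) {
  const explicit = options && typeof options.scope === 'string' ? options.scope.trim() : '';
  const chosen = explicit || (typeof configScope === 'string' ? configScope.trim() : '');
  const values = ['openid'].concat(chosen.split(/\s+/).filter(Boolean));
  return Array.from(new Set(values)).join(' ');
}

// Wrap kc.login so every call, including the one made internally for
// onLoad: 'login-required', carries the resolved scope.
function applyConfigScope(kc, configScope) {
  const originalLogin = kc.login;
  kc.login = function (options) {
    // Copy instead of mutating the caller's object; tolerate null/undefined.
    const merged = Object.assign({}, options, {
      scope: resolveLoginScope(configScope, options)
    });
    return originalLogin.call(kc, merged);
  };
  return kc;
}

// Constructed stand-in for the adapter instance: records what login() receives.
function makeStubAdapter() {
  const calls = [];
  return { calls, login(options) { calls.push(options); return options; } };
}

function demo() {
  const scope = 'openid acme.profile.email.read acme.profile.name.read';
  const kc = applyConfigScope(makeStubAdapter(), scope);
  kc.login({});   // empty options, as in the login-required path described above
  kc.login(null); // null options
  kc.login({ scope: 'offline_access', prompt: 'none' }); // explicit scope wins
  return kc.calls;
}
```

With the real adapter, `applyConfigScope(window.keycloak, scope)` would be called before `keycloak.init(...)`, in the same place as the monkey patch above.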
      

              People

              • Assignee:
                mitko Michal Hajas
                Reporter:
                tdarimont Thomas Darimont
                Involved:
                Erik Jan de Wit