Keycloak / KEYCLOAK-3237

OIDC specs requires scope=openid to be used in Authentication request

    Details

    • Type: Enhancement
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.0.0.Final
    • Fix Version/s: 2.1.0.CR1
    • Component/s: None
    • Labels: None

      Description

      Per the OIDC Core spec, "scope" is a REQUIRED parameter in the Authorization Endpoint request. The spec mentions this in 3.1.2.1:

      scope
          REQUIRED. OpenID Connect requests MUST contain the 'openid' scope value. If the 'openid'
          scope value is not present, the behavior is entirely unspecified. Other scope
          values MAY be present. Scope values used that are not understood by an implementation SHOULD
          be ignored. See Sections 5.4 and 11 for additional scope values defined by
          this specification.

      So my understanding is (also per some other sections) that an OIDC request must always have "scope=openid"; otherwise it's just an OAuth2 request.

      Hence what we should likely do is:

      • Add "scope=openid" to be always used in our adapters by default
      • Remove IDToken from the auth-server response if "scope=openid" is not used as then it's not OIDC request.

      For the second scenario, we will likely first need to document it and then remove it some releases later, as there is a potential issue with backwards compatibility. Especially a scenario like:

      • Someone uses KC auth-server 2.0 but with KC adapter 1.9
      • Older adapter won't send "scope=openid" in the request
      • KC server won't send IDToken (new behaviour)
      • People complain "Hey, I've upgraded my KC server and now I can't see IDToken in my app"
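The two proposed changes and the compatibility scenario above, as an added illustration that is not Keycloak's code: an adapter-side URL builder that always includes the `openid` scope, and a server-side token-response builder that includes `id_token` only when the request carried `openid` (OIDC Core 3.1.2.1). The endpoint, client id, redirect URI and token strings are constructed sample values; `legacy_adapter_url` stands in for an older adapter that omits the scope parameter.

```python
from urllib.parse import urlencode, parse_qs, urlparse


def parse_scopes(scope_param):
    """Split the space-delimited OAuth2 'scope' parameter into a set of values.
    A missing (None) or empty parameter yields an empty set."""
    if not scope_param:
        return set()
    return set(scope_param.split())


def is_oidc_request(scope_param):
    """Per OIDC Core 3.1.2.1 a request is an OpenID Connect request only if
    'openid' is among its scope values; otherwise it is a plain OAuth2 request."""
    return "openid" in parse_scopes(scope_param)


def build_auth_url(auth_endpoint, client_id, redirect_uri, state, extra_scopes=()):
    """Adapter side (proposal 1): always put 'openid' first in the scope parameter,
    then any additional scopes the application asked for, without duplicating it."""
    scopes = ["openid"] + [s for s in extra_scopes if s != "openid"]
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def scope_from_auth_url(url):
    """Server side: read the 'scope' parameter back out of an authorization
    request URL; returns None when the parameter is absent (older adapters)."""
    return parse_qs(urlparse(url).query).get("scope", [None])[0]


def token_response(requested_scope, access_token, id_token):
    """Server side (proposal 2): build the token endpoint response and include
    the ID token only if the original request was an OIDC request."""
    resp = {
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": 300,
        "scope": " ".join(sorted(parse_scopes(requested_scope))),
    }
    if is_oidc_request(requested_scope):
        resp["id_token"] = id_token
    return resp


# Constructed sample values (placeholders, not a real deployment).
AUTH_ENDPOINT = "https://auth.example.com/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "my-app"
REDIRECT_URI = "https://app.example.com/callback"

# An older adapter that never sends 'scope' at all (constructed example URL).
legacy_adapter_url = f"{AUTH_ENDPOINT}?" + urlencode({
    "response_type": "code",
    "client_id": CLIENT_ID,
    "redirect_uri": REDIRECT_URI,
    "state": "abc",
})

if __name__ == "__main__":
    new_url = build_auth_url(AUTH_ENDPOINT, CLIENT_ID, REDIRECT_URI, "abc", ["profile"])
    for label, url in (("new adapter", new_url), ("legacy adapter", legacy_adapter_url)):
        scope = scope_from_auth_url(url)
        resp = token_response(scope, "sample-access-token", "sample-id-token")
        print(f"{label}: scope={scope!r} -> id_token present: {'id_token' in resp}")
```

Run as a script it shows the scenario from the description: the new adapter's request contains `openid` and gets an ID token, while the legacy request without a scope parameter gets a plain OAuth2 response with no `id_token`.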

              People

              Assignee:
              mposolda Marek Posolda
              Reporter:
              mposolda Marek Posolda
              Votes:
              0
              Watchers:
              3