Red Hat build of Keycloak
RHBK-3701

Valid scope parameter in access token request is rejected with invalid_scope error [GHI#42877]

      Area

      oidc

      Describe the bug

      A valid OIDC/OAuth2 token request is rejected with error code invalid_scope in case the token request contains a valid scope parameter which includes at least 2 scopes which use dynamic scope format.

      It seems this regression was introduced with the commit https://github.com/keycloak/keycloak/commit/8f9d02c3057205129e08872943505829286500d7 related to pull request https://github.com/keycloak/keycloak/pull/39752 and issue https://github.com/keycloak/keycloak/issues/39402.

      The issue is also present if the experimental feature DYNAMIC_SCOPES is disabled. The code introduced in the PR above is not guarded by a feature enabled check.

      Version

      26.3.4

      Regression

      [x] The issue is a regression

      Expected behavior

      A valid OIDC/OAuth2 token request should not be rejected with an error.

      Actual behavior

      Keycloak responds with HTTP 400 and error code invalid_scope.

      How to Reproduce?

      1. Keep experimental Keycloak feature DYNAMIC_SCOPES disabled.
      2. Create two scopes where the second scope has the name of the first scope as a prefix, followed by a : separator and any suffix. For example scope1 and scope1:A.
      3. Create a client (for example client_1 with client_credentials flow enabled) and configure both previously created scopes as default scopes.
      4. Make a simple token request which explicitly includes both scopes in the token request parameter. For example with a simple curl HTTP request.

      curl -X POST --location "https://<keycloak_host>/realms/<realm>/protocol/openid-connect/token" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=test_client&client_secret=<client_secret>&scope=scope1 scope1:A'

      The response from Keycloak is

      {"error":"invalid_scope","error_description":"Invalid scopes: scope1 scope1:A"}

      If you only request a single scope or do not include any scope parameter at all everything is working as expected because the problematic code only kicks in if there are multiple scopes with a specific format. See https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L643 as reference.
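      The following script is an added example, not code from this report or from Keycloak: it flags client-scope names that match the trigger condition described above (a scope plus a second scope named prefix:suffix), builds the same client_credentials request body the curl command sends, and classifies a token-endpoint reply as the reported HTTP 400 invalid_scope rejection. It does not model Keycloak's internal scope matching; the scope list and the response body are constructed from the reproduction steps.

```python
"""Affected-configuration check for the invalid_scope regression described in
RHBK-3701. Added example, not Keycloak code. Scope names and the JSON reply
below are constructed from the report's reproduction steps."""
import json
from urllib.parse import urlencode


def colliding_scope_pairs(scope_names):
    """Return (base, derived) pairs where derived == base + ':' + suffix.

    Requesting both members of such a pair in a single token request is the
    condition the report gives for the invalid_scope rejection.
    """
    names = set(scope_names)
    pairs = []
    for name in sorted(names):
        base, sep, suffix = name.partition(":")
        if sep and suffix and base in names:
            pairs.append((base, name))
    return pairs


def token_request_body(client_id, client_secret, scopes):
    """Build the x-www-form-urlencoded body of the report's curl request
    (client_credentials grant, explicit space-separated scope parameter)."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    })


def is_reported_rejection(status_code, body):
    """True if the reply is the HTTP 400 / invalid_scope response from the report."""
    if status_code != 400:
        return False
    try:
        err = json.loads(body)
    except ValueError:
        return False
    return err.get("error") == "invalid_scope"


if __name__ == "__main__":
    # Constructed realm scope list mirroring step 2 of the reproduction.
    realm_scopes = ["openid", "profile", "scope1", "scope1:A", "other:B"]
    print(colliding_scope_pairs(realm_scopes))  # [('scope1', 'scope1:A')]
    print(token_request_body("test_client", "<client_secret>", ["scope1", "scope1:A"]))
    # Constructed reply copied from the report's observed response.
    reply = '{"error":"invalid_scope","error_description":"Invalid scopes: scope1 scope1:A"}'
    print(is_reported_rejection(400, reply))  # True
```

      Running colliding_scope_pairs over a realm's scope names lists exactly the scope combinations that a client must not request together on an affected version.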

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Component: Keycloak Core Clients