Details
Description
When signing in to the developer portal, the `< > Authenticate with Red Hat Single Sign-On` button links to the following URL:
- https://<MY_KEYCLOAK_URL>/auth/realms/<MY_REALM>/protocol/openid-connect/auth?client_id=<MY_CLIENT>&redirect_uri=<MY_REDIRECT_URI>&response_type=code&scope
In the Developer Portal, I have the following Liquid tag:
{% for authorization in current_user.sso_authorizations %}<p>{{ authorization.id_token }}</p>
{% endfor %}
After logging in through that URL, the id_token attribute of the authorization object is empty.
If I manually edit the URL this way before submitting the request:
- https://<MY_KEYCLOAK_URL>/auth/realms/<MY_REALM>/protocol/openid-connect/auth?client_id=<MY_CLIENT>&redirect_uri=<MY_REDIRECT_URI>&response_type=code&scope=openid
(I added a value to the scope query parameter)
The id_token appears correctly. I believe the scope query parameter is missing the openid value in the URL.
Dev note
mcassola: "If the authorization by the SSO server still succeeds without the scope in the URL, I guess then that we are not considering the (default) scope requested in the flow while afterwards creating the SSO authorization record of the user. Maybe missing that parameter in the callback makes us create a shallow SSO authorization record? On the other hand, if the SSO server refuses to proceed with the authorization flow, then it's about fixing the initial URL."
The OpenID Connect specification requires the openid scope:
OpenID Connect defines the following scope values: openid REQUIRED. Informs the Authorization Server that the Client is making an OpenID Connect request. If the openid scope value is not present, the behavior is entirely unspecified.
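The following is an added example, not code from the developer portal or from Keycloak: it parses an authorization URL of the shape reported above, flags a request whose scope parameter lacks the mandatory openid value (and so will not yield an id_token), and shows the corrected URL. The host, realm, client and redirect URI are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OPENID_SCOPE = "openid"

# Constructed placeholder URL in the same shape as the one the portal emits:
# the scope parameter is present but carries no value.
BROKEN_AUTH_URL = (
    "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth"
    "?client_id=portal&redirect_uri=https%3A%2F%2Fportal.example.test%2Fcb"
    "&response_type=code&scope"
)


def scopes_of(url: str) -> list[str]:
    """Return the space-separated scope values found in the query string.

    keep_blank_values=True makes a bare '&scope' (no '=') show up as an
    empty value instead of being silently dropped by the parser.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    joined = " ".join(value for name, value in params if name == "scope")
    return joined.split()


def requests_id_token(url: str) -> bool:
    """True only if the request is an OpenID Connect request per the spec,
    i.e. the openid scope is present; otherwise no id_token can be expected."""
    return OPENID_SCOPE in scopes_of(url)


def ensure_openid_scope(url: str) -> str:
    """Return the URL with openid added to the scope, keeping every other
    query parameter and its value intact."""
    if requests_id_token(url):
        return url
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    fixed = [(name, value) for name, value in params if name != "scope"]
    fixed.append(("scope", " ".join([OPENID_SCOPE] + scopes_of(url))))
    return urlunsplit(parts._replace(query=urlencode(fixed)))


if __name__ == "__main__":
    print("openid requested:", requests_id_token(BROKEN_AUTH_URL))  # False
    print("corrected URL:", ensure_openid_scope(BROKEN_AUTH_URL))
```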