Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add mention of basic scope handling to migration guide #1073

Open
thomasdarimont opened this issue Jun 25, 2024 · 2 comments
Open

Add mention of basic scope handling to migration guide #1073

thomasdarimont opened this issue Jun 25, 2024 · 2 comments
Labels
enhancement

Comments

@thomasdarimont
Copy link
Contributor

thomasdarimont commented Jun 25, 2024
edited
Loading

Problem Statement

With the introduction of the dedicated "basic" scope in Keycloak, existing realm configurations with custom clients might now produce access tokens that don't contain the sub claim anymore. This is because the new basic scope that emits those claims might be removed by an explicit defaultClientScopes configuration.

The Keycloak 25 migration documentation documents that the basic scope is automatically added to existing clients during realm migration, however some client configurations with a defaultClientScopes configuration might lack the basic scope configuration. In that case keycloak-config-cli will remove the basic scope again.

Proposed Solution

Add a short note to the migration guide about the need to add the basic scope explicitly when a client configuration uses defaultClientScopes.

A workaround is to configure the basic scope explicitly via defaultClientScopes

    defaultClientScopes:
      - "basic"

Environment

  • Keycloak Version: 25.0.1
  • keycloak-config-cli Version: 6.0.3-SNAPSHOT (cf28b9d)
  • Java Version: 21

Additional information

I think this is actually a regression in Keycloak, but some folks might blame keycloak-config-cli here.

Example of a previously working client definition, which will produce access tokens with the sub claim:

  - clientId: app-greetme
    protocol: openid-connect
    name: Acme Greet Me
    description: "App Greet Me Description"
    enabled: true
    publicClient: true
    standardFlowEnabled: true
    directAccessGrantsEnabled: false
    # Show client in account-console
    alwaysDisplayInConsole: true
    serviceAccountsEnabled: false
    #    attributes: { }
    fullScopeAllowed: false
    rootUrl: "$(env:APPS_FRONTEND_URL_GREETME:https://localhost:9443/apps/greet-me)"
    baseUrl: "/?realm=acme-internal&scope=openid"
    adminUrl: ""
    redirectUris:
      - "/*"
    webOrigins:
      - "+"
    defaultClientScopes:
      - "email"
    optionalClientScopes:
      - "phone"
      - "name"
      - "acme.api"
      - "address"
    attributes:
      "pkce.code.challenge.method": "S256"
      "post.logout.redirect.uris": "+"

Working client configuration:

  - clientId: app-greetme
    protocol: openid-connect
    name: Acme Greet Me
    description: "App Greet Me Description"
    enabled: true
    publicClient: true
    standardFlowEnabled: true
    directAccessGrantsEnabled: false
    # Show client in account-console
    alwaysDisplayInConsole: true
    serviceAccountsEnabled: false
    #    attributes: { }
    fullScopeAllowed: false
    rootUrl: "$(env:APPS_FRONTEND_URL_GREETME:https://localhost:9443/apps/greet-me)"
    baseUrl: "/?realm=acme-internal&scope=openid"
    adminUrl: ""
    redirectUris:
      - "/*"
    webOrigins:
      - "+"
    defaultClientScopes:
      - "default"
      - "email"
    optionalClientScopes:
      - "phone"
      - "name"
      - "acme.api"
      - "address"
    attributes:
      "pkce.code.challenge.method": "S256"
      "post.logout.redirect.uris": "+"

Acceptance Criteria

No response
@thomasdarimont
Copy link
Contributor Author

CC @francis-pouatcha @jonasvoelcker

thomasdarimont added a commit to thomasdarimont/keycloak-project-example that referenced this issue Jun 26, 2024
@thomasdarimont
Ensure oidc clients with defaultClientScopes declare 'basic' scope
b0e049c 
See: adorsys/keycloak-config-cli#1073
thomasdarimont added a commit to thomasdarimont/keycloak-project-example that referenced this issue Jun 26, 2024
@thomasdarimont
Ensure oidc clients with defaultClientScopes declare 'basic' scope
fc2863e 
See: adorsys/keycloak-config-cli#1073
@jonasvoelcker
Copy link
Collaborator

Hi @thomasdarimont,

I guess it is also necessary to define the basic-scope:

    "clientScopes": [
        {
            "name": "basic",
            "description": "OpenID Connect scope for add all basic claims to the token",
            "protocol": "openid-connect",
            "attributes": {
                "include.in.token.scope": "false",
                "display.on.consent.screen": "false"
            },
            "protocolMappers": [
                {
                    "name": "sub",
                    "protocol": "openid-connect",
                    "protocolMapper": "oidc-sub-mapper",
                    "consentRequired": false,
                    "config": {
                        "access.token.claim": "true",
                        "introspection.token.claim": "true"
                    }
                },
                {
                    "name": "auth_time",
                    "protocol": "openid-connect",
                    "protocolMapper": "oidc-usersessionmodel-note-mapper",
                    "consentRequired": false,
                    "config": {
                        "user.session.note": "AUTH_TIME",
                        "id.token.claim": "true",
                        "introspection.token.claim": "true",
                        "access.token.claim": "true",
                        "claim.name": "auth_time",
                        "jsonType.label": "long"
                    }
                }
            ]
        },
        ...
    ]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@thomasdarimont @jonasvoelcker