Skip to content

Commit

Permalink
engine: add scope 'openid' for compatibility with new versions of the…
Browse files Browse the repository at this point in the history
… keycloak

This is linked with this change for V19 and higher: https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes

Now for request user-info endpoint we need request token with 'openid' scope (this is required scope by standard)

Signed-off-by: Melnichuk Stas <[email protected]>
  • Loading branch information
0ffer authored and mwperina committed Apr 26, 2024
1 parent 0d006fa commit 68384ac
Showing 1 changed file with 7 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@

public class ExternalOIDCService {

private static final String OPENID_SCOPE = "openid";
private static Logger log = LoggerFactory.getLogger(ExternalOIDCService.class);

// Reference to the HTTP client used to send the requests to the SSO server:
Expand Down Expand Up @@ -125,6 +126,12 @@ private static SsoSession login(SsoContext ssoContext,
String externalOidcClientSecret = ssoContext.getSsoLocalConfig().getProperty("EXTERNAL_OIDC_CLIENT_SECRET");
String scope = SsoService.getScopeRequestParameter(request, "");

// We should request this scope by RFC (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
// to have possibility for working with other oidc endpoints.
if( ! scope.contains(OPENID_SCOPE)) {
scope = scope + " " + OPENID_SCOPE;
}

HttpPost post = createPost(externalOidcTokenEndPoint);
List<BasicNameValuePair> form = new ArrayList<>();
form.add(new BasicNameValuePair("client_id", externalOidcClientId));
Expand Down

0 comments on commit 68384ac

Please sign in to comment.