Token-Exchange no longer supporting scope parameter in Keycloak versions 24+ #30704
Comments
Hi @spbatgit! Probably this is related to this issue #21578 (it was included for 24.0.0 so it makes sense). But this is only affecting client to client exchanges (internal exchanges). I have done a test with external to internal and I can request a scope that is optional in the target client. Are you sure that the error is in an external to internal request? Is it not an internal (client to client) exchange? Doing this curl to perform the external to internal token exchange:
Looks like a duplicate of #29614
Yes, if it's client to client it is the same. I have tested external to internal and there the scope is OK. So @spbatgit, if you confirm that the issue is client to client we can close this one as a duplicate.
My request is across two Keycloak servers and two separate realms, thus, I believe the scenario utilized is the External to Internal.

My test case is using two trust domains, Acme1 and Acme2. Acme1 has a Keycloak server and realm BT1Dev. Acme2 has a Keycloak server and realm BT2Dev. My scenario is obtaining a token for Acme1 using grant_type=password. The Acme1 token is then used as the subject_token in a request to Acme2 Keycloak for an Acme2 token. In order for the Acme2 token to be used within the Acme2 trust domain, we need to request the claims for the Acme2 domain via the scope parameter.

As I mentioned, the scope parameter is working as expected with version 23.0.7; however, when I use a new version of Keycloak, the scope parameter stops working. If you would like, I am willing to do a Zoom call to demonstrate or allow further investigation.
No problem @spbatgit, in my tests the issue only happens when doing client to client exchange. If I use an identity provider I can add scopes as before. But as @mposolda says this is a duplicate of #29614, I have been checking and there are no more changes in the
Duplicate of #29614.
Before reporting an issue
Area
token-exchange
Describe the bug
When using grant_type: urn:ietf:params:oauth:grant-type:token-exchange, the scope parameter is no longer working after Keycloak version 23.0.7. I have observed this issue in all Keycloak versions above 23.0.7. This issue is observed using both Internal->Internal and External->Internal use cases.
Attached is a screenshot of a request utilizing the requested scope value.
[Screenshot: Keycloak Token-Exchange Request]
Version
Keycloak versions 24+ and 25+
Regression
Expected behavior
When providing parameter scope=bt2.write in the token exchange request, the token returned should include bt2.write in the scope claim.
Actual behavior
The scope parameter is being ignored and the requested scopes are not included in the token returned from the token-exchange.
How to Reproduce?
Use any version of Keycloak above 23.0.7 and utilize External->Internal token-exchange with the scope parameter in the request.
Anything else?
I understand that token-exchange is a preview feature; however, I see that Keycloak is committing to fully supporting the token-exchange RFC including scope parameter: https://docs.google.com/document/d/1plbyw5C1W8q6sYolETfoGqHKIrFWjzYio22o9i6yDOk/edit?pli=1#heading=h.vypot9d955te
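A regression check for the behaviour the report describes, added here as an example and not code from the issue or from Keycloak: it builds the form body of an external-to-internal token-exchange request and reports which requested scopes are missing from the `scope` claim of the returned access token. Client ids, the secret, the identity-provider alias and the tokens are constructed placeholders; `subject_issuer` is Keycloak's parameter naming the external identity provider.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_body(client_id, client_secret, subject_token, subject_issuer, scope):
    """Form body for an external-to-internal exchange at the target realm's token endpoint.

    subject_token is the token issued by the external trust domain (Acme1 in the report);
    scope names the target-realm scopes the caller needs, e.g. "bt2.write".
    """
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_issuer": subject_issuer,  # alias of the external IdP in the target realm
        "scope": scope,
    })

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unverified_claims(jwt):
    """Decode the payload only. No signature check: for inspecting a response, never for authorization."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))

def missing_scopes(access_token, requested_scope):
    """Requested scopes that the returned token's space-separated scope claim does not carry."""
    granted = set(unverified_claims(access_token).get("scope", "").split())
    return sorted(set(requested_scope.split()) - granted)

def constructed_token(scope):
    """Unsigned JWT with a chosen scope claim; constructed test data, not a real Keycloak token."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    payload = _b64url_encode({"iss": "https://acme2.example/realms/BT2Dev", "scope": scope})
    return f"{header}.{payload}."

if __name__ == "__main__":
    body = build_exchange_body("bt2-client", "PLACEHOLDER_SECRET", constructed_token("openid"),
                               "acme1", "bt2.write")
    # A 24+ response as described in the report: the requested scope is absent.
    print(missing_scopes(constructed_token("openid profile"), "bt2.write"))  # ['bt2.write']
```

Pointing `build_exchange_body` at the real token endpoint and feeding the returned `access_token` to `missing_scopes` gives a one-line pass/fail for the regression; an empty list means the scope was honoured.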