keycloak: Get UserInfo return 401 Unauthorized

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

oidc

Describe the bug

After a service account is authenticated via the client_credentials flow, I send a request with its access_token to the userinfo_endpoint, but the Keycloak server returns 401 Unauthorized.

Version

20.0

Expected behavior

Keycloak should return 200 OK with user information, the same as for a normal user.

Actual behavior

401 Unauthorized

How to Reproduce?

  1. docker compose up -d
    version: '3'
    
    services:
      keycloak:
        image: quay.io/keycloak/keycloak:20.0
        command: [start-dev]
        environment:
          KEYCLOAK_ADMIN:           admin
          KEYCLOAK_ADMIN_PASSWORD:  SuperSecr3t
        ports:
        - 8080:8080
        volumes:
        - keycloak_data:/opt/keycloak/data
    
    volumes:
      keycloak_data:
        driver: local
    
  2. Create new realm
  3. Create new OIDC client and enable Service accounts roles
  4. Authenticate using service account
    curl --location --request POST 'http://localhost:8080/realms/<realm>/protocol/openid-connect/token' \
       --header 'Content-Type: application/x-www-form-urlencoded' \
       --data-urlencode 'grant_type=client_credentials' \
       --data-urlencode 'client_id=<client_id>' \
       --data-urlencode 'client_secret=<client_secret>'
    
  5. Get userinfo
    curl --location --request GET 'http://localhost:8080/realms/<realm>/protocol/openid-connect/userinfo' \
       --header 'Authorization: Bearer <access_token>'
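To tell in advance whether a token from step 4 will be accepted in step 5, the following added example (not part of the issue or of Keycloak) decodes the access token's `scope` claim and reports whether `openid` is present, which is what the /userinfo endpoint requires since the change linked later in the thread (PR 14237). It also wraps the step 4 curl call as a function so the two cases (with and without `scope=openid`) can be compared; the sample tokens at the bottom are constructed, unsigned stand-ins for offline use.

```python
"""Diagnose why a Keycloak access token gets 401 at /userinfo.

Added example, not from the issue or the Keycloak project. The JWT payload is
decoded WITHOUT signature verification: this is a diagnostic for tokens you
already hold, not an authorization check.
"""
import base64
import json
import urllib.parse
import urllib.request


def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWS without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_openid_scope(token: str) -> bool:
    """True if the space-separated `scope` claim includes `openid`.

    On Keycloak >= 20, a token without it is rejected by /userinfo with 401.
    """
    scope = decode_jwt_payload(token).get("scope", "")
    return "openid" in str(scope).split()


def client_credentials_token(base_url, realm, client_id, client_secret, scope=None):
    """Live equivalent of the curl call in step 4; pass scope="openid" to compare."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if scope:
        form["scope"] = scope
    req = urllib.request.Request(
        f"{base_url}/realms/{realm}/protocol/openid-connect/token",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token (alg=none) for offline demonstration."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none", "typ": "JWT"})
    return f"{header}.{b64(claims)}."


# Constructed samples mirroring the two cases discussed in the thread.
SERVICE_ACCOUNT_TOKEN = _unsigned_jwt({"scope": "email profile", "clientId": "svc"})
OPENID_TOKEN = _unsigned_jwt({"scope": "openid email profile", "clientId": "svc"})
```

Running `has_openid_scope` on a real token obtained with and without `scope=openid` shows directly which of the two will pass /userinfo.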

Anything else?

No response

About this issue

  • State: closed
  • Created a year ago
  • Comments: 19 (5 by maintainers)

Most upvoted comments

This change was documented in the migration guide https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes .

In short, UserInfo is an OIDC-specific endpoint, while service accounts (client credentials) are an OAuth2 thing. So the fact that UserInfo works only for access tokens using scope=openid is completely fine to me. It is also fine that service accounts don't use scope=openid by default and hence service-account access tokens don't work with UserInfo by default.

In fact, it is a bit strange that someone even uses the UserInfo endpoint (which is supposed to be for "real users") for "service accounts" (which are not real users). Using the token-introspection endpoint looks like a better option for service accounts.

@pedroigor @rmartinc WDYT guys? Do we just close this, or do we want to add some "backward compatibility option" for sticking to the previous behaviour? If we provide backward compatibility, do we add it to the OIDC client configuration with the other OpenID Connect Compatibility Modes options?

Hi, I added scope=openid in the /token request and got an access token with the scope mentioned. But when trying to hit /userinfo with that access token, I am still getting 401 Unauthorized.

Can someone help over here?

I think keycloak should provide a (compatibility?)

If someone is still searching for compatibility: create a client scope 'openid' in the realm and add it with the default assigned type in your OAuth clients; there is no need to request it on login.

Adding to Keycloak 22 for now as it is related to backwards compatibility.

I believe this is an intended effect of this change: you need to add a scope called openid to the client.

Keycloak 19 versions do not contain https://github.com/keycloak/keycloak/pull/14237 and therefore do not have this problem.

The issue with that is that some OAuth clients don't like it when the openid scope suddenly appears in the authorized scopes, which is why I'd still like to see a compat option for Keycloak 22. For now I'm stuck on Keycloak 19 because of this issue.

I found that if the client side requests the openid scope explicitly at login, even without adding the openid scope to the Keycloak client, openid will be included in the issued token and /userinfo will work as well.

So it seems that adding openid to the client's requested scope is also a workaround. Some libraries like keycloak-js already do this, and some do not, like OAuth in Swagger.

I met the same problem after upgrading to 21.0.1.

I think we need to add openid as a default scope to each client when making this change.

It may sound stupid if everyone needs to manually create the openid client scope and add it to each client to get things working.

You have to create a client scope called openid and request it.

Having the same problem. Unable to use the /userinfo endpoint. Furthermore, I also tried to add the openid scope to the client and am getting the same error.

I think Keycloak should provide a (compatibility?) option to restore the old (pre-v20) behaviour (allow user info to be queried without explicitly requesting the openid scope in OAuth flows). See also #16168 and #16610.