keycloak: openid scope is required for userinfo endpoint but does not exist by default

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

token-exchange

Describe the bug

I’m discovering Keycloak. I created a first client app to test and got an access token. Now I’d like to test the userinfo endpoint with this token, but I get a 403 error because of the missing openid scope in my token. I discovered it’s a recent behavior change since this pull request: https://github.com/keycloak/keycloak/pull/14237 I have exactly the problem specified there. This is my /token response: {...., 'scope': 'profile email'} Indeed the openid scope is missing. But this scope doesn’t seem to exist by default and must be created manually in the Keycloak admin console and added to the existing client. I think this scope should exist by default, or the documentation should specify that it must be created first.


Version

20.0.2 (Docker)

Expected behavior

The openid client scope exists by default and is linked to any OpenID client that is created, so that /userinfo works.

Actual behavior

The openid client scope does not exist and must be created and linked to a client to be able to use the /userinfo endpoint.

How to Reproduce?

  • Fresh Keycloak 20 installed
  • create new client
  • check client scopes

Anything else?

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 18 (7 by maintainers)

Most upvoted comments

@woprandi try to specify the scope in the initial login redirect, not during the code exchange
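To illustrate the point made in the issue and in the comment above, here is an added example (not code from the issue or from the Keycloak project): it builds the OpenID Connect authorization request with openid in the scope from the start, and checks a /token response for the scope that /userinfo now requires. The base URL, realm, client id and redirect URI are constructed placeholders.

```python
# Added example, not part of the Keycloak issue or project. Hostnames, realm,
# client id and redirect URI are constructed placeholders.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK_BASE = "https://keycloak.example.test"    # placeholder
REALM = "demo"                                      # placeholder
CLIENT_ID = "my-test-client"                        # placeholder
REDIRECT_URI = "https://app.example.test/callback"  # placeholder


def pkce_pair():
    # PKCE S256 verifier/challenge for the authorization code flow.
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_url(scopes, state, nonce, code_challenge):
    # "openid" has to be requested in the authorization (login redirect)
    # request; adding it only at the code exchange does not put it into the
    # issued token, which is what the issue ran into.
    if "openid" not in scopes:
        scopes = ["openid", *scopes]
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def requested_scope(url):
    # Read back the scope parameter of an authorization URL.
    return parse_qs(urlparse(url).query)["scope"][0]


def token_allows_userinfo(token_response):
    # Same check /userinfo applies before answering 403: the granted scope
    # string in the /token response must contain "openid".
    granted = token_response.get("scope", "").split()
    return "openid" in granted
```

Run token_allows_userinfo on the JSON returned by /token before calling /userinfo; a response like the one in the issue, with scope 'profile email', fails the check.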