AccessTokens generated from RefreshTokens without scope #12326
Comments
I am adding this with the label "Help wanted" as the Keycloak team probably won't have time to look at this in the near future. Anyone is welcome to investigate this further and eventually send a PR for this.
Client Scopes with `Include In Token Scope` set to `false` were not applied to AccessTokens generated for token refresh requests. We now look into the scope stored in the client session to ensure that mappers for all initially requested scopes are applied on token refresh. Fixes keycloak#12326
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
@mposolda I think I found the problem. See: #12860
Mappers for client scopes with
The old scope is currently extracted from the Refresh-Token (which does not contain the scope because
but it should rather be recovered from the actual clientSession:
@thomasdarimont Not sure if it works to use the scope from clientSession... Added section
Closes keycloak#12326 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
Describe the bug
In my scenario, I want to make the scope `roles` optional for a specific client A. As a consequence, if client A wants this information, it is necessary to inform it in the list of scopes when requesting the `access_token`. I noticed that when you request a new `access_token` from a `refresh_token`, the information related to the `roles` scope no longer appears in the `access_token`. I notice this only when
Version
15
Expected behavior
`roles` information appears in the `access_token` when this information is requested, even if it was defined as an Optional scope.
Actual behavior
No response
How to Reproduce?
Part 1:
1. Go to Client Scopes;
2. remove `roles` from "Assigned Default Client Scopes";
3. move `roles` into "Assigned Optional Client Scopes".
Part 2:
1. Request an `access_token` without informing `roles`; notice that the information related to it does not appear;
2. request an `access_token` informing `roles`; notice that the information related to it appears;
3. request an `access_token` using the `refresh_token` from the previous request; notice that the information related to it does not appear.
Possible solution
I think it might be good that the refresh-token always contains all optional scopes (even those with `Include in access token` set to `false`). This is probably better than using the scope from clientSession, as that may not work 100% accurately in the case of multiple browser tabs (that is the limitation of having a single authenticatedClientSession per client attached to the userSession). See my comment #12860 (comment)