AccessTokens generated from RefreshTokens without scope #12326

Closed
SrMouraSilva opened this issue Jun 3, 2022 · 3 comments · Fixed by #28976
Labels: area/oidc (Indicates an issue on OIDC area), kind/bug (Categorizes a PR related to a bug), priority/important (Must be worked on very soon), release/25.0.0, team/core-clients

Comments


SrMouraSilva commented Jun 3, 2022

Describe the bug

In my scenario, I want to make the scope roles Optional for a specific client A.
As a consequence, if client A wants this information, it's necessary to inform it in the list of scopes when requesting the access_token.

I noticed that when you request a new access_token from a refresh_token, the information related to the roles scope doesn't appear in the access_token anymore.

I notice this only when

Version

15

Expected behavior

roles information appears in the access_token when this information is requested, even if it was defined as Optional Token.

Actual behavior

No response

How to Reproduce?

Part 1:

  1. Create a Client;
  2. Go to Client Scopes;
  3. Remove roles from "Assigned Default Client Scopes";
  4. Include roles into "Assigned Optional Client Scopes".

Part 2:

  1. Request an access_token without informing roles; notice that the information related to it will not appear;
  2. Request a new access_token informing roles; notice that the information related to it will appear;
  3. Request a new access_token using the refresh_token from the previous request; notice that the information related to it will not appear.

Possible solution

I think it might be good that refresh-token always contains all optional scopes (even those with Include in access token is false). This is probably better than using the scope from clientSession as that may not work 100% accurately in case of more browser tabs (that is the limitation of having single authenticatedClientSession per client attached to userSession). See my comment #12860 (comment)

@SrMouraSilva SrMouraSilva added kind/bug Categorizes a PR related to a bug status/triage labels Jun 3, 2022
@stianst stianst added the area/oidc Indicates an issue on OIDC area label Jun 20, 2022

I am adding this with the label "Help wanted" as the Keycloak team probably won't have time to look at this in the near future. Anyone is welcome to investigate this further and eventually send a PR for this.

thomasdarimont added a commit to thomasdarimont/keycloak that referenced this issue Jun 30, 2022
Client Scopes with `Include In Token Scope` set to `false`
were not applied to AccessTokens generated for token refresh requests.

We now look into the scope stored in the client session to ensure,
that mappers for all initial requested scope are applied on token refresh.

Fixes keycloak#12326
thomasdarimont added a commit to thomasdarimont/keycloak that referenced this issue Jun 30, 2022
)

Client Scopes with `Include In Token Scope` set to `false`
were not applied to AccessTokens generated for token refresh requests.

We now look into the scope stored in the client session to ensure,
that mappers for all initial requested scope are applied on token refresh.

Fixes keycloak#12326

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>

thomasdarimont commented Jun 30, 2022

@mposolda I think I found the problem. See: #12860

Mappers for client scopes with Include In Token Scope set to false, such as the roles scope,
are not applied to AccessTokens generated for token refresh requests.

See:
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L202

The old scope is currently extracted from the Refresh-Token (which does not contain the scope because Include In Token Scope is set to false):

```java
String oldTokenScope = oldToken.getScope();
```

but it should rather be recovered from the actual clientSession:

```java
String oldTokenScope = clientSession.getNote(OAuth2Constants.SCOPE);
```

@mposolda mposolda added this to the Backlog milestone Apr 18, 2023
@keycloak-github-bot keycloak-github-bot bot added priority/important Must be worked on very soon and removed action/priority-important labels Mar 13, 2024
@stianst stianst removed this from the Backlog milestone Mar 15, 2024

mposolda commented Apr 4, 2024

@thomasdarimont Not sure if it works to use the scope from clientSession... Added section Possible solution to the description of this issue with more details.
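The two proposals in the thread (thomasdarimont: recover the scope from the client session note; mposolda: let the refresh token keep all optional scopes) can be checked against a small model of the refresh flow. This is an added example, not Keycloak's code: the scope catalogue, claim values and the `include_in_token_scope` flag are constructed stand-ins for the real client-scope configuration, and the functions only mirror the behaviour the comments describe.

```python
# Constructed client-scope catalogue (not Keycloak's configuration): each scope has a
# mapper that contributes claims and a flag mirroring "Include In Token Scope".
CLIENT_SCOPES = {
    "openid": {"include_in_token_scope": True, "claims": {}},
    "email": {"include_in_token_scope": True, "claims": {"email": "alice@example.test"}},
    # The roles scope is the case from the issue: its mapper adds realm_access, but the
    # scope name itself is excluded from the token's `scope` claim.
    "roles": {"include_in_token_scope": False, "claims": {"realm_access": {"roles": ["user"]}}},
}


def apply_mappers(scope_names):
    """Run the mapper of every named client scope and build the access-token claims."""
    claims = {"sub": "alice"}
    for name in scope_names:
        claims.update(CLIENT_SCOPES[name]["claims"])
    # Only scopes flagged include_in_token_scope end up in the `scope` claim.
    claims["scope"] = " ".join(
        n for n in scope_names if CLIENT_SCOPES[n]["include_in_token_scope"])
    return claims


def issue_tokens(requested_scope, full_scope_in_refresh=False):
    """Initial token request: returns (access_token, refresh_token, client_session).

    full_scope_in_refresh=True models mposolda's proposal: the refresh token keeps
    every requested scope, not just the ones flagged for inclusion.
    """
    access = apply_mappers(requested_scope.split())
    refresh_scope = requested_scope if full_scope_in_refresh else access["scope"]
    refresh = {"sub": "alice", "scope": refresh_scope}
    client_session = {"scope": requested_scope}  # the SCOPE note keeps the full request
    return access, refresh, client_session


def refresh_from_token_scope(refresh_token):
    """Reported behaviour: the scope is read back from the refresh token's `scope` claim."""
    return apply_mappers(refresh_token["scope"].split())


def refresh_from_session_scope(client_session):
    """thomasdarimont's proposal: the scope is read from the client session note."""
    return apply_mappers(client_session["scope"].split())


def roles_present(claims):
    """True when the roles mapper output survived into the given token claims."""
    return "realm_access" in claims
```

Running the three variants on a request for `openid email roles` shows the roles claim dropped only when the scope is rebuilt from a refresh token that omitted it.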

@graziang graziang self-assigned this Apr 22, 2024
graziang added a commit to graziang/keycloak that referenced this issue Apr 22, 2024
Closes keycloak#12326

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
graziang added a commit to graziang/keycloak that referenced this issue Apr 22, 2024
Closes keycloak#12326

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
mposolda pushed a commit that referenced this issue May 3, 2024
Closes #12326

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>