
requestClientCredentialsToken invalid scope in Keycloak #392

Open
DominicDetta opened this issue Oct 10, 2023 · 2 comments


DominicDetta commented Oct 10, 2023

Hi, in a client credentials flow the scope parameter is optional, and the current implementation sends the parameter anyway:

public function requestClientCredentialsToken() {
    $token_endpoint = $this->getProviderConfigValue('token_endpoint');

    $headers = [];

    $grant_type = 'client_credentials';

    // 'scope' is always included, even when $this->scopes is empty,
    // which produces an empty "scope=" parameter on the wire.
    $post_data = [
        'grant_type'    => $grant_type,
        'client_id'     => $this->clientID,
        'client_secret' => $this->clientSecret,
        'scope'         => implode(' ', $this->scopes)
    ];

    // Convert token params to string format
    $post_params = http_build_query($post_data, '', '&', $this->encType);

    return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
}

In Keycloak this behaviour is not expected and returns an error of invalid scopes.

To solve the error I need to specify the scope openid, but the right way would be the following implementation:

public function requestClientCredentialsToken() {
    $token_endpoint = $this->getProviderConfigValue('token_endpoint');

    $headers = [];

    $grant_type = 'client_credentials';

    $post_data = [
        'grant_type'    => $grant_type,
        'client_id'     => $this->clientID,
        'client_secret' => $this->clientSecret
    ];

    // Only send 'scope' when at least one scope was configured;
    // the parameter is optional for the client_credentials grant.
    if (!empty($this->scopes)) {
        $post_data['scope'] = implode(' ', $this->scopes);
    }

    // Convert token params to string format
    $post_params = http_build_query($post_data, '', '&', $this->encType);

    return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
}
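To show the wire-level difference the issue describes, here is an added stand-alone example (not code from OpenID-Connect-PHP; the helper names are hypothetical) that builds the client_credentials body, omits scope when no non-empty scope value exists, and checks the token endpoint's reply for the RFC 6749 error shape such as invalid_scope:

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of OpenID-Connect-PHP: builds the
// x-www-form-urlencoded body for a client_credentials grant and sends
// 'scope' only when at least one non-empty scope value is configured.
function buildClientCredentialsBody(string $clientId, string $clientSecret, array $scopes): string
{
    // Drop empty or whitespace-only entries so [''] does not become "scope="
    $scopes = array_values(array_filter(array_map('trim', $scopes), 'strlen'));

    $postData = [
        'grant_type'    => 'client_credentials',
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
    ];
    if ($scopes !== []) {
        // scope values are space-delimited (RFC 6749 section 3.3)
        $postData['scope'] = implode(' ', $scopes);
    }
    return http_build_query($postData, '', '&', PHP_QUERY_RFC1738);
}

// Interpret the token endpoint's JSON reply (RFC 6749 sections 5.1 and 5.2):
// returns the access token on success, throws on an error response.
function accessTokenFromResponse(string $json): string
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (isset($data['error'])) {
        throw new RuntimeException(sprintf('token request failed: %s (%s)',
            $data['error'], $data['error_description'] ?? 'no description'));
    }
    if (empty($data['access_token']) || strcasecmp($data['token_type'] ?? '', 'Bearer') !== 0) {
        throw new RuntimeException('malformed token response');
    }
    return $data['access_token'];
}

// Constructed demo values; no network access is performed.
echo buildClientCredentialsBody('svc-client', 'constructed-secret', []), PHP_EOL;
echo buildClientCredentialsBody('svc-client', 'constructed-secret', ['openid', 'profile']), PHP_EOL;

// Constructed sample replies modelled on the RFC 6749 error and success shapes.
$rejected = '{"error":"invalid_scope","error_description":"constructed sample"}';
try { accessTokenFromResponse($rejected); } catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
$ok = '{"access_token":"constructed.sample.token","token_type":"Bearer","expires_in":300}';
echo accessTokenFromResponse($ok), PHP_EOL;
```

The first body contains no scope parameter at all, while the second carries scope=openid+profile; surfacing the error field prevents a rejected request from being silently treated as a token.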

ricklambrechts commented Oct 10, 2023

According to the RFC 6749 (OAuth 2.0) the scope is indeed optional. I think this is a good solution.

DominicDetta pushed a commit to DominicDetta/OpenID-Connect-PHP that referenced this issue Oct 10, 2023
DominicDetta (Author) commented

I created a pull request which needs approval by maintainers.

DominicDetta added a commit to DominicDetta/OpenID-Connect-PHP that referenced this issue Oct 10, 2023