Requested (additional) scopes get lost in token exchange since Keycloak 24
Before reporting an issue
- [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
Before Keycloak 24 (for example 23.0.7) it was possible to request scopes when doing a token exchange. For example, it was possible to request a token with scope `offline_access`. Since Keycloak 24 the requested scopes get discarded when the original access token does not contain them.
This may be related to the changes from #21638, #24323 or #12043.
Version
24.0.4
Regression
- [X] The issue is a regression
Expected behavior
Obtained token from token exchange should contain scope `offline_access`.
Actual behavior
Token contains only the scopes that the original token before the token exchange had, in this example only `openid`.
How to Reproduce?
1. Obtain an access token with scope `openid`:

```shell
curl -i -X POST \
  -H "Content-Type:application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "username=my-user" \
  -d "password=my-password" \
  -d "scope=openid" \
  -d "client_id=testclient" \
  'https://my-keycloak.org/auth/realms/acme/protocol/openid-connect/token'
```
2. Exchange the token, requesting the additional scope `offline_access`:

```shell
curl -i -X POST \
  -H "Content-Type:application/x-www-form-urlencoded" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "subject_token=my-token" \
  -d "audience=my-audience" \
  -d "scope=offline_access" \
  -d "client_id=testclient" \
  'https://my-keycloak.org/auth/realms/acme/protocol/openid-connect/token'
```

The resulting token since Keycloak 24 only contains the scope `openid` but not `offline_access`. Keycloak 23 contained both scopes in the resulting token.
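As an added regression check for the two steps above (example code written for this page, not part of Keycloak or of the reporter's report), the following Python builds the same token-exchange form body the second curl call sends and then compares the `scope` claim of the returned access token against the scopes that were requested. The helper names (`token_exchange_body`, `missing_scopes`, `make_unsigned_jwt`) are assumptions of this example, and the tokens it decodes are constructed, unsigned JWTs used only to exercise the check offline; in a real run you would pass the token returned by the exchange endpoint (the server-side signature check is not the point here, so the payload is read without verification).

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def token_exchange_body(subject_token, audience, client_id, scopes):
    """Form body for the token-exchange call, mirroring the page's second curl command.
    `scopes` is a list of scope names; an empty list omits the parameter."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "audience": audience,
        "client_id": client_id,
    }
    if scopes:
        params["scope"] = " ".join(scopes)
    return urlencode(params)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token):
    """Return the payload of a compact JWS without verifying its signature.
    Only use this on tokens that the trusted issuer just handed you."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token):
    """Scopes in the token's space-separated `scope` claim (empty set if absent)."""
    return set(jwt_claims(token).get("scope", "").split())


def missing_scopes(token, requested):
    """Requested scopes that the issued token does not carry.
    An empty result means the exchange honoured every requested scope."""
    return set(requested) - granted_scopes(token)


def make_unsigned_jwt(claims):
    """Constructed, alg=none JWT for the offline demonstration only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


if __name__ == "__main__":
    body = token_exchange_body("my-token", "my-audience", "testclient", ["offline_access"])
    print("exchange body:", body)

    # Constructed tokens imitating the two behaviours described in the report.
    like_keycloak_23 = make_unsigned_jwt({"scope": "openid offline_access"})
    like_keycloak_24 = make_unsigned_jwt({"scope": "openid"})
    for label, tok in (("23-style", like_keycloak_23), ("24-style", like_keycloak_24)):
        print(label, "missing:", sorted(missing_scopes(tok, ["offline_access"])))
```

Running `missing_scopes` on the token returned by the exchange gives a direct pass/fail signal for this regression: an empty set means the requested `offline_access` scope was granted, a non-empty set reproduces the behaviour reported for 24.0.4.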
Anything else?
No response