fix: Add openid scope by default for Keycloak
What kind of change does this PR introduce?
Bug fix
What is the current behavior?
Since Keycloak 19, this is required for the userinfo endpoint to work.
If you try to use Supabase with modern Keycloak, authentication fails with "Error getting user profile from external provider".
What is the new behavior?
Login with Keycloak works.
Additional context
Hi! I'm aware of the ability to set scopes manually (that's how I verified adding the scope fixes the problems I was experiencing), but in my opinion, you should have working defaults.
According to the docs, the openid scope should work with Keycloak 18, but I'll check if I can set up a test instance to try.
I'm not sure how many versions you want to be backwards compatible with, so if you have a specific version in mind I can try, please let me know.
@AaronDewes we don't have a minimum Keycloak version enforced unfortunately, so if there's someone out there using this library with an old Keycloak version that does not support this scope, then it will break things for them if they are using Supabase.
> you should have working defaults.
I do agree with this point, and I think it should be relatively safe for us to add this as long as the last 3 major Keycloak versions support the openid scope.
It would also be great if you can fix the test 🙏
Great! I'll have a look at the tests. The latest Keycloak major version is 26, so the last 3 major versions are definitely not a problem (all of these versions were broken before). Red Hat SSO (which was recently replaced by "Keycloak Red Hat build") also supports this in its last (probably LTS) version.
@AaronDewes Perhaps we can check the Keycloak version somehow to see if the openid scope is needed? I'm a little concerned that going back 3 versions may not be enough for some people using this provider. Some links to documentation or something concrete to help determine if this change is safe would be ideal.
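Added example, not part of this PR or the project's code: a Go sketch of the question raised in the thread, reading the optional `scopes_supported` list from a realm's OIDC discovery document instead of checking the Keycloak version, then merging `openid` into the defaults without duplicating a manually configured scope. The function names, the `profile`/`email` defaults and the sample document are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed discovery document (trimmed), not captured from a real realm.
const sampleDiscovery = `{"scopes_supported": ["openid", "profile", "email", "offline_access"]}`

// advertisesOpenID reports whether OIDC discovery metadata lists the openid scope.
// scopes_supported is optional in discovery; a missing list is reported as false.
func advertisesOpenID(doc []byte) (bool, error) {
	var d struct {
		ScopesSupported []string `json:"scopes_supported"`
	}
	if err := json.Unmarshal(doc, &d); err != nil {
		return false, err
	}
	for _, s := range d.ScopesSupported {
		if s == "openid" {
			return true, nil
		}
	}
	return false, nil
}

// mergeScopes keeps defaults first, appends configured scopes (comma or space separated), drops duplicates.
func mergeScopes(defaults []string, configured string) []string {
	split := func(r rune) bool { return r == ',' || r == ' ' }
	all := append(append([]string{}, defaults...), strings.FieldsFunc(configured, split)...)
	seen := map[string]bool{}
	out := []string{}
	for _, s := range all {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

func main() {
	defaults := []string{"profile", "email"} // assumed defaults before the change
	if ok, err := advertisesOpenID([]byte(sampleDiscovery)); err == nil && ok {
		defaults = append([]string{"openid"}, defaults...)
	}
	// A deployment that already set openid manually must not end up sending it twice.
	fmt.Println(strings.Join(mergeScopes(defaults, "openid,roles"), " "))
}
```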