scopes_supported metadata should not be used as default in ClientRegistrations #8514

Closed
@martin-v

Description

Describe the bug
The oauth2-client requests all available scopes on the authorization server by default. That also includes scopes meant for other clients.

ClientRegistration.getScopes() copies all scopes_supported from the authorization server metadata into the scope config for this client. So the oauth2-client requests all of these scopes on each authorization.

As Keycloak has recently fixed a bug and now throws an error on invalid scope requests, this bug will occur for more people.

To Reproduce

  • Install a current Keycloak (>= 10.0.0)
  • Create a new client
  • Remove some default Keycloak client scopes, or a newly created one, from the Assigned Default Client Scopes and Assigned Optional Client Scopes of this client
  • Try to start a session with this client and oauth2-client.
  • Don't configure spring.security.oauth2.client.registration.${name}.scope (configuring it is a workaround for the problem)

Expected behavior

As scopes_supported lists all scopes for all clients on this authorization server, it's not a good default.

  scopes_supported
    RECOMMENDED. JSON array containing a list of the OAuth 2.0
    [RFC6749] "scope" values that this authorization server supports.
    Servers MAY choose not to advertise some supported scope values
    even when this parameter is used.
Source: https://tools.ietf.org/html/rfc8414#section-2

Also, consider that the scope parameter is optional.

  scope
    OPTIONAL. The scope of the access request as described by
    Section 3.3.
Source: https://tools.ietf.org/html/rfc6749#section-4.1.1

The best default would be to just leave it empty.
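To make the two behaviours concrete, here is an added Python model (not Spring Security's or Keycloak's code) of how a client registration derives its scope set from a constructed RFC 8414 discovery document and what the resulting RFC 6749 authorization request looks like; the metadata values, client id and redirect URI are constructed sample data.

```python
import json
from typing import List, Optional, Set
from urllib.parse import urlencode

# Constructed authorization-server metadata in RFC 8414 shape, standing in for
# a Keycloak realm's discovery document. scopes_supported is server-wide: it
# also lists scopes that are only assigned to other clients.
METADATA_JSON = """{
  "issuer": "https://idp.example.test/realms/demo",
  "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
  "scopes_supported": ["openid", "profile", "email", "offline_access", "other-client-scope"]
}"""


def load_metadata(raw: str = METADATA_JSON) -> dict:
    """Parse the discovery document (here the constructed sample above)."""
    return json.loads(raw)


def scopes_from_metadata(metadata: dict, configured: Optional[List[str]]) -> List[str]:
    """Behaviour reported in the issue: explicitly configured scopes win, but
    with no configuration every advertised scope is copied into the registration."""
    if configured:
        return list(configured)
    return list(metadata.get("scopes_supported", []))


def scopes_explicit_only(metadata: dict, configured: Optional[List[str]]) -> List[str]:
    """Expected behaviour: request only what the deployer configured; with no
    configuration the scope set stays empty (scope is OPTIONAL per RFC 6749 4.1.1)."""
    return list(configured or [])


def authorization_request(metadata: dict, client_id: str, redirect_uri: str, scopes: List[str]) -> str:
    """Build the RFC 6749 section 4.1.1 authorization request URL, omitting the
    scope parameter entirely when there is nothing to request."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    if scopes:
        params["scope"] = " ".join(scopes)
    return metadata["authorization_endpoint"] + "?" + urlencode(params)


def unassigned_scopes(requested: List[str], assigned_to_client: Set[str]) -> List[str]:
    """Pre-flight check: requested scopes that are not assigned to this client,
    i.e. the ones the issue reports Keycloak now rejecting as invalid."""
    return [s for s in requested if s not in assigned_to_client]
```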

Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose), type: bug (A general bug)