Description
**Describe the bug**

The oauth2-client requests all available scopes on the authorization server by default, including scopes that belong to other clients. `ClientRegistration.getScopes()` copies every value in `scopes_supported` from the authorization server metadata into the scope configuration of this client, so the oauth2-client requests all of these scopes on every authorization.

Since Keycloak has recently fixed a bug and now returns an error on invalid scope requests, more people will hit this.
**To Reproduce**

- Install a current Keycloak (>= 10.0.0)
- Create a new client
- Remove some default Keycloak client scopes, or a newly created client scope, from "Assigned Default Client Scopes" and "Assigned Optional Client Scopes" of this client
- Try to start a session with this client and the oauth2-client
- Don't configure `spring.security.oauth2.client.registration.${name}.scope` (configuring it is a workaround for the problem)
**Expected behavior**

As `scopes_supported` lists all scopes for all clients on this authorization server, it is not a good default.

> scopes_supported
> RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] "scope" values that this authorization server supports. Servers MAY choose not to advertise some supported scope values even when this parameter is used.

Source: https://tools.ietf.org/html/rfc8414#section-2

Also, consider that the `scope` parameter is optional:

> scope
> OPTIONAL. The scope of the access request as described by Section 3.3.

Source: https://tools.ietf.org/html/rfc6749#section-4.1.1

The best default would be to leave it empty.
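For anyone affected, here is an added example (not the reporter's code and not part of Spring Security) of the workaround in Java configuration: discover the registration from the issuer as usual, then rebuild it with an explicit scope set so only the scopes assigned to this client in Keycloak are ever requested. The issuer URL, registration id, client id, client secret and scope names are placeholders.

```java
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;

@Configuration
public class KeycloakClientConfig {

    // Placeholder values: replace with the real issuer and client credentials.
    private static final String ISSUER = "https://keycloak.example.org/auth/realms/demo";
    private static final String CLIENT_ID = "my-client";
    private static final String CLIENT_SECRET = "<client-secret>";

    // Only the scopes this client is actually assigned in Keycloak (placeholder set).
    private static final Set<String> ALLOWED_SCOPES = Set.of("openid", "profile");

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        // Discovery fills in the endpoints from the issuer metadata. On the affected
        // versions it also copies every scopes_supported value into the scope set.
        ClientRegistration discovered = ClientRegistrations.fromIssuerLocation(ISSUER)
                .registrationId("keycloak")
                .clientId(CLIENT_ID)
                .clientSecret(CLIENT_SECRET)
                .build();

        // Rebuild the registration with an explicit scope set, so the authorization
        // request never carries scopes that were not assigned to this client and
        // Keycloak does not reject it with an invalid scope error.
        ClientRegistration restricted = ClientRegistration.withClientRegistration(discovered)
                .scope(ALLOWED_SCOPES)
                .build();

        return new InMemoryClientRegistrationRepository(restricted);
    }
}
```

This is the programmatic equivalent of setting `spring.security.oauth2.client.registration.${name}.scope` in application properties; either form prevents the discovered `scopes_supported` list from being used as the request default.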