engine: add scope 'openid' for compatibility with new versions of the…

… keycloak This is linked with this change for V19 and higher: https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes Now for request user-info endpoint we need request token with 'openid' scope (this is required scope by standard) Signed-off-by: Melnichuk Stas <melnichuk.stas@gmail.com>
oVirt · Apr 26, 2024 · b94007b · dupondje · Apr 29, 2024 · mwperina
1 parent 0d006fa
commit b94007b
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/...odules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/ExternalOIDCService.java b/...odules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/ExternalOIDCService.java
@@ -52,6 +52,7 @@
 
 public class ExternalOIDCService {
 
+    private static final String OPENID_SCOPE = "openid";
     private static Logger log = LoggerFactory.getLogger(ExternalOIDCService.class);
 
     // Reference to the HTTP client used to send the requests to the SSO server:
@@ -125,6 +126,12 @@ private static SsoSession login(SsoContext ssoContext,
         String externalOidcClientSecret = ssoContext.getSsoLocalConfig().getProperty("EXTERNAL_OIDC_CLIENT_SECRET");
         String scope = SsoService.getScopeRequestParameter(request, "");
 
+        // We should request this scope by RFC (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
+        // to have possibility for working with other oidc endpoints.
+        if( ! scope.contains(OPENID_SCOPE)) {
+            scope = scope + " " + OPENID_SCOPE;
+        }
+
         HttpPost post = createPost(externalOidcTokenEndPoint);
         List<BasicNameValuePair> form = new ArrayList<>();
         form.add(new BasicNameValuePair("client_id", externalOidcClientId));