Preface
In Keycloak 14.0.0, when the `/protocol/openid-connect/auth` interface is used to obtain an authorization code, the `scope` parameter is optional, but it does serve a purpose. Here is what you need to know about the `scope` parameter.
Some details of the parameter:
1. The role of the `scope` parameter
- Defining permissions: `scope` is used to declare the resources and permissions for which access is requested. Common values include `openid`, `profile`, `email`, etc.
- Affecting the data returned: if you specify certain scopes in the authorization request, Keycloak will apply those scopes in the subsequent token request and return the corresponding information.
- `openid` is used to indicate that the requester wishes to authenticate using OpenID Connect.
- Getting an ID Token: when you include `openid` in the authorization request, Keycloak returns an ID Token containing the user's identity information; conversely, without `openid` in the scope, no ID Token field is generated.
2. Use of `scope` at different stages
- Authorization request phase (`/protocol/openid-connect/auth`): the `scope` parameter can be passed to specify the requested permissions when the user agrees to the authorization.
- Token request phase (`/protocol/openid-connect/token`): `scope` can also be passed at this stage, but typically, if it has already been specified in the authorization request, there is no need to specify it again here. If `scope` was specified in the authorization request, specifying it again at this stage has no effect; the value given in the authorization request is the one that applies.
3. Examples
The following is an example of a request to get an authorization code:
GET /auth/realms/{realm}/protocol/openid-connect/auth?
response_type=code&
client_id={client_id}&
redirect_uri={redirect_uri}&
scope=openid profile
4. Summary
- Suggestion: although `scope` is optional in authorization requests, to ensure that the correct permissions and data are obtained, it is recommended to include the `scope` parameter.
- Note: in actual development, configuring `scope` sensibly according to your application's needs is very important.
Implementation
OAuth2 authorization code authentication process
1. Configure the client and the scope templates (Keycloak client scopes)
- Default template: the permissions in the default template are enabled regardless of whether the application passes a scope or not.
- Optional templates: chosen by the user and expressed through the scope parameter; they are appended to the default template.
2. Obtaining an authorization code
- The scope here requests the user's email; disclosing it is a step the user consents to by their own choice.
- address:/auth/realms/{realm}/protocol/openid-connect/auth?client_id=dahengshuju&scope=profile email&redirect_uri=&response_type=code
3. Form authentication
- Prompts the user to enter their account and password to log in.
- After a successful login, the user is redirected back to the source page carrying the code.
- The code is single-use: it becomes invalid as soon as it has been used once.
4. Obtaining a token
- Using the code obtained in step 3; the scope limits the scope of the authorization [i.e. the set of fields contained in the token and in the user information obtained from it].
- Step 2 already specified the scope, so specifying it again in this step has no effect; specify it in one of the two places.
- address:/auth/realms/{realm}/protocol/openid-connect/token
- Request body type: x-www-form-urlencoded
- Request parameters:
grant_type:authorization_code
code:3be438fe-8651-4a84-8141-976b76e671e1.75cab95f-a1ec-4b9b-9a6e-8f1ecb651cd6.61d819de-33e4-4006-ae66-dd7609ea2d3e
client_id:dahengshuju
client_secret:9e3de70f-d5cd-4d11-a8aa-85fd3af13265
scope:profile
- This is the (decoded) token when the scope is profile email:
{
"exp": 1727233162,
"iat": 1727231362,
"auth_time": 1727229121,
"jti": "bb296d9d-d521-45b1-aab9-8cb6bea0ddc3",
"iss": "/auth/realms/xx",
"sub": "347c9e9e-076c-45e3-be74-c482fffcc6e5",
"typ": "Bearer",
"azp": "dahengshuju",
"session_state": "75cab95f-a1ec-4b9b-9a6e-8f1ecb651cd6",
"acr": "0",
"scope": "email profile",
"email_verified": false,
"preferred_username": "test",
"locale": "zh-CN",
"email": "bfyxzls@"
}
- This is the (decoded) token when the scope is profile; it contains no email information:
{
"exp": 1727233521,
"iat": 1727231721,
"auth_time": 1727229121,
"jti": "f7de8ad9-7558-4f4a-8761-8724f685febb",
"iss": "/auth/realms/xx",
"sub": "347c9e9e-076c-45e3-be74-c482fffcc6e5",
"typ": "Bearer",
"azp": "dahengshuju",
"session_state": "75cab95f-a1ec-4b9b-9a6e-8f1ecb651cd6",
"acr": "0",
"scope": "profile",
"preferred_username": "test",
"locale": "zh-CN"
}
5. Obtaining user information via the access_token
- The user information is mainly obtained by parsing the content of the token.
- address:/auth/realms/{realm}/protocol/openid-connect/userinfo
- Request header: Authorization: Bearer {access_token}
{
"sub": "347c9e9e-076c-45e3-be74-c482fffcc6e5",
"email_verified": false,
"preferred_username": "test",
"locale": "zh-CN",
"email": "xxx@"
}
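As an added example (not code from the original post or from Keycloak), the following Python builds the step 2 authorization URL and then reads a token the way a relying party should: a claim such as email is only trusted when the token's scope claim actually contains the email scope. Base URL, realm and client values are placeholders; the tokens are constructed and unsigned, so signature verification against the realm's JWKS is assumed to happen before decode_claims is called.

```python
import base64
import json
from urllib.parse import urlencode


def build_auth_url(base_url, realm, client_id, redirect_uri, scopes):
    """Authorization request to Keycloak's /protocol/openid-connect/auth (step 2)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned JWT for offline testing; real Keycloak tokens are signed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_claims(token: str) -> dict:
    """Read the payload segment only. Assumes the signature was already verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Claims that the profile and email client scopes add, as seen in the two tokens above.
SCOPE_CLAIMS = {"profile": {"preferred_username", "locale"},
                "email": {"email", "email_verified"}}


def scoped_claims(token: str, needed_scopes) -> dict:
    """Return only claims backed by a granted scope; raise if a needed scope is missing.

    A relying party should not read `email` out of a token whose `scope` claim
    lacks `email`, even if the claim happens to be present in the payload.
    """
    claims = decode_claims(token)
    granted = set(claims.get("scope", "").split())
    missing = set(needed_scopes) - granted
    if missing:
        raise PermissionError(f"token lacks scope(s): {sorted(missing)}")
    allowed = {"sub"} | set().union(*(SCOPE_CLAIMS.get(s, set()) for s in granted))
    return {k: v for k, v in claims.items() if k in allowed}
```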