
When I access the /openid-connect/token endpoint using the admin-cli client_id I can see more/different info in the payload of the returned access_token compared to when the token is injected into my bean by the Quarkus OIDC/Keycloak extension.

Here are some samples:

{
  "exp": 1671084133,
  "iat": 1671083533,
  "jti": "b95bac0a-f95e-413d-b2cd-3b97fcf5f3c8",
  "iss": "http://localhost:51521/realms/my-realm",
  "sub": "cda64011-47a8-4a6a-8aac-06c7db6fc593",
  "typ": "Bearer",
  "azp": "admin-cli",
  "session_state": "be12a28b-4143-4bbf-9914-c8454d93f50f",
  "acr": "1",
  "scope": "profile email",
  "sid": "be12a28b-4143-4bbf-9914-c8454d93f50f",
  "email_verified": false,
  "preferred_username": "test",
  "given_name": "vasia",
  "family_name": "pupkin",
  "email": "test@test.com"
}

Versus

{
  "exp": 1671086253,
  "iat": 1671085653,
  "auth_time": 1671085653,
  "jti": "05e9f66d-54a1-440b-9295-3ebd681a853a",
  "iss": "http://localhost:51521/realms/my-realm",
  "sub": "cda64011-47a8-4a6a-8aac-06c7db6fc593",
  "typ": "Bearer",
  "azp": "my-app",
  "session_state": "ba00821c-1556-4214-90d7-5f2a55b0074a",
  "scope": "openid microprofile-jwt",
  "sid": "ba00821c-1556-4214-90d7-5f2a55b0074a",
  "upn": "test",
  "groups": [
    "offline_access",
    "admin",
    "uma_authorization",
    "default-roles-collar-club"
  ]
}

I'm interested in still getting the groups (for role-based access) as well as the given_name, family_name and email properties in my Quarkus app. I tried to specify quarkus.oidc.authentication.scopes=openid,profile,groups and get an error in the URL redirected from Keycloak:

2022-12-14 23:11:19,984 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-2) Authentication has failed, error: invalid_scope, description: Invalid scopes: openid openid profile groups
zeppelinux

2 Answers


openid is always added by Quarkus, and Keycloak does not like duplicate scope values, so remove openid.

Sergey Beryozkin
  • After openid is removed it fails with: 2023-02-02 00:52:14,896 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Authentication has failed, error: invalid_scope, description: Invalid scopes: openid profile groups – zeppelinux Feb 02 '23 at 08:54
  • I still need your help with this, please. – zeppelinux Feb 23 '23 at 01:54
  • Hi, I think it is a Keycloak setup issue. As far as Quarkus is concerned, it passes the requested scopes to KC. Probably 'groups' is not supported; AFAIK it is enabled indirectly via an mpjwt option in KC. So my guess is you need to have the openid and profile scopes only; if it does not work then please open a Keycloak GitHub Discussion and CC me as @sberyozkin, thanks – Sergey Beryozkin Feb 23 '23 at 19:33

Figured it out... For anybody looking to achieve the same: make sure you have the right scope(s) added to the client in Keycloak (Clients -> Client Scopes -> Add client scope). [screenshot with the email scope added to the client]

zeppelinux