Closed francoisauclair911 closed 1 year ago
Thanks @francoisauclair911 for your report.
openid scope is already present since version 1.2.1 (December 29, 2022):
https://github.com/cuzy-app/humhub-modules-auth-keycloak/blob/master/authclient/Keycloak.php#L53
I'm using this module with Keycloak 19, 20 and 21 with success. Can you check the version of the module installed on your HumHub instance?
I'm closing the issue, but you can reopen it if the problem is not solved.
Hi,
Issue
Keycloak 19.0.2 now requires the access token to include the openid scope in the token. This module doesn't pass the scope in its query parameter on auth request.
By missing the openid scope in the token, the user gets redirected to the login screen without any error message. Keycloak logs show the following:
2023-06-20 15:47:58,683 WARN [org.keycloak.events] (executor-thread-146) type=USER_INFO_REQUEST_ERROR, realmId=network, clientId=null, userId=null, ipAddress=18.200.143.123, error=access_denied, auth_method=validate_access_token
Fix
Have the following query parameter added to the auth request
&scope=openid
See this for more details (section Other Changes) https://github.com/keycloak/keycloak/pull/14237
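A diagnostic sketch for the symptom discussed in this thread, added here as an example and not part of the original posts or the module's code: it parses a Keycloak event log line of the form quoted above and checks whether an authorization request URL asks for the openid scope. The host `keycloak.example`, the client id, the redirect URI and the documentation IP address are constructed sample values.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Keycloak event line layout as quoted in the issue: "... type=X, key=value, ..."
EVENT_RE = re.compile(r"\[org\.keycloak\.events\].*?\b(type=.*)$")

# Constructed sample, adapted from the log line in the issue.
SAMPLE_LOG = ("2023-06-20 15:47:58,683 WARN [org.keycloak.events] "
              "(executor-thread-146) type=USER_INFO_REQUEST_ERROR, realmId=network, "
              "clientId=null, userId=null, ipAddress=192.0.2.10, "
              "error=access_denied, auth_method=validate_access_token")

# Constructed authorization request URLs, without and with the scope parameter.
BASE = ("https://keycloak.example/realms/network/protocol/openid-connect/auth"
        "?client_id=humhub&response_type=code"
        "&redirect_uri=https%3A%2F%2Fhumhub.example%2Fcallback")
URL_WITHOUT = BASE
URL_WITH = BASE + "&scope=openid+profile"

def parse_event(line):
    """Return the key=value fields of a Keycloak event log line, or None."""
    match = EVENT_RE.search(line)
    if not match:
        return None
    fields = {}
    for part in match.group(1).split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_userinfo_rejection(fields):
    """True for the UserInfo rejection signature shown in the issue."""
    return (fields is not None
            and fields.get("type") == "USER_INFO_REQUEST_ERROR"
            and fields.get("error") == "access_denied"
            and fields.get("auth_method") == "validate_access_token")

def requests_openid(auth_url):
    """True if the authorization request URL asks for the openid scope."""
    query = parse_qs(urlsplit(auth_url).query)
    # scope is a space-delimited list; compare whole tokens, not substrings
    scopes = " ".join(query.get("scope", [])).split()
    return "openid" in scopes

if __name__ == "__main__":
    print(is_userinfo_rejection(parse_event(SAMPLE_LOG)), requests_openid(URL_WITHOUT))
```

A matching log event is a prompt to inspect the scope of the authorization request, not proof of the cause.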