keycloak / keycloak-operator

ARCHIVED Kubernetes Operator for the no longer supported WildFly distribution of Keycloak
Apache License 2.0

Self-defined client scopes remove all default client scopes #497

Closed manu11th closed 1 year ago

manu11th commented 2 years ago

Describe the bug

A KeycloakRealm CR with the clientScopes field defined and containing some self-defined client scopes creates a realm in Keycloak which only contains the self-defined client scopes and NOT the default client scopes like email, profile, address, roles, role_list, etc.

Version

16.1.0

Expected behavior

When creating a KeycloakRealm CR with the clientScopes field defined and containing some self-defined client scopes, a realm is created which contains the self-defined client scopes AND the default client scopes like email, profile, roles, address, etc.

Actual behavior

When creating a KeycloakRealm CR with the clientScopes field defined and containing some self-defined client scopes, a realm is created which only contains the self-defined client scopes and NOT the default client scopes like email, profile, address, roles, role_list, etc.

How to Reproduce?

Create a realm with no client scopes defined:

apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  name: test-realm
  labels:
    realm: test-realm
spec:
  instanceSelector:
    matchLabels:
      keycloak: keycloak-label
  realm:
    id: "test"
    realm: "test"
    enabled: True
    displayName: "test Realm"

Have a look at the Keycloak UI and see all the default client scopes like email, address, roles, etc.

Now create another realm with client scopes defined:

apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  name: test-realm
  labels:
    realm: test-realm
spec:
  instanceSelector:
    matchLabels:
      keycloak: keycloak-label
  realm:
    realm: "test"
    enabled: True
    displayName: "test Realm"
    clientScopes:
      - name: additional-token-claims
        protocol: openid-connect
        protocolMappers:
          - name: realm-claim-mapper
            protocol: openid-connect
            protocolMapper: oidc-hardcoded-claim-mapper
            config:
              access.token.claim: "true"
              userinfo.token.claim: "true"
              id.token.claim: "true"
              claim.name: test
              claim.value: my-test-value
              jsonType.label: String

Have a look at the Keycloak UI and compare the client scopes of the two created realms. The first contains all default client scopes; the second one only contains the self-defined client scopes.

Anything else?
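To check the two realms from the reproduction above through the Admin REST API instead of the UI, here is an added example (not part of the report or of the operator): it lists each realm's client scopes and reports which of the default scopes named in the report are missing. The endpoint `GET {base_url}/admin/realms/{realm}/client-scopes` is the standard admin API; `base_url` is assumed to include the context path (e.g. `https://host/auth` on the WildFly distribution), and the sample listings are constructed to mirror the two realms described.

```python
import json
import urllib.request

# Default client scopes named in the report (Keycloak 16.1.0). Extend this set
# to match what your Keycloak version ships (e.g. offline_access, web-origins).
DEFAULT_SCOPES = frozenset({"email", "profile", "address", "roles", "role_list"})


def fetch_client_scopes(base_url, realm, token):
    """Admin REST call: GET /admin/realms/{realm}/client-scopes with a bearer token."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/realms/{realm}/client-scopes",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def missing_default_scopes(scopes):
    """Return the default scope names absent from a client-scopes listing, sorted."""
    present = {scope["name"] for scope in scopes}
    return sorted(DEFAULT_SCOPES - present)


def compare_realms(realm_scopes):
    """Map realm name -> list of missing default scopes, for several realms at once."""
    return {realm: missing_default_scopes(scopes) for realm, scopes in realm_scopes.items()}


# Constructed sample listings standing in for the two realms from the report:
# the first created without clientScopes, the second with one custom scope.
SAMPLE = {
    "test-no-scopes": [
        {"name": n, "protocol": "openid-connect"}
        for n in ("email", "profile", "address", "roles", "role_list")
    ],
    "test-custom-scopes": [
        {"name": "additional-token-claims", "protocol": "openid-connect"}
    ],
}

if __name__ == "__main__":
    # Against a live server, replace SAMPLE with
    # {r: fetch_client_scopes(base_url, r, token) for r in ("test", ...)}.
    for realm, missing in compare_realms(SAMPLE).items():
        print(realm, "OK" if not missing else f"missing defaults: {missing}")
```

A non-empty list for a realm means clients in that realm cannot be assigned the standard scopes (and will not get the claims those scopes' mappers emit) until they are added back.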

andreaTP commented 2 years ago

Hi @manu11th ,

I do believe that this is the actual behaviour of the keycloak distribution itself, and is not something introduced by the operator.

Do you want to elaborate on the reason for opening this issue in this repo rather than in keycloak/keycloak, with a repro directly using the REST API?

stianst commented 1 year ago

Thanks (again) for reporting this issue. Keycloak 19 was the last version that included this legacy Operator, and with the release of Keycloak 20 the Operator reached EOL and this repository will be archived; please see our blog post on this topic. If this issue is still valid for the Realm Operator, please re-open it there. Thanks for your understanding, and be sure to check out our new Operator!