Understanding OIDCLoginProtocol.SCOPE_PARAM in Keycloak

When integrating with Keycloak for OpenID Connect (OIDC) authentication, you might encounter code like:

clientSessionCtx.getClientSession()
    .setNote(OIDCLoginProtocol.SCOPE_PARAM, "openid");

This small line plays a big role in deciding whether you get an ID Token (and identity claims) or just an Access Token.

What is OIDCLoginProtocol.SCOPE_PARAM?

OIDCLoginProtocol.SCOPE_PARAM corresponds to the scope parameter in an OIDC authentication request. Scopes tell the Identity Provider (IdP) what kind of information and tokens the client is asking for.

In OIDC, the "openid" scope is mandatory to receive an ID token.

Case 1: Passing "openid"

Flow

When you set the scope to "openid", Keycloak treats this as an OpenID Connect request:

  1. OIDC flow is triggered instead of pure OAuth 2.0.

  2. Keycloak issues:

    • ID Token (JWT) containing user identity claims.

    • Access Token for API access.

    • Optionally, a Refresh Token.

  3. ID Token contains claims like:

    • sub (subject identifier)

    • name

    • email

    • preferred_username

    • auth_time

Example Output

ID Token (decoded):

{
  "iss": "https://auth.example.com/realms/myrealm",
  "sub": "b9a8c347-xxxx-xxxx-xxxx-4e0f9829e023",
  "preferred_username": "jatin",
  "email": "jatin@example.com",
  "auth_time": 1692349873,
  "iat": 1692349873,
  "exp": 1692353473
}

Access Token is still issued, containing authorization data.

Case 2: Not Passing "openid"

Flow

If you skip setting "openid", Keycloak defaults to pure OAuth 2.0:

  1. No ID Token is issued.

  2. You only get:

    • Access Token (for API calls)

    • Optionally, a Refresh Token.

  3. Limited claims are available, and they’re meant for authorization, not identity.

Example Output

Access Token only:

{
  "iss": "https://auth.example.com/realms/myrealm",
  "sub": "b9a8c347-xxxx-xxxx-xxxx-4e0f9829e023",
  "resource_access": {
    "my-client": { "roles": ["user"] }
  },
  "scope": "profile email"
}

Why This Matters

  • With "openid" → You’re requesting OIDC authentication and full identity info.

  • Without "openid" → You’re using OAuth 2.0 only, suitable for API calls where identity data isn’t needed.

Summary Table

Scenario "openid" Passed "openid" Not Passed
Protocol Mode OIDC OAuth 2.0 only
ID Token ✅ Present ❌ Not issued
Access Token ✅ Present ✅ Present
Identity Claims ✅ Available in ID Token ❌ Limited in Access Token
Use Case User login + profile retrieval API access without login

Key Takeaways

  • Always include "openid" in scope for login flows.

  • Without it, you won’t get ID tokens or full identity claims.

  • Forgetting this in custom Keycloak flows can silently break logic expecting identity info.

Comments

Post a Comment

Popular posts from this blog

Handling Apple "Hide My Email" in Your Login System: Best Practices

Apple’s Hide My Email feature allows users to create randomized relay email addresses (like abcd@privaterelay.appleid.com ) when signing up for apps. These relay addresses forward to the user’s real inbox, keeping their primary email private. While great for privacy, this creates a challenge for app developers: 👉 Should relay emails map to the original account, or should they create entirely new accounts? Let’s explore the scenarios and best practices. 🔹 The Core Problem When a user interacts with your platform, they might: Sign up with their normal email (e.g., user@gmail.com ) Later sign in using Apple’s relay email (e.g., abcd@privaterelay.appleid.com ) Or vice versa — start with the relay email and later try logging in with their normal email. If your system only treats email as the identity key, this results in duplicate accounts , lost history, and poor user experience. 🔹 Key to the Solution: Apple’s Unique Identifier ( sub ) Apple provides a stable, unique ident...
Read more

Understanding the failedLogin() Method with Sequence Diagram

Image
When a login attempt fails, the failedLogin() method is triggered to log the event. Let’s break it down step-by-step so even a fresher can understand: Method Overview public void failedLogin( RealmModel realm, UserModel user, ClientConnection clientConnection) { try { FailedLogin event = new FailedLogin(realm.getId(), user.getId(), clientConnection. getRemoteAddr ()); this.queue.offer(event); event.latch.await(5L, TimeUnit.SECONDS ); } catch ( InterruptedException var5) { // Interrupted while waiting } logger.trace("sent failure event"); } Step-by-Step Explanation: Trigger on Failed Login – Whenever a user enters the wrong credentials, this method is called. Create a Failed Login Event – The FailedLogin object stores details such as: realmId – The security domain in which the login failed. userId – The user who failed to log in. remoteAddress – The IP address from where the attempt was made. Add to...
Read more