fix client scope non-default, add support too large access tokens on authorization flow (#660)

4rthem · web-flow · commit 2fc14609a1c8 · 2025-09-25T15:22:39.000+02:00
diff --git a/configurator/src/Configurator/Vendor/Keycloak/KeycloakConfigurator.php b/configurator/src/Configurator/Vendor/Keycloak/KeycloakConfigurator.php
@@ -103,7 +103,9 @@ private function configureClients(): void
             'openid',
             'groups',
         ] as $scope) {
-            $this->keycloakManager->createScope($scope);
+            $this->keycloakManager->createScope($scope, [
+                'type' => 'default',
+            ]);
         }
 
         foreach ($this->getAppScopes() as $app => $appScopes) {
@@ -140,7 +142,7 @@ private function configureClients(): void
 
             if (isset($appScopes[$app])) {
                 foreach ($appScopes[$app] as $scope) {
-                    $this->keycloakManager->addScopeToClient($scope, $clientData['id']);
+                    $this->keycloakManager->addScopeToClient($scope, $clientData['id'], false);
                 }
             }
         }
@@ -170,7 +172,7 @@ private function configureClients(): void
             );
 
             foreach ($this->getAppScopes()['databox'] as $scope) {
-                $this->keycloakManager->addScopeToClient($scope, $clientData['id']);
+                $this->keycloakManager->addScopeToClient($scope, $clientData['id'], false);
             }
         }
     }
@@ -240,7 +242,7 @@ private function configureClient(
             'openid',
             'profile',
         ] as $scope) {
-            $this->keycloakManager->addScopeToClient($scope, $clientData['id']);
+            $this->keycloakManager->addScopeToClient($scope, $clientData['id'], true);
         }
 
         return $clientData;
@@ -318,9 +320,9 @@ private function getBooleanEnv(string $name, bool $defaultValue = false): bool
 
     private function configureDefaultClientScopes(): void
     {
-        $rolesScope = $this->keycloakManager->getDefaultClientScopesByName('roles');
+        $rolesScope = $this->keycloakManager->getDefaultClientScopeByName('roles');
         if (null === $rolesScope) {
-            throw new \InvalidArgumentException(sprintf('Scope named "roles" not found in client scopes'));
+            throw new \InvalidArgumentException('Scope named "roles" not found in client scopes');
         }
         $scopeId = $rolesScope['id'];
 
diff --git a/configurator/src/Configurator/Vendor/Keycloak/KeycloakManager.php b/configurator/src/Configurator/Vendor/Keycloak/KeycloakManager.php
@@ -109,11 +109,11 @@ public function getDefaultClientScopes(): array
         ]))->toArray();
     }
 
-    public function getDefaultClientScopesByName(string $name): ?array
+    public function getDefaultClientScopeByName(string $name): ?array
     {
         $scopes = $this->getDefaultClientScopes();
         foreach ($scopes as $scope) {
-            if ('roles' === $scope['name']) {
+            if ($name === $scope['name']) {
                 return $scope;
             }
         }
@@ -232,12 +232,19 @@ private function getScopeByName(string $name): ?array
         return null;
     }
 
-    public function addScopeToClient(string $scope, string $clientId): void
+    public function addScopeToClient(string $scope, string $clientId, bool $isDefault): void
     {
         $scopeData = $this->getScopeByName($scope);
 
         HttpClientUtil::debugError(fn () => $this->getAuthenticatedClient()
-            ->request('PUT', UriTemplate::resolve('{realm}/clients/{clientId}/default-client-scopes/{scopeId}', [
+            ->request('DELETE', UriTemplate::resolve('{realm}/clients/{clientId}/'.(!$isDefault ? 'default' : 'optional').'-client-scopes/{scopeId}', [
+                'realm' => $this->keycloakRealm,
+                'clientId' => $clientId,
+                'scopeId' => $scopeData['id'],
+            ])), 404, []);
+
+        HttpClientUtil::debugError(fn () => $this->getAuthenticatedClient()
+            ->request('PUT', UriTemplate::resolve('{realm}/clients/{clientId}/'.($isDefault ? 'default' : 'optional').'-client-scopes/{scopeId}', [
                 'realm' => $this->keycloakRealm,
                 'clientId' => $clientId,
                 'scopeId' => $scopeData['id'],
diff --git a/lib/php/auth-bundle/Security/OAuthAuthorizationAuthenticator.php b/lib/php/auth-bundle/Security/OAuthAuthorizationAuthenticator.php
@@ -34,6 +34,7 @@ public function __construct(
         private readonly UrlGeneratorInterface $urlGenerator,
         private readonly KeycloakUrlGenerator $keycloakUrlGenerator,
         private readonly AuthStateEncoder $authStateEncoder,
+        private readonly JwtExtractor $jwtExtractor,
         private readonly string $clientId,
     ) {
     }
@@ -61,7 +62,12 @@ public function authenticate(Request $request): Passport
         $accessTokenBadge = new AccessTokenBadge($accessToken);
         $refreshTokenBadge = new RefreshTokenBadge($refreshToken);
 
-        return new SelfValidatingPassport(new UserBadge($accessToken), [
+        $token = $this->jwtExtractor->parseJwt($accessToken);
+        $user = $this->jwtExtractor->getUserFromToken($token);
+
+        return new SelfValidatingPassport(new UserBadge($user->getUserIdentifier(), function () use ($user): JwtUser|JwtOauthClient {
+            return $user;
+        }), [
             $accessTokenBadge,
             $refreshTokenBadge,
         ]);

Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,9 @@ private function configureClients(): void`
`103`	`103`	`'openid',`
`104`	`104`	`'groups',`
`105`	`105`	`] as $scope) {`
`106`		`- $this->keycloakManager->createScope($scope);`
	`106`	`+ $this->keycloakManager->createScope($scope, [`
	`107`	`+ 'type' => 'default',`
	`108`	`+ ]);`
`107`	`109`	`}`
`108`	`110`
`109`	`111`	`foreach ($this->getAppScopes() as $app => $appScopes) {`
`@@ -140,7 +142,7 @@ private function configureClients(): void`
`140`	`142`
`141`	`143`	`if (isset($appScopes[$app])) {`
`142`	`144`	`foreach ($appScopes[$app] as $scope) {`
`143`		`- $this->keycloakManager->addScopeToClient($scope, $clientData['id']);`
	`145`	`+ $this->keycloakManager->addScopeToClient($scope, $clientData['id'], false);`
`144`	`146`	`}`
`145`	`147`	`}`
`146`	`148`	`}`
`@@ -170,7 +172,7 @@ private function configureClients(): void`
`170`	`172`	`);`
`171`	`173`
`172`	`174`	`foreach ($this->getAppScopes()['databox'] as $scope) {`
`173`		`- $this->keycloakManager->addScopeToClient($scope, $clientData['id']);`
	`175`	`+ $this->keycloakManager->addScopeToClient($scope, $clientData['id'], false);`
`174`	`176`	`}`
`175`	`177`	`}`
`176`	`178`	`}`
`@@ -240,7 +242,7 @@ private function configureClient(`
`240`	`242`	`'openid',`
`241`	`243`	`'profile',`
`242`	`244`	`] as $scope) {`
`243`		`- $this->keycloakManager->addScopeToClient($scope, $clientData['id']);`
	`245`	`+ $this->keycloakManager->addScopeToClient($scope, $clientData['id'], true);`
`244`	`246`	`}`
`245`	`247`
`246`	`248`	`return $clientData;`
`@@ -318,9 +320,9 @@ private function getBooleanEnv(string $name, bool $defaultValue = false): bool`
`318`	`320`
`319`	`321`	`private function configureDefaultClientScopes(): void`
`320`	`322`	`{`
`321`		`- $rolesScope = $this->keycloakManager->getDefaultClientScopesByName('roles');`
	`323`	`+ $rolesScope = $this->keycloakManager->getDefaultClientScopeByName('roles');`
`322`	`324`	`if (null === $rolesScope) {`
`323`		`- throw new \InvalidArgumentException(sprintf('Scope named "roles" not found in client scopes'));`
	`325`	`+ throw new \InvalidArgumentException('Scope named "roles" not found in client scopes');`
`324`	`326`	`}`
`325`	`327`	`$scopeId = $rolesScope['id'];`
`326`	`328`
Original file line number	Diff line number	Diff line change
`@@ -109,11 +109,11 @@ public function getDefaultClientScopes(): array`
`109`	`109`	`]))->toArray();`
`110`	`110`	`}`
`111`	`111`
`112`		`- public function getDefaultClientScopesByName(string $name): ?array`
	`112`	`+ public function getDefaultClientScopeByName(string $name): ?array`
`113`	`113`	`{`
`114`	`114`	`$scopes = $this->getDefaultClientScopes();`
`115`	`115`	`foreach ($scopes as $scope) {`
`116`		`- if ('roles' === $scope['name']) {`
	`116`	`+ if ($name === $scope['name']) {`
`117`	`117`	`return $scope;`
`118`	`118`	`}`
`119`	`119`	`}`
`@@ -232,12 +232,19 @@ private function getScopeByName(string $name): ?array`
`232`	`232`	`return null;`
`233`	`233`	`}`
`234`	`234`
`235`		`- public function addScopeToClient(string $scope, string $clientId): void`
	`235`	`+ public function addScopeToClient(string $scope, string $clientId, bool $isDefault): void`
`236`	`236`	`{`
`237`	`237`	`$scopeData = $this->getScopeByName($scope);`
`238`	`238`
`239`	`239`	`HttpClientUtil::debugError(fn () => $this->getAuthenticatedClient()`
`240`		`- ->request('PUT', UriTemplate::resolve('{realm}/clients/{clientId}/default-client-scopes/{scopeId}', [`
	`240`	`+ ->request('DELETE', UriTemplate::resolve('{realm}/clients/{clientId}/'.(!$isDefault ? 'default' : 'optional').'-client-scopes/{scopeId}', [`
	`241`	`+ 'realm' => $this->keycloakRealm,`
	`242`	`+ 'clientId' => $clientId,`
	`243`	`+ 'scopeId' => $scopeData['id'],`
	`244`	`+ ])), 404, []);`
	`245`	`+`
	`246`	`+ HttpClientUtil::debugError(fn () => $this->getAuthenticatedClient()`
	`247`	`+ ->request('PUT', UriTemplate::resolve('{realm}/clients/{clientId}/'.($isDefault ? 'default' : 'optional').'-client-scopes/{scopeId}', [`
`241`	`248`	`'realm' => $this->keycloakRealm,`
`242`	`249`	`'clientId' => $clientId,`
`243`	`250`	`'scopeId' => $scopeData['id'],`