Fowarding scopes when initializing the JS adapter

Closes #35060 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-01-10 15:32:05 -03:30 · 2024-11-18 17:27:30 -03:00 · 2024-11-18 17:27:30 -03:00 · 0d32d03c58
commit 0d32d03c58
parent 9c348562b5
4 changed files with 35 additions and 1 deletions
--- a/js/apps/account-ui/maven-resources/theme/keycloak.v3/account/index.ftl
+++ b/js/apps/account-ui/maven-resources/theme/keycloak.v3/account/index.ftl
@ -165,7 +165,8 @@
          "updateEmailActionEnabled": ${updateEmailActionEnabled?c},
          "isViewGroupsEnabled": ${isViewGroupsEnabled?c},
          "isOid4VciEnabled": ${isOid4VciEnabled?c}
-        }
+        },
+        "scope": "${scope!""}"
      }
    </script>
  </body>
--- a/js/libs/ui-shared/src/context/KeycloakContext.tsx
+++ b/js/libs/ui-shared/src/context/KeycloakContext.tsx
@ -70,6 +70,7 @@ export const KeycloakProvider = <T extends BaseEnvironment>({
        onLoad: "check-sso",
        pkceMethod: "S256",
        responseMode: "query",
+        scope: environment.scope,
      });

    init()
--- a/js/libs/ui-shared/src/context/environment.ts
+++ b/js/libs/ui-shared/src/context/environment.ts
@ -19,6 +19,8 @@ export type BaseEnvironment = {
  logo: string;
  /** The URL to be followed when the logo is clicked. */
  logoUrl: string;
+  /** The scopes to be requested when sending authorization requests*/
+  scope?: string;
 };

 /**
--- a/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java
+++ b/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java
@ -13,6 +13,9 @@ import org.keycloak.authentication.requiredactions.DeleteAccount;
 import org.keycloak.common.Profile;
 import org.keycloak.common.Version;
 import org.keycloak.common.util.Environment;
+import org.keycloak.models.AuthenticatedClientSessionModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.utils.PkceUtils;
 import org.keycloak.utils.SecureContextResolver;
 import org.keycloak.models.AccountRoles;
@ -143,6 +146,12 @@ public class AccountConsole implements AccountResourceProvider {
        map.put("resourceCommonUrl", Urls.themeRoot(serverBaseUri).getPath() + "/common/keycloak");
        map.put("resourceVersion", Version.RESOURCES_VERSION);

+        var requestedScopes = getRequestedScopes();
+
+        if (requestedScopes != null) {
+            map.put(OIDCLoginProtocol.SCOPE_PARAM, requestedScopes);
+        }
+
        String[] referrer = getReferrer();
        if (referrer != null) {
            map.put("referrer", referrer[0]);
@ -353,4 +362,25 @@ public class AccountConsole implements AccountResourceProvider {
        return new String[]{referrer, referrerName, referrerUri};
    }

+    private String getRequestedScopes() {
+        if (auth == null) {
+            return null;
+        }
+
+        UserSessionModel userSession = auth.getSession();
+
+        if (userSession == null) {
+            return null;
+        }
+
+        for (AuthenticatedClientSessionModel c : userSession.getAuthenticatedClientSessions().values()) {
+            ClientModel client = c.getClient();
+
+            if (Constants.ACCOUNT_CONSOLE_CLIENT_ID.equals(client.getClientId())) {
+                return c.getNote(OIDCLoginProtocol.SCOPE_PARAM);
+            }
+        }
+
+        return null;
+    }
 }