Add openid scope in Allowed Client Scopes options of client registration access policies

Closes #42339 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr> Co-authored-by: KONSTANTINOS GEORGILAKIS <55974447+cgeorgilakis@users.noreply.github.com> Co-authored-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2026-01-09 23:12:06 -03:30 · 2025-09-12 14:19:58 +02:00 · 2025-09-12 14:19:58 +02:00 · cb5a768129
commit cb5a768129
parent d02f6468f0
2 changed files with 8 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/services/clientregistration/policy/impl/ClientScopesClientRegistrationPolicyFactory.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/policy/impl/ClientScopesClientRegistrationPolicyFactory.java
@ -22,6 +22,7 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.stream.Collectors;

+import org.keycloak.OAuth2Constants;
 import org.keycloak.component.ComponentModel;
 import org.keycloak.component.ComponentValidationException;
 import org.keycloak.models.ClientScopeModel;
@ -88,7 +89,12 @@ public class ClientScopesClientRegistrationPolicyFactory extends AbstractClientR
        if (realm == null) {
            return Collections.emptyList();
        } else {
-            return realm.getClientScopesStream().map(ClientScopeModel::getName).collect(Collectors.toList());
+            List<String> scopes = realm.getClientScopesStream().map(ClientScopeModel::getName).collect(Collectors.toList());
+            //add openid scope if not exists
+            if (!scopes.contains(OAuth2Constants.SCOPE_OPENID)) {
+                scopes.add(OAuth2Constants.SCOPE_OPENID);
+            }
+            return scopes;
        }
    }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationPoliciesTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationPoliciesTest.java
@ -383,6 +383,7 @@ public class ClientRegistrationPoliciesTest extends AbstractClientRegistrationTe
        List<String> clientScopes = getProviderConfigProperty(clientScopeRep, ClientScopesClientRegistrationPolicyFactory.ALLOWED_CLIENT_SCOPES);
        Assert.assertFalse(clientScopes.isEmpty());
        Assert.assertTrue(clientScopes.contains(OAuth2Constants.SCOPE_PROFILE));
+        Assert.assertTrue(clientScopes.contains(OAuth2Constants.SCOPE_OPENID));
        Assert.assertFalse(clientScopes.contains("foo"));
        Assert.assertFalse(clientScopes.contains("bar"));