From d97d62dead0a7b75929dec89ab072b87a0d889dd Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 17 Nov 2023 10:50:32 +0100 Subject: [PATCH] docs: Mention that Keycloak requires openid scope See: https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes Signed-off-by: Christian Heimes Reviewed-By: Alexander Bokovoy --- doc/workshop/12-external-idp-support.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/workshop/12-external-idp-support.rst b/doc/workshop/12-external-idp-support.rst index 8df19bbcd..022c26483 100644 --- a/doc/workshop/12-external-idp-support.rst +++ b/doc/workshop/12-external-idp-support.rst @@ -391,6 +391,11 @@ for Keycloak or Red Hat SSO IdPs. The template expects both Keycloak's realm typically deployed as a part of a larger solution. These options may not be needed for other pre-defined templates like Google or Github. +The `openid` scope is mandatory since +[Keycloak 19.0.2](https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes). +Without the `openid` scope, Keycloak refuses userinfo requests with HTTP +response 403: `invalid_scope` `Missing openid scope`. + Associate IdP reference with IPA user -------------------------------------
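Review bot: The added paragraph in doc/workshop/12-external-idp-support.rst uses Markdown markup inside a reStructuredText file. The link written as [Keycloak 19.0.2](https://www.keycloak.org/...) will render as literal bracketed text rather than a hyperlink, and the single backticks around openid, invalid_scope and Missing openid scope are RST interpreted text (default role), not inline literals. Suggest the RST external-link form `Keycloak 19.0.2 <https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes>`_ and double backticks for the literals, for example ``openid``. The link also targets docs/latest while the sentence names a specific release, so the anchor can drift as the upgrading guide changes; a version-pinned URL would keep the reference stable.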