
I am doing the sso sample (travelocity.com) example. When I am trying to access user info with an oauth access token using this command,

curl -k -H "Authorization: Bearer b68ba941c9da3d2644d8a63154d28" https://localhost:9443/oauth2/userinfo?schema=openid

I am getting the following error

{"error":"insufficient_scope","error_description":"Access token does not have the openid scope"}

please help, thank you

deen

3 Answers


When you make the first request to the authorization endpoint, you have to include openid in the scope request parameter. OpenID Connect Core 1.0, 3.1.2.1. Authentication Request says as follows.

scope

REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. See Sections 5.4 and 11 for additional scope values defined by this specification.

Takahiko Kawasaki
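The following is an added example, not code from the question, the answers, WSO2 Identity Server or Keycloak. It walks the `openid` scope through the two places the answer above talks about: the client builds an authentication request whose `scope` parameter contains `openid` (and refuses to build one without it), the server reads that parameter and drops scope values it does not understand, as the quoted spec text says it SHOULD, and a simplified userinfo check returns the exact `insufficient_scope` error from the question when the token was granted without `openid`. The authorize endpoint path, the redirect URI, the extra scope names and the token record format are assumptions made for the example; the userinfo logic is a stand-in for the server's own, not its real implementation.

```python
"""Added example: how the `openid` scope travels from the authentication
request to the userinfo check (OpenID Connect Core 1.0, section 3.1.2.1).

Assumptions (not stated on the page): the endpoint paths, redirect URI and
scope names other than `openid` are constructed; `userinfo` below is a
simplified stand-in for a real server's check, not WSO2 or Keycloak code.
"""
from urllib.parse import urlencode, urlparse, parse_qs

# Scope values this toy server understands. The spec says values that are
# not understood SHOULD be ignored, so unknown ones are dropped, not rejected.
KNOWN_SCOPES = {"openid", "profile", "email"}


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scopes, state):
    """Client side: build an OIDC authentication request URL.

    `openid` is REQUIRED; fail early instead of sending a request whose
    behaviour the spec calls 'entirely unspecified'.
    """
    if "openid" not in scopes:
        raise ValueError("OpenID Connect requests MUST include the 'openid' scope")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # scope values are space-delimited
        "state": state,             # CSRF binding between request and callback
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_requested_scopes(authorization_url):
    """Server side: read the `scope` parameter of an incoming authentication
    request and keep only the values this server understands."""
    query = parse_qs(urlparse(authorization_url).query)
    requested = query.get("scope", [""])[0].split()
    return [s for s in requested if s in KNOWN_SCOPES]


def issue_token(granted_scopes):
    """Constructed token record. A real server stores this keyed by the
    opaque access-token string it hands back to the client."""
    return {"access_token": "constructed-opaque-token", "scope": set(granted_scopes)}


def userinfo(token_record):
    """Simplified userinfo endpoint: the token must carry `openid`.

    Returns (http_status, body). 403 is the status RFC 6750 pairs with
    insufficient_scope; the body mirrors the error from the question.
    """
    if "openid" not in token_record["scope"]:
        return 403, {
            "error": "insufficient_scope",
            "error_description": "Access token does not have the openid scope",
        }
    return 200, {"sub": "constructed-subject-id"}


if __name__ == "__main__":
    # Correct flow: openid requested, unknown scope ignored, userinfo succeeds.
    url = build_authorization_url(
        "https://localhost:9443/oauth2/authorize",      # assumed endpoint
        "constructed-client-id",
        "https://localhost:8080/travelocity.com/home",  # constructed redirect
        ["openid", "profile", "not_a_real_scope"],
        "constructed-state",
    )
    print(url)
    print(userinfo(issue_token(parse_requested_scopes(url))))
    # Failure mode from the question: the request never asked for openid.
    bad = "https://localhost:9443/oauth2/authorize?response_type=code&scope=profile"
    print(userinfo(issue_token(parse_requested_scopes(bad))))
```

Run it as a script to see both outcomes; the second call reproduces the `insufficient_scope` body from the question, which is the symptom of a request that omitted `openid` rather than a problem with the token endpoint.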

For those who tried to put scope in a request param and it does not work, put it in the request body of the POST /token request

curl --location --request POST 'http://keycloak.local.webapp/realms/WordSpreads/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=word-spreads-web' \
--data-urlencode 'username=bob' \
--data-urlencode 'password=king' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=openid'

I think the change happened in keycloak-1902-released

Tran Tai

By default the travelocity.com sso sample web app doesn't send the openid scope in its access token request. That is the cause of the error you have encountered.

In order to send the openid scope along with the access token request in the travelocity sample you can try the following:

  1. Open travelocity.properties[1] file in the sample web app (You can find it in travelocity.com/WEB-INF/classe)
  2. Uncomment and edit the QueryParams property in the file[1] as shown below

    QueryParams=scope=openid

  3. Save the properties file and redeploy the web app and try the access token generated on the userinfo endpoint now :)

[1] https://github.com/wso2/product-is/blob/master/modules/samples/sso/sso-agent-sample/src/main/resources/travelocity.properties


Update

Looks like setting the scope in QueryParams isn't working. There's a workaround.

Can you change OAuth2.TokenURL in travelocity.properties as below and try it out? I tested this locally and it should work.

#OAuth2 token endpoint URL
OAuth2.TokenURL=https://localhost:9443/oauth2/token?scope=openid
farasath

  • thanks for responding, I changed my travelocity.property as you told but I am still getting the same error. and can you please tell me is there any other way to access userinfo from a bearer access token. – deen May 21 '16 at 10:55
  • did you change it in the web app or did you change it in the source and then built the webapp? – farasath May 21 '16 at 11:18
  • I have changed it in the source code and then deployed it. – deen May 21 '16 at 11:25
  • still getting the same error, and I think OAuth2.TokenURL is not used anywhere in the code. – deen May 21 '16 at 13:03
  • it is used internally by the sso agent responsible for sending the token request. BTW which version of IS are you trying out? – farasath May 21 '16 at 13:46
  • As per [Takahiko Kawasaki's answer](https://stackoverflow.com/a/37359818/399105), `?scope=openid` needs to be added to the authorize URL, not the token URL. – bmaupin Oct 17 '18 at 15:39