Brokering an OAuth 2.0 identity

Hi there,

I am trying to add Amazon Login as an Identity Provider in my Keycloak application deployed on AWS. Login with Amazon (LWA) is an OAuth 2.0 IdP.
I tried setting it up as an OIDC IdP. However, LWA throws an error calling out “openid” as an invalid scope. Is there any way to add a custom OAuth 2.0 IdP?

Thanks!

Can you post your full config? You can customize the scopes that get sent in the Advanced section of the IdP setup.

Looks like the supported scopes are:

REQUIRED. The scope of the request. Must be profile, profile:user_id, postal_code, or some combination, separated by spaces (e.g. profile%20postal_code). For more information, see Customer Profile.

So I’ve chosen “OpenID Connect v1” in the Add Provider dropdown in Identity Providers tab. Filled in the following details:

Authorization URL: https://www.amazon.com/ap/oa
Token URL: https://api.amazon.com/auth/o2/token
Client Authentication: Client secret sent as post
Client ID: <client_id>
Client Secret: <client_secret>
Default Scopes: profile

Even after setting the default scope as “profile”, I still see the login request sent with the scope param as “openid+profile”. I can’t seem to find the “Advanced” section in the Admin console. Could you please let me know where that is? Thanks!

Scroll down and there is an Advanced link to open an additional section.

After configuring the scope here as “profile”, I see that the scope in the auth request is still set to “openid+profile”. I would like it to be set to only “profile”. Is there any way to configure this?

Looks like the code adds openid by default. I don’t know a way to remove it.

Seems like a reasonable request. I recommend you file an issue for this; include a link here as Login with Amazon should be a motivating example.

The Keycloak IdP configuration is about OIDC, Amazon is an OAuth 2 IdP…
Although the former is based on the latter, it’s two different things.
For doing OIDC, the scope openid is required; without, it’s just plain OAuth2. And, to repeat myself, Keycloak is doing OIDC here, not OAuth2. :man_shrugging:

Agreed. However, I believe having a generic IdP configuration for OAuth 2.0 would be better. Looks like Keycloak already supports OAuth 2.0, but not a generic page to configure the provider. The configurations are specific to individual social providers.

Currently, I’ve resolved this by implementing Keycloak’s SocialIdentityProvider interface and placed it as a Java JAR in ${keycloak.home.dir}/providers.

https://www.keycloak.org/docs/latest/server_development/#_providers
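For readers who want to follow the same route, here is an added example of such a provider, written for this page and not the poster's own JAR. It subclasses Keycloak's AbstractOAuth2IdentityProvider (which, unlike the OIDC provider, does not prepend openid to the scope), registers it through the SocialIdentityProviderFactory service file the linked docs describe, and pre-fills the two endpoints quoted earlier in the thread. Assumptions are labelled in the code: the package name, the Login with Amazon profile endpoint (https://api.amazon.com/user/profile) and tokeninfo endpoint (https://api.amazon.com/auth/o2/tokeninfo) with its aud field, and the single-argument BrokeredIdentityContext constructor, which matches the Keycloak releases of the time this thread was written (newer releases also take the IdentityProviderModel).

```java
// File: src/main/java/example/lwa/LoginWithAmazonIdentityProvider.java   (package name is an assumption)
package example.lwa;

import com.fasterxml.jackson.databind.JsonNode;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.KeycloakSession;

public class LoginWithAmazonIdentityProvider
        extends AbstractOAuth2IdentityProvider<OAuth2IdentityProviderConfig>
        implements SocialIdentityProvider<OAuth2IdentityProviderConfig> {

    // Authorize and token endpoints as configured in the thread.
    public static final String AUTH_URL = "https://www.amazon.com/ap/oa";
    public static final String TOKEN_URL = "https://api.amazon.com/auth/o2/token";
    // Profile and tokeninfo endpoints: assumed from the LWA documentation, not from the thread.
    public static final String PROFILE_URL = "https://api.amazon.com/user/profile";
    public static final String TOKENINFO_URL = "https://api.amazon.com/auth/o2/tokeninfo";
    // Plain OAuth 2.0 scope; nothing prepends "openid" on this code path.
    public static final String DEFAULT_SCOPE = "profile";

    public LoginWithAmazonIdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
        super(session, config);
        config.setAuthorizationUrl(AUTH_URL);
        config.setTokenUrl(TOKEN_URL);
        config.setUserInfoUrl(PROFILE_URL);
    }

    @Override
    protected String getDefaultScopes() {
        return DEFAULT_SCOPE;
    }

    @Override
    protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, JsonNode profile) {
        // LWA's profile JSON carries user_id, name and email (field names assumed from LWA docs).
        BrokeredIdentityContext user = new BrokeredIdentityContext(getJsonProperty(profile, "user_id"));
        user.setUsername(getJsonProperty(profile, "email"));
        user.setEmail(getJsonProperty(profile, "email"));
        user.setName(getJsonProperty(profile, "name"));
        user.setIdpConfig(getConfig());
        user.setIdp(this);
        // Keep the raw profile so attribute mappers configured in the admin console can read it.
        AbstractJsonUserAttributeMapper.storeUserProfileForMapper(user, profile, getConfig().getAlias());
        return user;
    }

    @Override
    protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
        try {
            // Plain OAuth 2.0 gives no ID token to bind the token to our client, so check the
            // token's audience before trusting the profile it unlocks (tokeninfo "aud" is assumed
            // to be the client_id the token was issued to). This blocks a token obtained for some
            // other LWA app from being replayed against this broker.
            JsonNode info = SimpleHttp.doGet(TOKENINFO_URL, session)
                    .param("access_token", accessToken)
                    .asJson();
            String aud = getJsonProperty(info, "aud");
            if (aud == null || !aud.equals(getConfig().getClientId())) {
                throw new IdentityBrokerException("LWA access token was not issued to this client");
            }
            JsonNode profile = SimpleHttp.doGet(PROFILE_URL, session)
                    .header("Authorization", "Bearer " + accessToken)
                    .asJson();
            return extractIdentityFromProfile(null, profile);
        } catch (IdentityBrokerException e) {
            throw e;
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not obtain user profile from Login with Amazon.", e);
        }
    }
}

// File: src/main/java/example/lwa/LoginWithAmazonIdentityProviderFactory.java
package example.lwa;

import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;

public class LoginWithAmazonIdentityProviderFactory
        extends AbstractIdentityProviderFactory<LoginWithAmazonIdentityProvider>
        implements SocialIdentityProviderFactory<LoginWithAmazonIdentityProvider> {

    public static final String PROVIDER_ID = "amazon";   // shows up in the Add Provider dropdown

    @Override public String getName() { return "Login with Amazon"; }
    @Override public String getId() { return PROVIDER_ID; }

    @Override
    public LoginWithAmazonIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
        return new LoginWithAmazonIdentityProvider(session, new OAuth2IdentityProviderConfig(model));
    }

    @Override
    public OAuth2IdentityProviderConfig createConfig() { return new OAuth2IdentityProviderConfig(); }
}

// File: src/main/resources/META-INF/services/org.keycloak.broker.social.SocialIdentityProviderFactory
//   example.lwa.LoginWithAmazonIdentityProviderFactory
```

Package the two classes and the META-INF/services file into one JAR, drop it in ${keycloak.home.dir}/providers as described above, and the provider appears under Add Provider with only the client ID and secret left to fill in. The tokeninfo audience check is the part worth keeping even if you rename everything else: with plain OAuth 2.0 there is no ID token, so the broker has to verify for itself that the access token it was handed belongs to its own client.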