My authorization request includes these scopes: openid profile email. However, an id_token is not returned when I send a request to the token_endpoint on Keycloak 18:
I’m redirecting the user to the authorization URL (authorization_endpoint) with ?scope=openid profile email. So I am, in fact, including openid as a scope in my initial auth request.
The JSON response posted above is the result of calling the token_endpoint endpoint (/token) after the user has logged in. I’m expecting an id_token key present in the JSON response.
Thanks @zak, it turns out the library that I was using was doing scopes= instead of scope=. It has a comment:
```python
if self.provider == PROVIDER_KEYCLOAK:
    # for some reason Keycloak does not accept multiple
    # values for the `scope` GET arg. Instead we'll
    # use `scopes`. confused.jpg
    url += f"&scopes={scopes}"
```
Which is (perhaps) a hack for an older version of Keycloak. So, I changed it to scope= and now it works.
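An added example, not part of the original posts and not the library's own code: a sketch that builds the authorization request with a single, percent-encoded, space-delimited `scope` parameter, plus a check that flags the `scopes` mistake described above. The function names, the endpoint host, realm, client ID and redirect URI are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Constructed sample endpoint (hypothetical host and realm).
AUTH_ENDPOINT = "https://sso.example.test/realms/demo/protocol/openid-connect/auth"


def build_authorization_url(endpoint, client_id, redirect_uri, scopes, state):
    """Build an authorization request with one space-delimited `scope` value."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # a single parameter, values joined by spaces
        "state": state,
    }
    # urlencode percent-encodes the spaces; raw string concatenation does not.
    return f"{endpoint}?{urlencode(params, quote_via=quote)}"


def audit_authorization_url(url):
    """Return the problems that would keep an id_token out of the token response."""
    query = parse_qs(urlsplit(url).query)
    problems = []
    if "scopes" in query:
        # Servers ignore parameters they do not recognise, so the request
        # silently proceeds without any requested scope.
        problems.append("unknown parameter 'scopes'; the OAuth 2.0 name is 'scope'")
    values = query.get("scope", [])
    if not values:
        problems.append("no 'scope' parameter")
    elif len(values) > 1:
        problems.append("'scope' repeated; send one space-delimited value")
    elif "openid" not in values[0].split():
        problems.append("'openid' missing from scope, so no id_token is issued")
    return problems


if __name__ == "__main__":
    good = build_authorization_url(
        AUTH_ENDPOINT, "demo-app", "https://app.example.test/cb",
        ["openid", "profile", "email"], "constructed-state",
    )
    bad = AUTH_ENDPOINT + "?response_type=code&client_id=demo-app&scopes=openid%20profile%20email"
    for label, url in (("good", good), ("bad", bad)):
        print(label, audit_authorization_url(url) or "ok")
```

Running the audit on the URL a client actually sends is a quick way to confirm `openid` reaches the server before debugging the token endpoint.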