How to get the id_token

My authorization request includes these scopes: openid profile email. However, an id_token is not returned when I send a request to the token_endpoint on Keycloak 18:

{
 "access_token": "eyJhbGciOi...",
 "expires_in": 60,
 "not-before-policy": 1661705664,
 "refresh_expires_in": 1800,
 "refresh_token": "eyJhb...",
 "scope": "profile email",
 "session_state": "28951d41-d744-4613-a0eb-f4cefd4fbfcc",
 "token_type": "Bearer"
}

I believe previous versions of Keycloak included this id_token when openid was provided as a scope, but I could be wrong.

How do I get an id_token? I need it for logouts (id_token_hint).

Add openid here as well.

I’m redirecting the user to the authorization URL (authorization_endpoint) with ?scope=openid profile email. So I am, in fact, including openid as a scope in my initial auth request.

The JSON response posted above is the result of calling the token_endpoint endpoint (/token) after the user has logged in. I’m expecting an id_token key present in the JSON response.

Just wild guesses:

  • It could be that your token request (the second request, the one that contains the code) does not contain the scopes, as mentioned by @bpedersen2
  • It could be that you are not escaping the query parameter properly (it should be ?scope=openid+profile+email)

Thanks @zak, turns out the library that I was using was doing scopes= instead of scope=; it has a comment:

if self.provider == PROVIDER_KEYCLOAK:
    # for some reason Keycloak does not accept multiple
    # values for the `scope` GET arg. Instead we'll
    # use `scopes`. confused.jpg
    url += f"&scopes={scopes}"

Which is (perhaps) a hack for an older version of Keycloak. So, I changed it to scope= and now it works.
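The two pitfalls raised in this thread (a misnamed `scopes=` parameter and an unescaped space-separated scope list) are both easy to catch on the client before the redirect happens, and the missing `id_token` can be detected before a logout is attempted. The following is an added example, not code from the thread, from the library the poster used, or from Keycloak; the endpoint URL, client id, redirect URI and state are constructed placeholders, and the sample token response is the one quoted in the question.

```python
"""Added example: build the OIDC authorization request with a single,
correctly encoded `scope` parameter, verify what was actually sent, and
check the token response for the id_token needed as id_token_hint."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder; in practice read authorization_endpoint from the
# realm's .well-known/openid-configuration document.
AUTHORIZATION_ENDPOINT = (
    "https://keycloak.example.invalid/realms/demo/protocol/openid-connect/auth"
)
REQUESTED_SCOPES = ["openid", "profile", "email"]

# Token response quoted in the question: note that there is no id_token and
# the echoed "scope" claim lacks openid, which points at the request side.
SAMPLE_RESPONSE_FROM_QUESTION = {
    "access_token": "eyJhbGciOi...",
    "expires_in": 60,
    "not-before-policy": 1661705664,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhb...",
    "scope": "profile email",
    "session_state": "28951d41-d744-4613-a0eb-f4cefd4fbfcc",
    "token_type": "Bearer",
}


def build_authorization_url(client_id: str, redirect_uri: str, state: str,
                            scopes=REQUESTED_SCOPES) -> str:
    """Return the authorization URL with one `scope` parameter.

    OIDC expects a single space-separated list; urlencode() percent-encodes
    it as `openid+profile+email`, which is what the answer in the thread
    recommends. The parameter name is `scope`, not `scopes`.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # CSRF protection for the callback
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def requested_scopes(url: str) -> list[str]:
    """Parse the scopes a URL actually carries, so a misnamed parameter
    (like the `scopes=` hack in the thread) fails here rather than silently
    producing a token response without id_token."""
    query = parse_qs(urlsplit(url).query)
    if "scope" not in query:
        raise ValueError("authorization request has no `scope` parameter")
    return query["scope"][0].split()


def id_token_for_logout(token_response: dict) -> str:
    """Return the id_token to pass as id_token_hint on logout.

    Raises ValueError with a diagnostic when the provider issued none; the
    granted-scope claim is included because its lack of `openid` is the
    usual tell that the request was malformed.
    """
    id_token = token_response.get("id_token")
    if not id_token:
        granted = token_response.get("scope", "")
        raise ValueError(
            "no id_token in token response; granted scope was "
            f"'{granted}' (openid {'present' if 'openid' in granted.split() else 'absent'})"
        )
    return id_token


if __name__ == "__main__":
    url = build_authorization_url("demo-client", "https://app.example.invalid/cb", "abc123")
    print(url)
    print(requested_scopes(url))
    try:
        id_token_for_logout(SAMPLE_RESPONSE_FROM_QUESTION)
    except ValueError as exc:
        print("logout would fail:", exc)
```

Running `requested_scopes()` on the URL your library builds is a quick way to confirm the fix: the `scopes=` variant raises before any redirect, and the corrected `scope=` variant returns the three requested scopes.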