Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
identity-brokering
Describe the bug
Today I tried to set up "Login by Amazon" using the OpenID Connect v1.0 provider, but it didn't work, as Amazon responds "An unknown scope was requested".
Actually I compiled the configuration by inserting "Scopes = profile", which is an admissible value, but Keycloak sends the value "openid+profile".
In the field tip I read "The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to 'openid'."
I guess I can call it a bug, as I should have the option to not send Amazon the value openid.
Does anyone know where the code to fix this is located?
Version
26.0.4
Regression
- The issue is a regression
Expected behavior
Keycloak should send to the authentication provider only the value (or values) that I enter in the "Scopes" configuration field (e.g. profile).
Actual behavior
Today Keycloak also concatenates the openid value (e.g. openid+profile).
How to Reproduce?
Set up a new OpenID identity provider and try to authenticate.
Anything else?
No response
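To confirm what the broker actually sends, the `scope` parameter of a captured authorization redirect can be decoded and compared with the configured "Scopes" value. This is an added example, not part of the issue report or of Keycloak's code; the URL, hostnames and client id below are constructed, and `scope_diff` is a hypothetical helper name.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of an authorization redirect, as it could be copied from
# the browser's network tab. Hostnames and client_id are placeholders.
CAPTURED_URL = (
    "https://idp.example/authorize"
    "?response_type=code"
    "&client_id=constructed-client"
    "&scope=openid+profile"
    "&redirect_uri=https%3A%2F%2Fkeycloak.example%2Fcallback"
    "&state=constructed-state"
)


def scope_diff(auth_url, configured_scopes):
    """Compare the scopes in an authorization request with the configured ones.

    configured_scopes is the space-separated string entered in the provider's
    "Scopes" field. Returns the scopes sent, the ones sent but not configured,
    and the ones configured but not sent.
    """
    query = parse_qs(urlsplit(auth_url).query)
    values = query.get("scope", [])
    if len(values) != 1:
        raise ValueError("expected exactly one scope parameter, got %d" % len(values))
    # parse_qs decodes both '+' and '%20' to a space, so "openid+profile" in
    # the URL is the scope list "openid profile" on the wire.
    sent = values[0].split()
    configured = configured_scopes.split()
    return {
        "sent": sent,
        "unexpected": [s for s in sent if s not in configured],
        "missing": [s for s in configured if s not in sent],
    }


if __name__ == "__main__":
    print(scope_diff(CAPTURED_URL, "profile"))
```
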