@cgeorgilakis
Contributor

closes #10388

@cgeorgilakis
Contributor Author

I have updated to the latest main.
Could you review it, so that a scope can be hidden from scopes_supported in the discovery endpoint?

@ahus1
Contributor

ahus1 commented Jun 19, 2024

The linting in the admin UI complains, please check the logs. I'm switching this PR to "draft" in the meantime. Please switch it back to "ready-for-review" when you want to have it reviewed again.

Unfortunately the Admin UI tests are currently unstable, see #30492 - if those tests fail again, it might be worth waiting for that issue to be closed first and then rebase, or asking a maintainer to re-run the tests.

@ahus1 ahus1 marked this pull request as draft June 19, 2024 12:55
@cgeorgilakis cgeorgilakis force-pushed the RCIAM-859-hideFromOpenIDProviderMetadata branch from b5922c3 to 840ef55 Compare June 20, 2024 06:18
@dalbani
Contributor

dalbani commented Jun 25, 2025

@cgeorgilakis: would you mind refreshing your PR, should you have the time to do so? If not, I'm willing to have a try, so that we can hopefully have this feature added to Keycloak.
Thanks!

@cgeorgilakis
Contributor Author

> @cgeorgilakis: would you mind refreshing your PR, should you have the time to do so? If not, I'm willing to have a try, so that we can hopefully have this feature added to Keycloak. Thanks!

Unfortunately not in this period. Feel free to rebase it and proceed with the PR.

@cgeorgilakis cgeorgilakis force-pushed the RCIAM-859-hideFromOpenIDProviderMetadata branch 2 times, most recently from d1c2971 to 0002987 Compare October 23, 2025 06:51
@keycloak-github-bot keycloak-github-bot bot left a comment

Unreported flaky test detected, please review

@keycloak-github-bot

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest

Keycloak CI - Base IT (5)

org.keycloak.testsuite.runonserver.RunOnServerException: java.lang.NullPointerException
	at org.keycloak.testsuite.client.KeycloakTestingClient$Server.fetchString(KeycloakTestingClient.java:185)
	at org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest.updateLDAPUsernameTest(LDAPProvidersIntegrationTest.java:1656)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
...


@cgeorgilakis cgeorgilakis force-pushed the RCIAM-859-hideFromOpenIDProviderMetadata branch 2 times, most recently from 0b59579 to 307bd7e Compare October 24, 2025 06:38
@cgeorgilakis cgeorgilakis marked this pull request as ready for review October 24, 2025 06:40
@cgeorgilakis
Contributor Author

> The linting in the admin UI complains, please check the logs. I'm switching this PR to "draft" in the meantime. Please switch it back to "ready-for-review" when you want to have it reviewed again.
>
> Unfortunately the Admin UI tests are currently unstable, see #30492 - if those tests fail again, it might be worth waiting for that issue to be closed first and then rebase, or asking a maintainer to re-run the tests.

@ahus1 @dalbani I have rebased my PR, making all needed changes. It is ready for review.

@ahus1 ahus1 left a comment

Thank you for the updated PR. See below for two changes I ask for before this PR can be merged.

Comment on lines 193 to 200
<DefaultSwitchControl
name={convertAttributeNameToForm<ClientScopeDefaultOptionalType>(
"attributes.hide.from.openid.provider.metadata",
)}
label={t("hideFromOpenIdProviderMetadata")}
labelIcon={t("hideFromOpenIdProviderMetadataHelp")}
stringify
/>
Contributor

I see that this is also visible for SAML scopes. IMHO this should only be visible for OIDC scopes given its name. If there is to be an equivalent setting for SAML, it should be renamed to something generic.

Contributor Author

I check if it is not SAML. As I understand it, there are also OID4VC_PROTOCOL scopes now.

Comment on lines 3608 to 3609
hideFromOpenIdProviderMetadata=Hide from OpenID Provider Metadata
hideFromOpenIdProviderMetadataHelp=If on, this client scope will be hidden from OpenID Provider Metadata.
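
Review bot: The help text in hideFromOpenIdProviderMetadataHelp only repeats the label and does not say which part of the OpenID Provider Metadata is affected. The request behind this PR is about scopes_supported in the discovery endpoint, so the text should name that field, for example "If on, this client scope is not listed in scopes_supported of the OpenID Provider Metadata (discovery endpoint)."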
Contributor

There is an existing option in the same dialog with the "Include in token scope", and this new option is inverting it by stating "Hide from..."

Please rework this new option to also be named "Include in ...". When doing this, this needs to be inverted to be true by default both in the back end and in the front end.

Contributor Author

The main problem with this logic is the migration process from older versions.
As I understand it, this will need a migration method that sets include.in.openid.provider.metadata to true for all scopes.
Do we want it? That's why I named it hide.from.openid.provider.metadata.

Contributor

@cgeorgilakis - thank you for reaching out. I agree a migration method would not be ideal. Instead of a migration, I would suggest having a default of "true" both in the backend and the frontend. WDYT?
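
The default-true reading suggested in this thread, as an added example that is not code from the PR or from Keycloak: it shows why scopes created before the upgrade stay listed without a migration, and what a default of false would do instead. The `ClientScope` shape, the function names, the protocol ids and the restriction to `openid-connect` scopes are assumptions; the attribute name is the one quoted in the thread.

```typescript
// Added example, not Keycloak code: the ClientScope shape and the protocol
// ids are assumptions; the attribute name comes from the review thread.
interface ClientScope {
  name: string;
  protocol: string; // assumed ids: "openid-connect", "saml"
  attributes?: Record<string, string>;
}

const INCLUDE_ATTR = "include.in.openid.provider.metadata";

// Scopes stored before the attribute existed carry no value for it, so an
// absent or empty value must fall back to the default, not to "false".
function boolAttribute(scope: ClientScope, key: string, dflt: boolean): boolean {
  const raw = scope.attributes?.[key];
  if (raw === undefined || raw.trim() === "") return dflt;
  return raw.trim().toLowerCase() === "true";
}

// Builds the scope list for the metadata document with a chosen default.
function listScopes(scopes: ClientScope[], dflt: boolean): string[] {
  return scopes
    .filter((s) => s.protocol === "openid-connect")
    .filter((s) => boolAttribute(s, INCLUDE_ATTR, dflt))
    .map((s) => s.name);
}

// Default true: only an explicit "false" removes a scope, no migration needed.
function scopesSupported(scopes: ClientScope[]): string[] {
  return listScopes(scopes, true);
}

// Default false: every scope created before the upgrade disappears from the
// metadata until a migration writes "true" onto it.
function scopesSupportedWithoutDefault(scopes: ClientScope[]): string[] {
  return listScopes(scopes, false);
}

// Constructed sample: two pre-upgrade scopes, one hidden, one explicit, one SAML.
const sampleScopes: ClientScope[] = [
  { name: "profile", protocol: "openid-connect" },
  { name: "email", protocol: "openid-connect", attributes: {} },
  { name: "internal-audit", protocol: "openid-connect", attributes: { [INCLUDE_ATTR]: "false" } },
  { name: "groups", protocol: "openid-connect", attributes: { [INCLUDE_ATTR]: "true" } },
  { name: "role_list", protocol: "saml" },
];

console.log(scopesSupported(sampleScopes));
console.log(scopesSupportedWithoutDefault(sampleScopes));
```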

@ahus1 ahus1 self-assigned this Nov 1, 2025
@cgeorgilakis cgeorgilakis force-pushed the RCIAM-859-hideFromOpenIDProviderMetadata branch from ff5e779 to 7d0a2c6 Compare November 3, 2025 09:26
@cgeorgilakis cgeorgilakis force-pushed the RCIAM-859-hideFromOpenIDProviderMetadata branch from 7d0a2c6 to f6f3f66 Compare November 3, 2025 10:56
@cgeorgilakis
Contributor Author

@ahus1 I have made the requested changes.
The failed test is not the PR's fault; it is due to "Could not resolve dependencies for project org.keycloak:keycloak-quarkus-integration-tests:jar:999.0.0-SNAPSHOT".

@cgeorgilakis cgeorgilakis requested a review from ahus1 November 3, 2025 13:02
Signed-off-by: Alexander Schwartz <[email protected]>
@ahus1
Contributor

ahus1 commented Nov 3, 2025

@cgeorgilakis - thank you, looks great. Some small changes here: eosc-kc#1028

As I wasn't allowed to push the changes directly (no permission), I created a PR on top of this PR.

Please merge my PR, and then this PR is ready to be merged.

Best,
Alexander

@ahus1 ahus1 enabled auto-merge (squash) November 3, 2025 15:27
@ahus1 ahus1 merged commit 1c0d461 into keycloak:main Nov 3, 2025
80 checks passed
Development

Successfully merging this pull request may close these issues.

Allow to hide client scopes from scopes_supported in discovery endpoint