From 9d1b9313402d2e093d6d80ee957b2b9dd09efaa4 Mon Sep 17 00:00:00 2001
From: Aaron Dewes
Date: Tue, 10 Dec 2024 19:15:50 +0100
Subject: [PATCH 1/2] fix: Add openid scope by default for Keycloak
Since Keycloak 22, this is required for the userinfo endpoint to work.
---
 internal/api/provider/keycloak.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/internal/api/provider/keycloak.go b/internal/api/provider/keycloak.go
index 39ccec5bff..147fd95095 100644
--- a/internal/api/provider/keycloak.go
+++ b/internal/api/provider/keycloak.go
@@ -31,6 +31,7 @@ func NewKeycloakProvider(ext conf.OAuthProviderConfiguration, scopes string) (OA
 oauthScopes := []string{
 "profile",
 "email",
+ "openid",
 }
 if scopes != "" {
From f7c0aa9fd4577f16b1bcf3fb2372d545d09c09de Mon Sep 17 00:00:00 2001
From: Aaron Dewes
Date: Thu, 12 Dec 2024 16:26:15 +0100
Subject: [PATCH 2/2] Fix: Add openid scope to test
---
 internal/api/external_keycloak_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/api/external_keycloak_test.go b/internal/api/external_keycloak_test.go
index a0952eaace..b2d3ba2cd8 100644
--- a/internal/api/external_keycloak_test.go
+++ b/internal/api/external_keycloak_test.go
@@ -25,7 +25,7 @@ func (ts *ExternalTestSuite) TestSignupExternalKeycloak() {
 ts.Equal(ts.Config.External.Keycloak.RedirectURI, q.Get("redirect_uri"))
 ts.Equal(ts.Config.External.Keycloak.ClientID, []string{q.Get("client_id")})
 ts.Equal("code", q.Get("response_type"))
- ts.Equal("profile email", q.Get("scope"))
+ ts.Equal("profile email openid", q.Get("scope"))
 claims := ExternalProviderClaims{}
 p := jwt.NewParser(jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Name}))
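Review bot: With `"openid"` now in the default `oauthScopes` of NewKeycloakProvider, a deployment that already lists `openid` in its configured scopes would presumably send it twice. This is inferred, because the code under `if scopes != "" {` lies outside the hunk. If that branch appends the configured values unchanged, it should skip entries already in the defaults, and TestSignupExternalKeycloak (second hunk) should gain a case with a configured `openid` next to the updated `"profile email openid"` assertion. The reason for the scope is only in the commit message, so the new line deserves a comment such as `"openid", // required since Keycloak 22 for the userinfo endpoint`. Requesting `openid` also makes the token response carry an ID token, so it is worth confirming that identity claims still come only from the userinfo call or a validated token.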