Brokering an OAuth 2.0 identity

Getting advice
,
1

Hi there,

I am trying to add Amazon Login as an Identity Provider in my Keycloak application deployed on AWS. Login with Amazon (LWA) is an OAuth 2.0 IdP.
I tried setting it up as an OIDC IdP. However, LWA throws an error calling out “openid” as an invalid scope. Is there any way to add a custom OAuth 2.0 IdP?

Thanks!

2

Can you post your full config? You can customize the scopes that get sent in the Advanced section of the IdP setup.

3

Looks like the supported scopes are:

REQUIRED. The scope of the request. Must be profile, profile:user_id, postal_code, or some combination, separated by spaces (e.g. profile%20postal_code). For more information, see Customer Profile.

4

So I’ve chosen “OpenID Connect v1” in the Add Provider dropdown in Identity Providers tab. Filled in the following details:

Authorization URL: https://www.amazon.com/ap/oa
Token URL: https://api.amazon.com/auth/o2/token
Client Authentication: Client secret sent as post
Client ID: <client_id>
Client Secret: <client_secret>
Default Scopes: profile

Even after setting the default scope as “profile”, I still see the login request sent with the scope param as “openid+profile”. I don’t seem to find the “Advanced” section on the Admin console. Could you please let me know where that is? Thanks!

5

Scroll down and there is an Advanced link to open an additional section.

image
image2549×1336 144 KB

6

After configuring the scope here as “profile”, I see that the scope in the auth request is still set to “openid+profile”. I would like it to be set to only “profile”. Is there any way to configure this?

7

Looks like the code adds openid by default. I don’t know a way to remove it.

8

Seems like a reasonable request. I recommend you file an issue for this; include a link here as Login with Amazon should be a motivating example.

9

The Keycloak IdP configuration is about OIDC, Amazon is an OAuth 2 IdP…
Although the former is based on the latter, it’s two different things.
For doing OIDC, the scope openid is required; without, it’s just plain OAuth2. And, to repeat myself, Keycloak is doing OIDC here, not OAuth2. :man_shrugging:

10

Agreed. However, I believe having a generic IdP configuration for OAuth 2.0 would be better. Looks like Keycloak already supports OAuth 2.0, but not a generic page to configure the provider. The configurations are specific to individual social providers.

Currently, I’ve resolved this by implementing Keycloak’s SocialIdentityProvider interface and placed it as a Java JAR in ${keycloak.home.dir}/providers.

https://www.keycloak.org/docs/latest/server_development/#_providers