keycloak/keycloak

Realm import skips protocol mappers for static client scopes containing `:`

Closed

#48563 created on April 28, 2026

Labels: batch import, area/oidc, help wanted, kind/bug, priority/low, status/auto-bump, team/core-protocols

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

When importing a realm JSON that defines a client scope with : in the name, protocol mappers under that client scope can be silently missing or not applied after import.

This looks related to the dynamic-scope issues fixed in #42142 and #42877. Those fixes appear to cover authorization/token request evaluation, but this report is specifically about realm import behavior.

In my case, I defined a client scope named mcp:tools with an oidc-audience-mapper under it. The realm imported without a clear error, and the scope itself existed, but the audience mapper was not applied, so access tokens requested with that scope did not include the expected aud claim.

Renaming the scope from mcp:tools to mcp.tools made the same mapper import and apply correctly.

Note: mcp:tools is intended to be a static OAuth scope name, not a dynamic/parameterized scope.

Version

26.6.1

Regression

  • The issue is a regression

Expected behavior

Static client scopes containing : should be imported and evaluated as normal static scopes when the dynamic-scopes feature is not enabled/configured.

A client scope named mcp:tools should import all protocol mappers defined under it, the same as a scope named mcp.tools. After import, a token requested with scope=mcp:tools should include claims produced by the imported mapper.

Actual behavior

The realm import completes, and the client scope exists, but the protocol mapper under the mcp:tools scope is missing or not applied.

As a result, the issued access token does not include the expected audience claim.

How to Reproduce?

  1. Create a realm import JSON with a client scope named mcp:tools.
  2. Add that scope to a client as an optional client scope: "optionalClientScopes": ["mcp:tools"]
  3. Add an audience mapper under the mcp:tools client scope:

     {
       "name": "mcp-audience",
       "protocol": "openid-connect",
       "protocolMapper": "oidc-audience-mapper",
       "config": {
         "included.custom.audience": "rocketlawyer.com/mcp",
         "access.token.claim": "true",
         "id.token.claim": "false",
         "introspection.token.claim": "true"
       }
     }

  4. Start Keycloak with --import-realm
  5. Request an access token with scope=openid mcp:tools email
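The two checks a practitioner would run around the reproduction above (lint the realm JSON before import for `:`-named scopes that carry mappers and for dangling scope references, then inspect the aud claim of the issued token) as an added example; this is not code from the issue or from the Keycloak project, and the sample realm, client id and audience value are constructed placeholders.

```python
import base64
import json

# Constructed sample realm export (not taken from the issue), reduced to
# the parts that matter: one static scope with ':' in its name carrying an
# audience mapper, and a client that references it.
SAMPLE_REALM = json.loads("""{
  "realm": "demo",
  "clientScopes": [
    {"name": "mcp:tools", "protocol": "openid-connect",
     "protocolMappers": [{"name": "mcp-audience",
       "protocolMapper": "oidc-audience-mapper",
       "config": {"included.custom.audience": "example.com/mcp",
                  "access.token.claim": "true"}}]},
    {"name": "email", "protocol": "openid-connect"}],
  "clients": [{"clientId": "mcp-client",
     "optionalClientScopes": ["mcp:tools", "email", "missing-scope"]}]
}""")


def lint_realm(realm):
    """Return findings: ':'-scopes that carry mappers (re-check them after
    import), and client scope references that point at no defined scope."""
    findings = []
    scopes = {s["name"]: s for s in realm.get("clientScopes", [])}
    for name, scope in scopes.items():
        mappers = scope.get("protocolMappers", [])
        if ":" in name and mappers:
            findings.append(f"scope '{name}' contains ':' and defines "
                            f"{len(mappers)} mapper(s); verify after import")
    for client in realm.get("clients", []):
        for key in ("defaultClientScopes", "optionalClientScopes"):
            for ref in client.get(key, []):
                if ref not in scopes:
                    findings.append(f"client '{client['clientId']}' {key} "
                                    f"references undefined scope '{ref}'")
    return findings


def token_audiences(access_token):
    """Return the aud claim of a JWT as a list (payload decoded, signature
    NOT verified: this is a post-import smoke check, not token validation)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


if __name__ == "__main__":
    for line in lint_realm(SAMPLE_REALM):
        print("WARN:", line)
```

After importing the realm, request a token with scope=openid mcp:tools email and pass it to token_audiences; the expected custom audience must appear in the returned list, otherwise the mapper was not applied.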

Anything else?

Related: #42142 #42877 #42930 #42966
