Tags: keycloak, openid-connect, graphdb

GraphDB secured with Keycloak scope separator
I'm attempting to secure an instance of GraphDB with Keycloak via OpenID. I've created a realm, a client and some users in Keycloak.

I then configured GraphDB based on the documentation. Now, when I click the "Sign in with OpenID" button on GraphDB's login screen, it keeps returning me to the GraphDB login screen. I noticed an error in Keycloak's log saying:

KC-SERVICES0093: Invalid parameter value for: scope

[org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=kodi, clientId=graphdb, userId=null, ipAddress=127.0.0.1, error=invalid_request, response_type=code, redirect_uri=http://localhost:7200/, response_mode=query

I checked the requests made in browser and it seems the following authentication request is the culprit: http://localhost:8080/auth/realms/kodi/protocol/openid-connect/auth?response_type=code&scope=openid%20%20offline_access&client_id=graphdb&redirect_uri=http://localhost:7200/&&state=530bc478e086b3e6b4474c35b7649c34faf0e0ae1a36f4a36ba3eb2c&code_challenge=W4IA_YvcdXVYJbgApldqdoHePBXZxzToSaPdfgsxTYM&code_challenge_method=S256

I tested it in Postman and the problem seems to be that there are two spaces between the openid and offline_access scope query parameter values. As per the documentation, scopes are supposed to be separated by a space, but apparently the problem is that there are two in the GraphDB request. If I manually remove one of the encoded spaces and rerun the request in Postman, it finishes without errors (resulting in the Keycloak login screen).

I'm not sure whether this is a Keycloak (be able to handle multiple spaces in scope params) or GraphDB (do not use two spaces to separate scope params) issue. Also, I couldn't find any configuration parameters to influence this. Any ideas how to resolve/work around this issue? Thanks

Update: I already have a satisfactory answer from Pavel below, but just for future reference, the versions I tried were:

  • GraphDB 9.5.0
  • Keycloak 12.0.1
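To make the failure concrete, here is an added example (not from the original post, nor GraphDB's or Keycloak's code) that checks the `scope` parameter of an authorization request against the RFC 6749 section 3.3 grammar, where scope tokens are separated by exactly one space. The URL is the one quoted above; the doubled `%20` decodes to an empty scope-token, which is what a strict server rejects. The helper `fix_url` shows the lenient normalisation that a more forgiving provider effectively applies. Function names are my own.

```python
"""Check an OAuth 2.0 / OIDC authorization request's scope parameter.

RFC 6749 section 3.3 defines:
    scope       = scope-token *( SP scope-token )
    scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
so two consecutive spaces produce an empty scope-token, which is invalid.
Added example; not code from GraphDB or Keycloak.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Printable ASCII except SP, DQUOTE and backslash, as allowed by the RFC.
SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")

# The authorization request from the question (copied from the post).
REQUEST_URL = (
    "http://localhost:8080/auth/realms/kodi/protocol/openid-connect/auth"
    "?response_type=code&scope=openid%20%20offline_access&client_id=graphdb"
    "&redirect_uri=http://localhost:7200/&&state="
    "530bc478e086b3e6b4474c35b7649c34faf0e0ae1a36f4a36ba3eb2c"
    "&code_challenge=W4IA_YvcdXVYJbgApldqdoHePBXZxzToSaPdfgsxTYM"
    "&code_challenge_method=S256"
)


def scope_from_url(url):
    """Return the percent-decoded scope value of an authorization request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    scopes = query.get("scope", [])
    if len(scopes) != 1:
        raise ValueError(f"expected exactly one scope parameter, got {len(scopes)}")
    return scopes[0]


def scope_problems(scope):
    """List RFC 6749 grammar violations in a decoded scope value (empty if valid).

    Splitting on a single SP exposes the empty token created by a doubled space.
    """
    problems = []
    for position, token in enumerate(scope.split(" ")):
        if token == "":
            problems.append(
                f"empty scope-token at position {position} "
                "(consecutive, leading or trailing space)"
            )
        elif not SCOPE_TOKEN.match(token):
            problems.append(f"illegal character in scope-token {token!r}")
    return problems


def normalize_scope(scope):
    """Lenient normalisation: drop empty tokens, rejoin with single spaces."""
    return " ".join(token for token in scope.split(" ") if token)


def fix_url(url):
    """Rebuild the request URL with a normalised scope parameter."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["scope"] = [normalize_scope(scope_from_url(url))]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    raw = scope_from_url(REQUEST_URL)
    print(f"scope as sent: {raw!r}")
    for problem in scope_problems(raw):
        print("  -", problem)
    print(f"scope after normalisation: {scope_from_url(fix_url(REQUEST_URL))!r}")
```

Running it on the request from the question reports one empty scope-token at position 1, the gap between `openid` and `offline_access`; the normalised URL passes the check, matching the Postman observation that removing one encoded space makes the request succeed.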

Solution

  • We are aware of the space issue with GraphDB and it will be addressed in a future version. It appears that some OpenID providers are more forgiving with the extra space than others. Unfortunately there is no known workaround at the moment.