Add acr scope to all clients for those migrating from older than Keycloak 18

closes #31107

Signed-off-by: mposolda <mposolda@gmail.com>

model/storage-private/src/main/java/org/keycloak/migration/migrators/MigrateTo18_0_0.java

@@ -22,8 +22,10 @@ import org.jboss.logging.Logger;
 import org.keycloak.common.Profile;
 import org.keycloak.migration.MigrationProvider;
 import org.keycloak.migration.ModelVersion;
+import org.keycloak.models.ClientScopeModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
+import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.representations.idm.RealmRepresentation;
 
 /**
@@ -56,8 +58,14 @@ public class MigrateTo18_0_0 implements Migration {
         if (Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
             MigrationProvider migrationProvider = session.getProvider(MigrationProvider.class);
 
+            ClientScopeModel acrScope = KeycloakModelUtils.getClientScopeByName(realm, "acr");
+            if (acrScope == null) {
                 // create 'acr' default client scope in the realm.
-            migrationProvider.addOIDCAcrClientScope(realm);
+                acrScope = migrationProvider.addOIDCAcrClientScope(realm);
+
+                //add acr scope to all existing OIDC clients
+                session.clients().addClientScopeToAllClients(realm, acrScope, true);
+            }
         }
     }
 }

server-spi-private/src/main/java/org/keycloak/migration/MigrationProvider.java

@@ -76,7 +76,7 @@ public interface MigrationProvider extends Provider {
      * @param realm
      * @return created or already existing client scope 'acr'
      */
-    void addOIDCAcrClientScope(RealmModel realm);
+    ClientScopeModel addOIDCAcrClientScope(RealmModel realm);
 
     /**
      * Add 'basic' client scope or return it if already exists

services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolFactory.java

@@ -393,7 +393,7 @@ public class OIDCLoginProtocolFactory extends AbstractLoginProtocolFactory {
     }
 
 
-    public void addAcrClientScope(RealmModel newRealm) {
+    public ClientScopeModel addAcrClientScope(RealmModel newRealm) {
         if (Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
             ClientScopeModel acrScope = KeycloakModelUtils.getClientScopeByName(newRealm, ACR_SCOPE);
             if (acrScope == null) {
@@ -411,8 +411,10 @@ public class OIDCLoginProtocolFactory extends AbstractLoginProtocolFactory {
             } else {
                 logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", ACR_SCOPE, newRealm.getName());
             }
+            return acrScope;
         } else {
             logger.debugf("Skip creating client scope '%s' in the realm '%s' due the step-up authentication feature is disabled.", ACR_SCOPE, newRealm.getName());
+            return null;
         }
     }
 

services/src/main/java/org/keycloak/services/migration/DefaultMigrationProvider.java

@@ -103,8 +103,8 @@ public class DefaultMigrationProvider implements MigrationProvider {
     }
 
     @Override
-    public void addOIDCAcrClientScope(RealmModel realm) {
+    public ClientScopeModel addOIDCAcrClientScope(RealmModel realm) {
-        getOIDCLoginProtocolFactory().addAcrClientScope(realm);
+        return getOIDCLoginProtocolFactory().addAcrClientScope(realm);
     }
 
     @Override

services/src/main/java/org/keycloak/services/resources/account/AccountCredentialResource.java

@@ -302,6 +302,9 @@ public class AccountCredentialResource {
     @Deprecated
     public void removeCredential(final @PathParam("credentialId") String credentialId) {
         auth.require(AccountRoles.MANAGE_ACCOUNT);
+        logger.warnf("Using deprecated endpoint of Account REST service for removing credential of user '%s' in the realm '%s'. It is recommended to use application initiated actions (AIA) for removing credentials",
+                user.getUsername(),
+                realm.getName());
         CredentialModel credential = CredentialDeleteHelper.removeCredential(session, user, credentialId, this::getCurrentAuthenticatedLevel);
 
         if (credential != null && OTPCredentialModel.TYPE.equals(credential.getType())) {

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java

@@ -441,6 +441,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
 
         assertThat(defaultClientScopes, Matchers.hasItems(
                 OIDCLoginProtocolFactory.BASIC_SCOPE,
+                OIDCLoginProtocolFactory.ACR_SCOPE,
                 OAuth2Constants.SCOPE_PROFILE,
                 OAuth2Constants.SCOPE_EMAIL
         ));

testsuite/integration-arquillian/tests/base/src/test/resources/migration-test/migration-realm-19.0.3.json

@@ -643,7 +643,7 @@
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : true,
     "nodeReRegistrationTimeout" : -1,
-    "defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ],
+    "defaultClientScopes" : [ "acr", "web-origins", "roles", "profile", "email" ],
     "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
   }, {
     "id" : "c11d03ac-b4b0-4581-995c-cc9c2f868b17",

testsuite/integration-arquillian/tests/base/src/test/resources/migration-test/migration-realm-24.0.4.json

@@ -2875,7 +2875,7 @@
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : true,
     "nodeReRegistrationTimeout" : -1,
-    "defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ],
+    "defaultClientScopes" : [ "acr", "web-origins", "roles", "profile", "email" ],
     "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
   }, {
     "id" : "c11d03ac-b4b0-4581-995c-cc9c2f868b17",