From 852593310f8933e5765225001f8b7414efdb097b Mon Sep 17 00:00:00 2001
From: Douglas Palmer <dpalmer@redhat.com>
Date: Tue, 23 Feb 2021 18:00:07 -0800
Subject: [PATCH] [KEYCLOAK-14913] GitLab Identity Provider shouldn't request
 for 'api' scope

---
 .../org/keycloak/social/gitlab/GitLabIdentityProvider.java    | 4 ++--
 .../theme/base/admin/messages/admin-messages_de.properties    | 2 +-
 .../theme/base/admin/messages/admin-messages_en.properties    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/services/src/main/java/org/keycloak/social/gitlab/GitLabIdentityProvider.java b/services/src/main/java/org/keycloak/social/gitlab/GitLabIdentityProvider.java
index b781cd4ea0..e16ef24b80 100755
--- a/services/src/main/java/org/keycloak/social/gitlab/GitLabIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/gitlab/GitLabIdentityProvider.java
@@ -48,7 +48,7 @@ public class GitLabIdentityProvider extends OIDCIdentityProvider  implements Soc
 	public static final String AUTH_URL = "https://gitlab.com/oauth/authorize";
 	public static final String TOKEN_URL = "https://gitlab.com/oauth/token";
 	public static final String USER_INFO = "https://gitlab.com/api/v4/user";
-	public static final String API_SCOPE = "api";
+	public static final String READ_USER_SCOPE = "read_user";
 
 	public GitLabIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
 		super(session, config);
@@ -59,7 +59,7 @@ public class GitLabIdentityProvider extends OIDCIdentityProvider  implements Soc
 		String defaultScope = config.getDefaultScope();
 
 		if (defaultScope.equals(SCOPE_OPENID)) {
-			config.setDefaultScope((API_SCOPE + " " + defaultScope).trim());
+			config.setDefaultScope((READ_USER_SCOPE + " " + defaultScope).trim());
 		}
 	}
 
diff --git a/themes/src/main/resources-community/theme/base/admin/messages/admin-messages_de.properties b/themes/src/main/resources-community/theme/base/admin/messages/admin-messages_de.properties
index 5e72256cec..a5059a5128 100644
--- a/themes/src/main/resources-community/theme/base/admin/messages/admin-messages_de.properties
+++ b/themes/src/main/resources-community/theme/base/admin/messages/admin-messages_de.properties
@@ -648,7 +648,7 @@ key=Key
 #gitlab-application-secret=Application Secret
 #gitlab.application-id.tooltip=Application Id for the application you created in your GitLab Applications account menu
 #gitlab.application-secret.tooltip=Secret for the application that you created in your GitLab Applications account menu
-#gitlab.default-scopes.tooltip=Scopes to ask for on login.  Will always ask for openid.  Additionally adds api if you do not specify anything.
+#gitlab.default-scopes.tooltip=Scopes to ask for on login.  Will always ask for openid.  Additionally adds read_user if you do not specify anything.
 #bitbucket-consumer-key=Consumer Key
 #bitbucket-consumer-secret=Consumer Secret
 #bitbucket.key.tooltip=Bitbucket OAuth Consumer Key
diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
index 0f2bef42ca..9d81b34f37 100644
--- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -752,7 +752,7 @@ gitlab-application-id=Application Id
 gitlab-application-secret=Application Secret
 gitlab.application-id.tooltip=Application Id for the application you created in your GitLab Applications account menu
 gitlab.application-secret.tooltip=Secret for the application that you created in your GitLab Applications account menu
-gitlab.default-scopes.tooltip=Scopes to ask for on login.  Will always ask for openid.  Additionally adds api if you do not specify anything.
+gitlab.default-scopes.tooltip=Scopes to ask for on login.  Will always ask for openid.  Additionally adds read_user if you do not specify anything.
 bitbucket-consumer-key=Consumer Key
 bitbucket-consumer-secret=Consumer Secret
 bitbucket.key.tooltip=Bitbucket OAuth Consumer Key