EDC 0.5.1 - OAuth2 Identity Service extension: scope empty and keycloak gives back error #3923

Closed · idoiamurua opened this issue Feb 27, 2024 · 1 comment · Fixed by #3933
Labels: bug (Something isn't working)


idoiamurua commented Feb 27, 2024

Bug Report

Describe the Bug

We have been using 0.3.1 version of the EDC connector together with the OAuth2 Identity Service extension. We used keycloak as the Identity Server.
Now, we have upgraded the EDC connector to version 0.5.1, and we are having problems when the connector tries to get a token from keycloak. The connector invokes the Keycloak service specified at edc.oauth.token.url configuration parameter (e.g.: /realms/bcssd/protocol/openid-connect/token) posting the following data:

grant_type=client_credentials&scope=&client_assertion=

where scope is empty.
Keycloak server answers with the following error message:

{"error":"invalid_scope","error_description":"Invalid.scopes:."}

Expected Behavior

Maybe if no scope parameter were sent to keycloak when invoking the edc.oauth.token.url service, keycloak would return the token correctly.

Observed Behavior

Keycloak returns the following error:
{"error":"invalid_scope","error_description":"Invalid.scopes:."}

Steps to Reproduce

  1. Configure 2 EDC connectors with OAuth2 Identity Service extension.
  2. Start the 2 EDC connectors.
  3. Invoke any management service that requires sending a message from one connector to the other, e.g.: /management/v2/catalog/request
curl --location 'http://bcssd2.tri.lan:9193/management/v2/catalog/request' \
--header 'X-API-Key;' \
--header 'Content-Type: application/json' \
--data-raw '{
      "@context": {
        "edc": "https://w3id.org/edc/v0.0.1/ns/"
      },
      "providerUrl": "http://bcssd1.tri.lan:9194/protocol",
      "counterPartyAddress": "http://bcssd1.tri.lan:9194/protocol",
      "protocol": "dataspace-protocol-http"
    }'
  4. Check the error returned:
[
    {
        "message": "Unable to obtain credentials: Server response to [POST, http://ekodata2.tri.lan:8080/realms/bcssd/protocol/openid-connect/token] was not one of [200] but was 400: {\"error\":\"invalid_client\",\"error_description\":\"Client authentication with signed JWT failed: Token reuse detected\"}",
        "type": "BadGateway",
        "path": null,
        "invalidValue": null
    }
]

Context Information

  • Used version: EDC v0.5.1
  • OS: Linux
  • Keycloak version: image: quay.io/keycloak/keycloak:22.0.3

Possible Implementation

Remove the scope parameter when invoking edc.oauth.token.url?


Thanks for your contribution 🔥 We will take a look asap 🚀

@idoiamurua idoiamurua changed the title EDC 0..5.1 - OAuth2 Identity Service extension: : scope empty and keycloak gives back error EDC 0.5.1 - OAuth2 Identity Service extension: : scope empty and keycloak gives back error Feb 27, 2024
@idoiamurua idoiamurua changed the title EDC 0.5.1 - OAuth2 Identity Service extension: : scope empty and keycloak gives back error EDC 0.5.1 - OAuth2 Identity Service extension: scope empty and keycloak gives back error Feb 27, 2024
@ndr-brt ndr-brt added bug_report Suspected bugs, awaiting triage triage all new issues awaiting classification labels Feb 27, 2024
@ndr-brt ndr-brt added bug Something isn't working and removed bug_report Suspected bugs, awaiting triage triage all new issues awaiting classification labels Feb 28, 2024