Client Scopes in Access Token are listed in wrong order

nosan · August 2, 2022, 9:41am

Hi,
I have 2 separate installations of Keycloak, using a nearly identical setup. One is for testing, the other for production.
Both have a Client using openid-connect with confidential Access Type, with “Service Accounts Enabled” and “Authorization Enabled”. Both have the “Assigned Default Client Scopes” aaa and bbb.
When I generate an access token for one of them, the response contains "scope":"aaa bbb", while the other gets "scope":"bbb aaa"

curl  \
  -d "client_id=myid" \
  -d "client_secret=mysecret" \
  -d "grant_type=client_credentials" \
  "https://mykc/auth/realms/myrealm/protocol/openid-connect/token"

What could be affecting the order of these Client Scopes? I tried removing one of the scopes and adding it again, and did the same for the second scope - nothing seems to affect their order. The Clients were both created the same way.

nosan · August 3, 2022, 2:49pm

This was a real pain, but what I ended up doing was deleting the bbb Client Scope, removing all Clients that used it, then recreated the bbb scope, and recreated all of the Clients. This changed the order; my hunch is that maybe the Client Scope creation date or it’s UUID somehow affects the order, but it’s only a guess.

Topic		Replies	Views
Default Client Scopes not used with newly created client Configuring the server client-configuration	0	887	October 4, 2022
Custom scopes (and related claims) not being included in access token, when requested later for an api resource Getting advice oidc	4	170	January 7, 2025
Keycloak x 17 issue with authorization and multiple scopes Getting advice oidc	3	1375	October 13, 2022
Returning client roles in realm for single client Getting advice	9	3387	July 18, 2024
Dynamic Client Registration: assigned default vs optional scopes Securing applications oidc	1	2627	January 13, 2022

Client Scopes in Access Token are listed in wrong order

Related topics