Error when getting token using client scopes (works on Keycloak v8/9 but not on v10)

asocha · June 22, 2020, 3:43pm

Hi,
I am working on the issue we have with Ovirt Engine + Keycloak integration. It all works well with Keycloak 8/9 but not with 10.
I am trying to figure out what actually was changed with 10 that affected the area of obtaining token and scope validation in particular.

{"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access.","error":"access_denied"}

Perhaps it is a misconfiguration on our side but, frankly speaking, I have no clue how identify it.
I have all the details put under this Bugzilla ticket

The call is ‘proxied’ via ovirt engine application but eventually hits:
https://keycloak.example.com/auth/realms/master/protocol/openid-connect/token

Any help/ideas greatly appreciated.

dionmcm · July 23, 2020, 1:33am

I’m having similar issues going from 9 to 10.

In my case wherever a scope is requested that Keycloak doesn’t know about it seems that

Keycloak 9 ignores the unknown requested scope
Keycloak 10 rejects the unknown requested scope with an invalid_scope response

Both behaviours seem valid under the spec

Section 3.3 includes the following statement

The authorization server MAY fully or partially ignore the scope
requested by the client, based on the authorization server policy or
the resource owner’s instructions. If the issued access token scope
is different from the one requested by the client, the authorization
server MUST include the “scope” response parameter to inform the
client of the actual scope granted.

And invalid_scope is defined throughout the document as

    invalid_scope
         The requested scope is invalid, unknown, or malformed.

Is there a configuration option out there for 10 to choose whether unknown scopes are rejected as invalid or ignored (as Keycloak 9 did)? That would fit with the “based on the authorization server policy or the resource owner’s instructions” and allow Keycloak users to set that policy.

Similarly, any help much appreciated.

jangaraj · August 14, 2020, 1:56pm

IMHO there is no option to ignore unknown scopes.

Keycloak ticket: https://issues.redhat.com/browse/KEYCLOAK-8071
Commit: https://github.com/keycloak/keycloak/commit/cbab159aa87ca5e3443b3e87fdbf8de40542d1d3

Only proper configuration of requested scope should be valid solution.

akhil6095 · August 16, 2020, 2:41pm

Ideally it should be feature flagged to decide whether to ignore invalid scope or not.

Topic		Replies	Views
Keycloak x 17 issue with authorization and multiple scopes Getting advice oidc	3	1376	October 13, 2022
Using Keycloak with 1EdTech Getting advice	0	22	September 11, 2024
Authenticating odoo with Keycloak openid Securing applications	0	920	June 1, 2020
Custom scopes (and related claims) not being included in access token, when requested later for an api resource Getting advice oidc	4	172	January 7, 2025
Allow Unknown Scopes Getting advice	0	140	November 27, 2023

Error when getting token using client scopes (works on Keycloak v8/9 but not on v10)

Related topics