Hello,
I’m currently testing the new Lightweight Access Token feature in Keycloak version 26.0.8 and have tried configuring a client policy to determine which clients should use the lightweight access token.
Here’s how I proceeded:
-
Configuring the Client Profile “Lightweight-Profile”
In the section Realm Settings → Client Policies → Profiles, I created the profile “lightweight-profile” by clicking on Create client profile. In this profile, I added the executor use-lightweight-access-token by clicking on Add executor. -
Setting up the Client Policy “Lightweight Token Policy”
Still under Realm Settings → Client Policies, I went to the Policies tab and created a new policy by clicking on Create client policy, which I called Lightweight Token Policy.
Then, I chose a condition to identify which clients the policy should apply to. I selected client-scopes and then write “lightweight” in the Expected Scopes and “Optional” for the Scope Type. -
Associating the Client Profile
I associated my lightweight-profile Client Profile with my Client Policy. -
Creating the “lightweight” scope
I created the scope “lightweight” and then added it as optional to my client on the Client tab → my client → Client Scopes → Add client scope → lightweight (set as optional).
Afterward, I wanted to test what I had done. I have two scenarios: one using client_credentials and the other using direct access with grant_type=password. In both cases, it’s the same client (same client_id, same client_secret), and I provide scope=lightweight in the request.
- In the first case, with client_credentials, the token provided is indeed lightweight when the scope lightweight is included and normal if the scope is omitted.
Query :
curl --location 'http://localhost:8080/auth/realms/Lightweight_realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic Og==' \
--data-urlencode 'client_id=Lightweight' \
--data-urlencode 'client_secret=LsDtFEUWrdP3S5hYKLv6nGN6Vopy0XA2' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=lightweight'
Result :
{
"exp": 1738601498,
"iat": 1738601198,
"jti": "04c25ef1-d87f-40e1-a5fe-12abe83e511d",
"iss": "http://localhost:8080/auth/realms/Lightweight_realm",
"sub": "47ee87d0-b680-460e-b144-592a15379949",
"typ": "Bearer",
"azp": "Lightweight",
"scope": "profile email"
}
- In the second case, with direct access, the token is NOT lightweight, whether or not I provide the lightweight scope.
Query :
curl --location 'http://localhost:8080/auth/realms/Lightweight_realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic Og==' \
--data-urlencode 'client_id=Lightweight' \
--data-urlencode 'client_secret=LsDtFEUWrdP3S5hYKLv6nGN6Vopy0XA2' \
--data-urlencode 'username=catheline' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=lightweight' \
--data-urlencode 'password=TEST'
Result :
{
"exp": 1738601422,
"iat": 1738601122,
"jti": "0500273b-2d50-49ea-a7fb-eec81a92a130",
"iss": "http://localhost:8080/auth/realms/Lightweight_realm",
"aud": "account",
"sub": "aa73546c-1f21-4ca4-817b-e3fe320432ff",
"typ": "Bearer",
"azp": "Lightweight",
"sid": "58f16b66-4817-4d77-8903-7053234c58a9",
"acr": "1",
"allowed-origins": [
"https://www.keycloak.org"
],
"realm_access": {
"roles": [
"default-roles-lightweight_realm",
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "profile email",
"email_verified": true,
[...]
}
My question is, why isn’t the client policy being applied in the second case?
I would also like to ask why the client policy doesn’t seem to apply when I try to use the Evaluate tab in Clients → my client → Client Scopes → Evaluate. Even though I specify the lightweight scope for my client, the policy doesn’t appear to be applied, and the generated access token is not lightweight either…
Any help on this would be much appreciated! Thank you!