Using Keycloak with 1EdTech

Hi,

we’re using Keycloak to secure our APIs. The APIs are an implementation of the OneRoster 1.2 standard from 1EdTech. This standard requires the client credentials flow, and the security specs are taken from their 1EdTech Security Framework.

We’re now in the certification process and we’re failing on two issues regarding the token issuing.

RFC6749 says:

“If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope.”

Keycloak, out of the box, processes the request and returns a token. 1EdTech requires the second option: fail the request indicating an invalid scope. Is there a way to change this behavior in Keycloak so that if you request a token and don’t provide any scopes, the request will fail?

The second issue is that if you send in several scopes and one or more of them are not valid, 1EdTech wants the IdP to process the request and return a token with the valid scopes and ignore the invalid ones. Is there a way to do this in Keycloak?

Regs,
Frode Sjovatsen
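The two behaviours the post asks for are a scope-validation policy at the token endpoint, so as an added illustration (not part of the original post, and not Keycloak code or configuration) here is a minimal reference model of that policy in Python. It treats a missing or empty `scope` parameter as an `invalid_scope` error (RFC 6749 §4.4.2 / §5.2) and, for a non-empty request, keeps only the scopes the client is registered for and drops the rest. The registered scope names are constructed sample values, not the real OneRoster scope URIs; and the choice to fail with `invalid_scope` when none of the requested scopes survive filtering is an assumption taken from RFC 6749 §5.2, since the post does not cover that case.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample: scopes a client is registered for at the IdP.
# Real OneRoster deployments use the scope URIs from the 1EdTech spec.
REGISTERED_SCOPES = frozenset({
    "roster-core.readonly",
    "roster.readonly",
    "resource.readonly",
})


@dataclass(frozen=True)
class TokenResponse:
    """Outcome of a client-credentials token request (simplified)."""
    ok: bool
    scope: str = ""      # space-delimited scopes actually granted
    error: str = ""      # RFC 6749 error code when ok is False


def parse_scope(scope_param: Optional[str]) -> list:
    """Split the space-delimited scope parameter (RFC 6749 §3.3),
    preserving order and removing duplicates."""
    if scope_param is None:
        return []
    seen = set()
    result = []
    for s in scope_param.split():
        if s not in seen:
            seen.add(s)
            result.append(s)
    return result


def issue_token(scope_param: Optional[str],
                registered: Iterable[str] = REGISTERED_SCOPES) -> TokenResponse:
    """Apply the 1EdTech scope policy described in the question.

    1. No scope parameter (or an empty one): fail with invalid_scope,
       the second option RFC 6749 §3.3 allows, rather than issuing a
       token with a default scope.
    2. Some scopes valid, some not: grant only the valid ones and
       silently drop the rest.
    3. Assumption: nothing valid remains -> invalid_scope (RFC 6749 §5.2).
    """
    requested = parse_scope(scope_param)
    if not requested:
        return TokenResponse(ok=False, error="invalid_scope")

    registered = set(registered)
    granted = [s for s in requested if s in registered]
    if not granted:
        return TokenResponse(ok=False, error="invalid_scope")

    # RFC 6749 §5.1: when the granted scope differs from the requested
    # one, the response MUST carry the scope parameter, so always set it.
    return TokenResponse(ok=True, scope=" ".join(granted))


if __name__ == "__main__":
    for req in (None, "", "roster-core.readonly bogus.scope", "bogus.scope"):
        print(repr(req), "->", issue_token(req))
```

The filtering step is where a defender should look closely: because invalid scopes are dropped rather than rejected, a client typo does not surface as an error, so logging the difference between requested and granted scopes at the token endpoint is the practical way to notice misconfigured clients.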