[keycloak-user] kcadm update client seems to ignore defaultClientScopes

Matt Evans keycloak-user at mattevans.email
Fri Jan 18 00:51:39 EST 2019


Hi Marek

I took your advice and looked at what the console does. It seems that you
have to individually PUT or DELETE each client scope in the
defaultClientScopes and optionalClientScopes.

e.g. PUT /clients/<client id>/defaultClientScopes/<scope id>

I tried to PUT to the /clients/<client id>/defaultClientScopes endpoint to
set all the default client scopes in one go, but the method is not allowed.

We currently have our clients deployed using Ansible calling kcadm with the
JSON template. This works well for creating new clients (the default client
scopes are set correctly), but the update of an existing client template
ignores them if they are specified in the JSON.

Whilst we can add more code to extract the scopes from the template and
individually call DELETE or PUT to adjust them, it seems overly complicated.
I guess for now we will delete and create the whole client if we need to
update them.

Are there plans to improve this in the future? It seems inconsistent that
the REST endpoint for the client just ignores those properties for updates,
but accepts them for creates.

Thanks

Matt


On Thu, 17 Jan 2019 at 22:20, Marek Posolda <mposolda at redhat.com> wrote:

> There are separate REST API operations to add/remove a default client
> scope or an optional client scope. I suggest trying the admin console in a
> browser and inspecting the REST requests that the admin console makes to
> add/remove client scopes for a client. This may show you what the REST
> request looks like, and you should then be able to "translate" it into
> the proper format for kcadm.
>
> Marek
>
> On 17/01/2019 05:27, Matt Evans wrote:
> > Has anyone noticed that updating a client using kcadm seems to ignore the
> > defaultClientScopes property?
> >
> > /opt/keycloak/bin/kcadm.sh update
> > clients/366b5cb2-f4ac-4b81-9ccb-1e8198fec9f9 -r therealm -s
> > 'defaultClientScopes=["web-origins"]' -s name=changedName --no-config
> > --server http://localhost:8080/auth --realm master --user admin --client
> > admin-cli --password xxxx
> >
> > We can update other properties ok, e.g. name, client id, redirectUris all
> > update ok, but defaultClientScopes doesn't change. Also I think
> > optionalClientScopes doesn't change either.
>
>
>
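
Added example, not part of the original thread and not Keycloak or kcadm code: a planner for the per-scope PUT/DELETE calls described above, which compares the scope lists in a client JSON template with what is currently assigned. The function name `plan_scope_sync`, the path segments `default-client-scopes` and `optional-client-scopes`, and the scope ids are assumptions; only the client UUID comes from the thread.

```python
"""Plan per-scope PUT/DELETE calls so a client's scopes match a JSON template."""

# Assumed path segments for the per-scope endpoints, relative to the realm's
# admin base URL; the scope ids further down are constructed placeholders.
SEGMENTS = {
    "defaultClientScopes": "default-client-scopes",
    "optionalClientScopes": "optional-client-scopes",
}

def plan_scope_sync(client_uuid, template, current, realm_scopes):
    """Return (ops, unknown).

    template     -- client JSON as deployed (scope lists hold scope names)
    current      -- {property: {scope name: scope id}} as assigned right now
    realm_scopes -- {scope name: scope id} for every client scope in the realm
    """
    deletes, puts, unknown = [], [], []
    for prop, segment in SEGMENTS.items():
        if prop not in template:
            continue  # template is silent about this list: leave it untouched
        wanted = set(template[prop])
        have = current.get(prop, {})
        base = f"/clients/{client_uuid}/{segment}"
        for name in sorted(set(have) - wanted):
            deletes.append(("DELETE", f"{base}/{have[name]}"))
        for name in sorted(wanted - set(have)):
            if name in realm_scopes:
                puts.append(("PUT", f"{base}/{realm_scopes[name]}"))
            else:
                unknown.append((prop, name))  # report it, never guess an id
    # Deletes first, so a scope moving between the two lists is removed from
    # one before it is added to the other.
    return deletes + puts, unknown

# Constructed sample data (client UUID taken from the thread's kcadm command).
CLIENT = "366b5cb2-f4ac-4b81-9ccb-1e8198fec9f9"
REALM_SCOPES = {n: f"id-{n}" for n in ("web-origins", "email", "profile", "roles", "address")}
TEMPLATE = {"name": "changedName", "defaultClientScopes": ["web-origins", "email"],
            "optionalClientScopes": ["profile", "missing"]}
CURRENT = {"defaultClientScopes": {n: REALM_SCOPES[n] for n in ("web-origins", "profile", "roles")},
           "optionalClientScopes": {n: REALM_SCOPES[n] for n in ("email", "address")}}

if __name__ == "__main__":
    ops, unknown = plan_scope_sync(CLIENT, TEMPLATE, CURRENT, REALM_SCOPES)
    for method, path in ops:
        print(method, path)
    for prop, name in unknown:
        print(f"unknown scope {name!r} in {prop}: create it or fix the template")
```

An empty list in the template removes every assigned scope of that kind, while an absent property changes nothing, so a template that omits the lists cannot silently strip or widen what the client's tokens carry.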

