[keycloak-user] kcadm update client seems to ignore defaultClientScopes

Marek Posolda mposolda at redhat.com
Fri Jan 18 03:59:05 EST 2019


Yes, there are a few places where there are inconsistencies between 
creates and updates. And yes, there is a plan to improve the admin REST API in 
the future to improve and hopefully remove such inconsistencies.

Thanks,
Marek

On 18/01/2019 05:38, Matt Evans wrote:
> Hi Marek
>
> I took your advice and looked at what the console does. It seems that 
> you have to individually PUT or DELETE each client scope in the 
> defaultClientScopes and optionalClientScopes.
>
> e.g. PUT /clients/<client id>/defaultClientScopes/<scope id>
>
> I tried to PUT to the /clients/<client id>/defaultClientScopes 
> endpoint to set all the default client scopes in one go but the method 
> is not allowed.
>
> We currently have our clients deployed using Ansible calling kcadm 
> with the JSON template. This works well for creating new clients, the 
> default client scopes are set correctly, but the update of an existing 
> client template ignores them if they are specified in the JSON.
>
> Whilst we can add more code to extract the scopes from the template 
> and individually call DELETE or PUT to adjust them, it seems overly 
> complicated. I guess for now we will delete and create the whole 
> client if we need to update them.
>
> Are there plans to improve this in the future? It seems inconsistent 
> that the REST endpoint for the client just ignores those properties 
> for updates, but accepts them for creates.
>
> Thanks
>
> Matt
>
>
> On Thu, 17 Jan 2019 at 22:20, Marek Posolda <mposolda at redhat.com> wrote:
>
>     There are separate REST API operations for add/remove default client
>     scope or optional client scope. I suggest trying the admin console with
>     a browser and inspecting the REST request which the admin console is
>     making for add/remove of client scopes for a client. This may show you
>     what the REST request looks like, and you should be able to "translate"
>     this into the proper format for kcadm then.
>
>     Marek
>
>     On 17/01/2019 05:27, Matt Evans wrote:
>     > Has anyone noticed that updating a client using kcadm seems to
>     > ignore the defaultClientScopes property?
>     >
>     > /opt/keycloak/bin/kcadm.sh update
>     > clients/366b5cb2-f4ac-4b81-9ccb-1e8198fec9f9 -r therealm -s
>     > 'defaultClientScopes=["web-origins"]' -s name=changedName --no-config
>     > --server http://localhost:8080/auth --realm master --user admin --client
>     > admin-cli --password xxxx
>     >
>     > We can update other properties ok, e.g. name, client id, redirectUris
>     > all update ok, but defaultClientScopes doesn't change. Also I think
>     > optionalClientScopes doesn't change either.
>
>
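
Following the per-scope PUT/DELETE approach described in the thread, here is an added example (not from the original posts or the Keycloak project) that works out which calls bring an existing client's scopes in line with a JSON template, so that a scope removed from the template is actually detached. The function name, the hyphenated `default-client-scopes`/`optional-client-scopes` path segments and the sample scope ids are assumptions; confirm the paths against your server version.

```python
# Added example: plan the per-scope PUT/DELETE calls for one client.
# Paths are relative to the realm, like kcadm resource URIs. The hyphenated
# segments are an assumption to check against your Keycloak version.
SEGMENTS = {
    "defaultClientScopes": "default-client-scopes",
    "optionalClientScopes": "optional-client-scopes",
}

def plan_scope_changes(client_uuid, template, current, scope_ids):
    """Return (method, path) calls that make the client match the template.

    template  -- client JSON as deployed; scope *names* under each key
    current   -- scope names attached right now, keyed like the template
    scope_ids -- scope name -> scope id for the realm
    """
    removals, additions = [], []
    for key, segment in SEGMENTS.items():
        if key not in template:
            continue  # template says nothing about this list: leave it alone
        wanted, have = set(template[key]), set(current.get(key, []))
        unknown = sorted(wanted - set(scope_ids))
        if unknown:
            raise KeyError(f"scopes not defined in the realm: {unknown}")
        base = f"clients/{client_uuid}/{segment}"
        removals += [("DELETE", f"{base}/{scope_ids[n]}") for n in sorted(have - wanted)]
        additions += [("PUT", f"{base}/{scope_ids[n]}") for n in sorted(wanted - have)]
    # Detach before attaching, so a scope moved between lists is removed first.
    return removals + additions

# Constructed sample data (the client id is the one quoted in the thread).
CLIENT = "366b5cb2-f4ac-4b81-9ccb-1e8198fec9f9"
SCOPE_IDS = {"web-origins": "id-1", "profile": "id-2", "email": "id-3", "roles": "id-4"}
TEMPLATE = {"name": "changedName", "defaultClientScopes": ["web-origins", "profile"],
            "optionalClientScopes": ["email"]}
CURRENT = {"defaultClientScopes": ["web-origins", "email", "roles"],
           "optionalClientScopes": []}

if __name__ == "__main__":
    for method, path in plan_scope_changes(CLIENT, TEMPLATE, CURRENT, SCOPE_IDS):
        print(method, path)
```

Each planned call is one request against the admin API; the other client properties in the template still go through the ordinary client update.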


