[keycloak-user] 4.6.0 Upgrade disables client scopes

Jernej Porenta jernej.porenta at 3fs.si
Wed Dec 12 14:46:29 EST 2018


Anyone with the solution to it?

br, Jernej

> On 21 Nov 2018, at 18:07, Lamina, Marco <marco.lamina at sap.com> wrote:
> 
> To answer your questions:
> - I upgraded from 4.5.0 to 4.6.0
> - Clicking on "Client Scopes" and "Evaluate", all scopes are shown as expected
> - Even when I create a new client and add the scope, it is not added to the token
> 
> Thanks,
> Marco
> 
> 
> On 11/21/18, 5:19 AM, "Marek Posolda" <mposolda at redhat.com> wrote:
> 
>    No, it doesn't need to be updated in any profile like Token Exchange.
> 
>    Question is, from which version did you upgrade? Note that during upgrade 
>    to 4.0.0, the realm default client scopes are not automatically linked 
>    to the clients. Thing is, that clients from the previous version already have 
>    some protocolMappers defined on them, so the clientScopes are not added 
>    to them. You may need to change your clients manually and remove 
>    protocolMappers from them and link them to default client scopes.
> 
>    Just the new clients, which you will create now through admin UI, will 
>    have the client scopes added to them. See details in the docs: 
>    https://www.keycloak.org/docs/latest/upgrading/index.html#client-templates-changed-to-client-scopes
> 
>    BTW, when you're on a client, you can click on "Client Scopes" and then 
>    "Evaluate" to see which client scopes are applied and check which 
>    clientScopes will be applied based on the value of the "scope" parameter.
> 
>    Marek
> 
>    On 21/11/2018 01:55, Lamina, Marco wrote:
>> Hi,
>> I upgraded to 4.6.0 using the Kubernetes Helm chart. After the upgrade, token exchange stopped working, which I was able to fix thanks to [1]. Unfortunately, none of my client scopes are working anymore. Trying to get a token using client credentials succeeds, but anything I pass into the “scope” parameter is ignored and none of my default client scopes are applied. The “scope” claim in the token endpoint response is always empty.
>> Is that a feature that needs to be enabled similar to the token exchange?
>> 
>> [1] https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>> 
>> Thanks,
>> Marco
>> 
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
