[keycloak-user] 4.6.0 Upgrade disables client scopes
Jernej Porenta
jernej.porenta at 3fs.si
Wed Dec 12 14:46:29 EST 2018
Anyone with the solution to it?
br, Jernej
> On 21 Nov 2018, at 18:07, Lamina, Marco <marco.lamina at sap.com> wrote:
>
> To answer your questions:
> - I upgraded from 4.5.0 to 4.6.0
> - Clicking on "Client Scopes" and "Evaluate", all scopes are shown as expected
> - Even when I create a new client and add the scope, it is not added to the token
>
> Thanks,
> Marco
>
>
> On 11/21/18, 5:19 AM, "Marek Posolda" <mposolda at redhat.com> wrote:
>
> No, it doesn't need to be updated in any profile like Token Exchange.
>
> Question is, from which version did you upgrade? Note that during upgrade
> to 4.0.0, the realm default client scopes are not automatically linked
> to the clients. Thing is, that clients from the previous version already have
> some protocolMappers defined on them, so the clientScopes are not added
> to them. You may need to change your clients manually and remove
> protocolMappers from them and link them to default client scopes.
>
> Just the new clients, which you will create now through admin UI, will
> have the client scopes added to them. See details in the docs:
> https://www.keycloak.org/docs/latest/upgrading/index.html#client-templates-changed-to-client-scopes
>
> BTW, when you're on a client, you can click on "Client Scopes" and then
> "Evaluate" to see which client scopes are applied and check which
> clientScopes will be applied based on the value of the "scope" parameter.
>
> Marek
>
> On 21/11/2018 01:55, Lamina, Marco wrote:
>> Hi,
>> I upgraded to 4.6.0 using the Kubernetes Helm chart. After the upgrade, token exchange stopped working, which I was able to fix thanks to [1]. Unfortunately, none of my client scopes are working anymore. Trying to get a token using client credentials succeeds, but anything I pass into the “scope” parameter is ignored and none of my default client scopes are applied. The “scope” claim in the token endpoint response is always empty.
>> Is that a feature that needs to be enabled similar to the token exchange?
>>
>> [1] https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>>
>> Thanks,
>> Marco
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
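Added example (not part of the original thread and not Keycloak's own code): a check over a realm export for the situation Marek describes, where clients carried over from an older version still have their own protocolMappers and are not linked to the realm default client scopes. The sample export is constructed, and the field names (defaultDefaultClientScopes, defaultClientScopes, protocolMappers) are assumed to match the realm export JSON of the version in use.

```python
import json

# Constructed sample: a trimmed realm export. Clients and scopes are made up;
# field names are assumed to follow Keycloak's realm/client JSON representation.
SAMPLE_EXPORT = json.loads("""
{
  "realm": "demo",
  "defaultDefaultClientScopes": ["profile", "email", "roles"],
  "clients": [
    {"clientId": "legacy-api",
     "protocolMappers": [{"name": "username", "protocol": "openid-connect"}],
     "defaultClientScopes": [], "optionalClientScopes": []},
    {"clientId": "new-api",
     "defaultClientScopes": ["profile", "email", "roles"],
     "optionalClientScopes": ["offline_access"]},
    {"clientId": "partial-api",
     "protocolMappers": [{"name": "groups", "protocol": "openid-connect"}],
     "defaultClientScopes": ["profile"]}
  ]
}
""")


def audit_client_scopes(realm):
    """Return one finding per client that lacks a realm default client scope."""
    realm_defaults = realm.get("defaultDefaultClientScopes") or []
    findings = []
    for client in realm.get("clients") or []:
        linked = set(client.get("defaultClientScopes") or [])
        missing = [s for s in realm_defaults if s not in linked]
        if not missing:
            continue  # client is linked to every realm default scope
        findings.append({
            "clientId": client.get("clientId"),
            "missing_default_scopes": missing,
            # Mappers defined directly on the client are the pre-4.0.0 pattern
            # from the reply; review them before moving to client scopes.
            "client_level_mappers": [m.get("name")
                                     for m in client.get("protocolMappers") or []],
        })
    return findings


if __name__ == "__main__":
    for f in audit_client_scopes(SAMPLE_EXPORT):
        print(f"{f['clientId']}: missing {f['missing_default_scopes']}, "
              f"mappers on client: {f['client_level_mappers']}")
```

Clients it reports are the ones to compare against the "Evaluate" tab mentioned in the thread before changing their mappers or scope links.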