[keycloak-user] 4.6.0 Upgrade disables client scopes

Lamina, Marco marco.lamina at sap.com
Wed Nov 21 12:07:37 EST 2018


To answer your questions:
- I upgraded from 4.5.0 to 4.6.0
- Clicking on "Client Scopes" and "Evaluate", all scopes are shown as expected
- Even when I create a new client and add the scope, it is not added to the token

Thanks,
Marco
 

On 11/21/18, 5:19 AM, "Marek Posolda" <mposolda at redhat.com> wrote:

    No, it doesn't need to be updated in any profile like Token Exchange.
    
    Question is, from which version did you upgrade? Note that during upgrade 
    to 4.0.0, the realm default client scopes are not automatically linked 
    to the clients. Thing is, that clients from previous version already have 
    some protocolMappers defined on them, so the clientScopes are not added 
    to them. You may need to change your clients manually and remove 
    protocolMappers from them and link them to default client scopes.
    
    Just the new clients, which you will create now through admin UI, will 
    have the client scopes added to them. See details in the docs: 
    https://www.keycloak.org/docs/latest/upgrading/index.html#client-templates-changed-to-client-scopes
    
    BTW, when you're on the client, you can click on "Client Scopes" and then 
    "Evaluate" to see what the applied client scopes are and check what 
    clientScopes will be applied based on the value of "scope" parameter.
    
    Marek
    
    On 21/11/2018 01:55, Lamina, Marco wrote:
    > Hi,
    > I upgraded to 4.6.0 using the Kubernetes Helm chart. After the upgrade, token exchange stopped working, which I was able to fix thanks to [1]. Unfortunately, none of my client scopes are working anymore. Trying to get a token using client credentials succeeds, but anything I pass into the “scope” parameter is ignored and none of my default client scopes are applied. The “scope” claim in the token endpoint response is always empty.
    > Is that a feature that needs to be enabled similar to the token exchange?
    >
    > [1] https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
    >
    > Thanks,
    > Marco
