Hi,
I have 2 separate installations of Keycloak, using a nearly identical setup. One is for testing, the other for production.
Both have a Client using openid-connect with confidential Access Type, with “Service Accounts Enabled” and “Authorization Enabled”. Both have the “Assigned Default Client Scopes” aaa and bbb.
When I generate an access token for one of them, the response contains "scope":"aaa bbb", while the other gets "scope":"bbb aaa"

curl  \
  -d "client_id=myid" \
  -d "client_secret=mysecret" \
  -d "grant_type=client_credentials" \
  "https://mykc/auth/realms/myrealm/protocol/openid-connect/token"

What could be affecting the order of these Client Scopes? I tried removing one of the scopes and adding it again, and did the same for the second scope - nothing seems to affect their order. The Clients were both created the same way.

This was a real pain, but what I ended up doing was deleting the bbb Client Scope, removing all Clients that used it, then recreated the bbb scope, and recreated all of the Clients. This changed the order; my hunch is that maybe the Client Scope creation date or it’s UUID somehow affects the order, but it’s only a guess.