Dynamic Client Registration: assigned default vs optional scopes

asoorm · January 13, 2022, 1:03pm

We have concept of “Assigned Default Client Scopes” and “Assigned Optional Client Scopes” in Keycloak. This allows a client to automatically get the scope when hitting the token endpoint, vs explicitly requesting the scope.

In a Dynamic Client Registration request, is it possible to control whether whether the scope is automatically applied vs whether a client has to request that scope?

{
  "client_name": "sample",
  "token_endpoint_auth_method": "private_key_jwt",
  "token_endpoint_auth_signing_alg": "HS256",
  "jwks_uri": "URI of the JSON web key set",
  "redirect_uris": ["http://localhost"],
  "response_types": ["none"],
  "grant_types": ["client_credentials"],
  "subject_type": "public",
  "scope": "default optional"
}

jangaraj · January 13, 2022, 2:18pm

I bet you are using openid-connect provider for client registration -
Doc: Securing Applications and Services Guide

Unfortunately, OIDC client model doesn’t have concept of default/optional scopes, only scopes: keycloak/OIDCClientRepresentation.java at main · keycloak/keycloak · GitHub

I would use default provider, where you can use Keycloak client model - it has those properties for the config:

    "defaultClientScopes": [],
    "optionalClientScopes": []

See: keycloak/ClientRepresentation.java at main · keycloak/keycloak · GitHub

Topic		Replies	Views
Client Registration with Signed JWT Getting advice admin-console , oidc	2	762	December 10, 2022
How to setup Dynamic Client Registration [insufficient_scope] Configuring the server oidc	5	5441	January 30, 2023
Create a scope and assign it to a client using the keycloak admin Java SDK	6	1073	March 13, 2024
How to echo the allowed scopes in the Dynamic Client Registration response? Getting advice	1	1056	October 2, 2020
Dynamic Client registration with Token Exchange	6	1183	October 3, 2021

Dynamic Client Registration: assigned default vs optional scopes

Related topics