Error when getting token using client scopes (works on Keycloak v8/9 but not on v10)

Hi,
I am working on the issue we have with Ovirt Engine + Keycloak integration. It all works well with Keycloak 8/9 but not with 10.
I am trying to figure out what actually was changed with 10 that affected the area of obtaining token and scope validation in particular.

{"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access.","error":"access_denied"}

Perhaps it is a misconfiguration on our side but, frankly speaking, I have no clue how to identify it.
I have all the details put under this Bugzilla ticket

The call is ‘proxied’ via the ovirt engine application but eventually hits:
https://keycloak.example.com/auth/realms/master/protocol/openid-connect/token

Any help/ideas greatly appreciated.

I’m having similar issues going from 9 to 10.

In my case, wherever a scope is requested that Keycloak doesn’t know about, it seems that

  • Keycloak 9 ignores the unknown requested scope
  • Keycloak 10 rejects the unknown requested scope with an invalid_scope response

Both behaviours seem valid under the spec.

Section 3.3 includes the following statement:

The authorization server MAY fully or partially ignore the scope
requested by the client, based on the authorization server policy or
the resource owner’s instructions. If the issued access token scope
is different from the one requested by the client, the authorization
server MUST include the “scope” response parameter to inform the
client of the actual scope granted.

And invalid_scope is defined throughout the document as

    invalid_scope
         The requested scope is invalid, unknown, or malformed.

Is there a configuration option out there for 10 to choose whether unknown scopes are rejected as invalid or ignored (as Keycloak 9 did)? That would fit with the “based on the authorization server policy or the resource owner’s instructions” and allow Keycloak users to set that policy.

Similarly, any help much appreciated.
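
The two policies described in the post above, as an added example that is not code from the thread, from oVirt or from Keycloak: a small model of a token endpoint that either drops unknown scopes (the behaviour attributed here to Keycloak 9) or rejects them with invalid_scope (the behaviour attributed to Keycloak 10), following RFC 6749 section 3.3, plus a client-side check that tells the caller which case it hit. The set of scopes the client is allowed is constructed for the example, and the response bodies use the RFC's parameter names rather than Keycloak's exact wire format; the requested scope string is taken from the error in the first post.

```python
# Added example, not code from the thread, oVirt or Keycloak: model of the two
# authorization-server policies for unknown scopes (RFC 6749 section 3.3).

# Constructed: client scopes the client is allowed to request in the realm (assumption).
CLIENT_ALLOWED_SCOPES = frozenset({"openid", "profile", "email", "ovirt-app-api"})

# Constructed from the scope string shown in the first post of the thread.
OVIRT_REQUESTED_SCOPE = (
    "ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search "
    "ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate "
    "ovirt-ext=token:password-access"
)


def parse_scope_param(scope_param):
    """RFC 6749 s3.3: the scope parameter is a list of space-delimited,
    case-sensitive strings; order is not significant."""
    return [s for s in scope_param.split(" ") if s]


def token_endpoint(scope_param, allowed=CLIENT_ALLOWED_SCOPES, reject_unknown=True):
    """Model of the token endpoint's scope handling. Returns (http_status, json_body).

    reject_unknown=False -> unknown scopes are silently dropped and the 'scope'
                            response parameter reports what was actually granted
                            (the behaviour the thread attributes to Keycloak 9).
    reject_unknown=True  -> any unknown scope fails the request with invalid_scope
                            (the behaviour the thread attributes to Keycloak 10).
    """
    requested = parse_scope_param(scope_param)
    unknown = [s for s in requested if s not in allowed]
    granted = [s for s in requested if s in allowed]

    if unknown and reject_unknown:
        return 400, {
            "error": "invalid_scope",
            "error_description": "Invalid scopes: " + " ".join(unknown),
        }

    body = {"access_token": "<opaque or JWT>", "token_type": "Bearer"}
    if granted != requested:
        # RFC 6749 s3.3: if the issued scope differs from the requested one, the
        # server MUST include 'scope' so the client learns what it actually got.
        body["scope"] = " ".join(granted)
    return 200, body


def classify_response(scope_param, status, body):
    """Client-side check on a token response.

    Returns (outcome, scopes) where outcome is 'granted', 'partial' or the
    server's error code, and scopes lists the requested scopes not honoured.
    """
    requested = set(parse_scope_param(scope_param))
    if status != 200:
        return body.get("error", "unknown_error"), sorted(requested)
    if "scope" not in body:
        # No 'scope' parameter means the server granted exactly what was asked.
        return "granted", []
    granted = set(parse_scope_param(body["scope"]))
    return "partial", sorted(requested - granted)


if __name__ == "__main__":
    for reject in (False, True):
        status, body = token_endpoint(OVIRT_REQUESTED_SCOPE, reject_unknown=reject)
        outcome = classify_response(OVIRT_REQUESTED_SCOPE, status, body)
        print(f"reject_unknown={reject}: HTTP {status} -> {outcome}")
```

Running it with the oVirt scope string shows the difference the post describes: with the ignore policy the request succeeds but the returned scope is only ovirt-app-api, so the client should inspect the scope parameter rather than assume it got everything; with the reject policy the same request fails outright, which is why a client that never checked the scope parameter breaks on the upgrade.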

IMHO there is no option to ignore unknown scopes.

Keycloak ticket: https://issues.redhat.com/browse/KEYCLOAK-8071
Commit: https://github.com/keycloak/keycloak/commit/cbab159aa87ca5e3443b3e87fdbf8de40542d1d3

Only proper configuration of the requested scope should be a valid solution.

Ideally it should be feature flagged to decide whether to ignore invalid scope or not.
