Granted scope isn't saved for federated users


I have a Keycloak realm with a mixed user base.
Some users are native (native users), some are provided through a custom User Storage SPI implementation (federated users).

When I perform an OIDC login, Keycloak asks to approve 4 scopes (test-client, profile, email, roles).
The request is performed with scope openid. Keycloak transforms it to these four scopes.
test-client is the client name. There is no actual client scope with this name showing in the admin UI.

Using a native user everything works fine. I approve and the login completes successfully.

Having a look at the user consents confirms that everything is ok.
All 4 scopes show up in the user's corresponding consent entry.

Using a federated user the login fails with the following message.

[invalid_scope] Client no longer has requested consent from user

Looking at the user's consent, we see that the test-client scope is not being added.

Trying to exchange the code for a token produces a matching error in the Keycloak log:

11:06:31,964 WARN  [] (default task-10) type=CODE_TO_TOKEN_ERROR, realmId=torment, clientId=test-client, userId=f:ff4c66e5-2a6f-465c-8418-200648a49973:dfb_user, ipAddress=, error=not_allowed, grant_type=authorization_code, code_id=418dfa66-b4c8-4481-b46d-ceac97e65b39, client_auth_method=client-secret

All further login attempts will ask to approve only the missing test-client scope, but it will never be added to the consent.


  1. Why does this happen?
  2. How do I make it work?
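Added example, not part of the question above: a small Python triage helper for narrowing down a consent problem like this one before touching the User Storage SPI code. It does two things that the post's data makes possible offline: it classifies a user id from the Keycloak log as native or federated (Keycloak builds federated ids as `f:<storage-provider-component-id>:<external-id>`, native ids are plain UUIDs), and it diffs the scopes the consent screen asked for against what the admin REST endpoint `GET /admin/realms/{realm}/users/{id}/consents` reports as granted for a client. The realm, client and scope names are taken from the post; the two consent records and the `REQUESTED` set are constructed sample data, and `fetch_consents` is a plain helper written for this example, not a Keycloak client library.

```python
"""Triage helpers for a Keycloak user-consent mismatch (added example)."""
import json
import re
import urllib.request
from typing import Dict, Optional, Set

# Keycloak StorageId format for users served by a User Storage SPI provider.
_FEDERATED_PREFIX = "f:"
_UUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def parse_user_id(user_id: str) -> Dict[str, Optional[object]]:
    """Classify a user id as native or federated.

    Federated ids look like "f:<provider component id>:<external id>".
    The external id may itself contain ':' so split at most twice.
    """
    if user_id.startswith(_FEDERATED_PREFIX):
        _, provider_id, external_id = user_id.split(":", 2)
        return {"federated": True, "provider_id": provider_id, "external_id": external_id}
    if _UUID.match(user_id):
        return {"federated": False, "provider_id": None, "external_id": None}
    raise ValueError(f"unrecognised Keycloak user id: {user_id!r}")


def missing_consent_scopes(consents_json: str, client_id: str, requested: Set[str]) -> Set[str]:
    """Return the requested scopes that the stored consent for client_id lacks.

    consents_json is the body returned by
    GET /admin/realms/{realm}/users/{id}/consents (a JSON list whose entries
    carry "clientId" and "grantedClientScopes").  If there is no consent entry
    for the client at all, every requested scope is missing.
    """
    for entry in json.loads(consents_json):
        if entry.get("clientId") == client_id:
            return set(requested) - set(entry.get("grantedClientScopes", []))
    return set(requested)


def fetch_consents(base_url: str, realm: str, user_id: str, bearer_token: str) -> str:
    """Fetch the live consent list for a user via the admin REST API (network call).

    Only the URL path is Keycloak's; obtaining bearer_token (e.g. from the
    admin-cli client) is left to the caller.
    """
    url = f"{base_url}/admin/realms/{realm}/users/{user_id}/consents"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:  # not executed in this example
        return resp.read().decode("utf-8")


# Constructed sample data mirroring the post: the native user's consent holds
# all four scopes, the federated user's consent lacks the client's own scope.
REQUESTED = {"test-client", "profile", "email", "roles"}
NATIVE_CONSENTS = json.dumps([{
    "clientId": "test-client",
    "grantedClientScopes": ["test-client", "profile", "email", "roles"],
    "createdDate": 1, "lastUpdatedDate": 1,
}])
FEDERATED_CONSENTS = json.dumps([{
    "clientId": "test-client",
    "grantedClientScopes": ["profile", "email", "roles"],
    "createdDate": 1, "lastUpdatedDate": 1,
}])


def triage(user_id: str, consents_json: str, client_id: str, requested: Set[str]) -> Dict[str, object]:
    """Combine both checks into one report for a user/client pair."""
    who = parse_user_id(user_id)
    return {
        "federated": who["federated"],
        "provider_id": who["provider_id"],
        "missing_scopes": sorted(missing_consent_scopes(consents_json, client_id, requested)),
    }


if __name__ == "__main__":
    # User id copied from the CODE_TO_TOKEN_ERROR line in the post.
    print(triage("f:ff4c66e5-2a6f-465c-8418-200648a49973:dfb_user",
                 FEDERATED_CONSENTS, "test-client", REQUESTED))
    print(triage("418dfa66-b4c8-4481-b46d-ceac97e65b39",
                 NATIVE_CONSENTS, "test-client", REQUESTED))
```

When run against live data, a non-empty `missing_scopes` for a federated user together with an empty one for a native user of the same client isolates the problem to how consents are persisted for the federated storage provider, rather than to the client's scope configuration.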