I have a Keycloak realm with a mixed user base.
Some users are native (native users), some are provided through a custom User Storage SPI implementation (federated users).
When I perform an OIDC login, Keycloak asks to approve 4 scopes (test-client, profile, email, roles).
The request is performed with scope openid. Keycloak transforms it to these four scopes.
test-client is the client name. There is no actual client scope with this name showing in the admin UI.
Using a native user everything works fine. I approve and the login completes successfully.
Having a look at the user consents confirms that everything is ok.
All 4 scopes show up in the user's corresponding consent entry.
Using a federated user, the login fails with the following message:
[invalid_scope] Client no longer has requested consent from user
Trying to exchange the code for a token produces a fitting error in the Keycloak log:
11:06:31,964 WARN [org.keycloak.events] (default task-10) type=CODE_TO_TOKEN_ERROR, realmId=torment, clientId=test-client, userId=f:ff4c66e5-2a6f-465c-8418-200648a49973:dfb_user, ipAddress=127.0.0.1, error=not_allowed, grant_type=authorization_code, code_id=418dfa66-b4c8-4481-b46d-ceac97e65b39, client_auth_method=client-secret
All further login tries will ask to approve only the missing test-client scope, but it will never be added to the consent.
- Why does this happen?
- How do I make it work?