Hi there,
I’m looking for some help getting Dynamic Client Registration working on our Keycloak deployment. I’ve spent the last few days trying various things on the dashboard, but haven’t had much luck.
As of this writing, all of my requests are being rejected with a 403 due to {"error":"insufficient_scope","error_description":"Forbidden"}. I do not understand what scope is required that is causing this problem.
I’m hoping someone has seen this insufficient_scope problem before, or can at least point me to something detailing the correct way to set up Dynamic Client Registration.
Thanks,
Zach
Goal
In one of my realms, I want to be able to register a new client using an existing client’s credentials via Dynamic Client Registration.
Problem
All Dynamic Client Registration requests from my existing client are rejected with a 403 and error {"error":"insufficient_scope","error_description":"Forbidden"}. I cannot find which scopes are needed/where they need to be configured.
What I’ve Tried
For the existing client flow:
- In my realm, I’ve created a new client with Access Type of confidential (multiple flows enabled)
- Created a new client flow called create-client and assigned it to the client
- Client scope is set to Full Scope Allowed
- Realm → Client Registration → Client Registration Policies → Allowed Client Scopes → set to create-client
- Generate bearer token for the client, with scopes create-client openid
- Make Dynamic Client Registration to Keycloak endpoint /auth/realms/<realm>/clients-registrations/default with a body of
  {
    "clientId": "testing_create_client"
  }
- Get a 403 response with the following body
  {
    "error": "insufficient_scope",
    "error_description": "Forbidden"
  }
Note: I see the same result when using /auth/realms/<realm>/clients-registrations/openid-connect and its corresponding JSON format.
I’ve also tried using an Initial Access Token, created on the dashboard. Unlike the client credentials, this method is rejected with a 401. In the response headers, I get a message telling me that my Keycloak doesn’t support HS256, even though it generated the token?
WWW-Authenticate: Bearer error="invalid_token", error_description="Unsupported algorithm of HS256"
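Both symptoms in the post (insufficient_scope on the bearer token, "Unsupported algorithm of HS256" on the Initial Access Token) can be narrowed down by looking at what the presented token actually carries before sending it to the registration endpoint. The following is an added diagnostic example, not code from the original post or from Keycloak: it decodes a compact JWT's header and payload without verifying the signature, reports the alg and the space-separated scope claim, and lists which required scopes are absent. The tokens below are constructed in-line with a made-up HS256 secret purely so the script runs offline; a real Keycloak access token is signed with the realm's key and must never be trusted on the basis of this unverified decode.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(header: dict, payload: dict, secret: bytes) -> str:
    """Build a constructed sample JWT. Used here only to fabricate test input;
    a real Keycloak access token would be issued by the server, not by the client."""
    segments = [
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    ]
    signing_input = ".".join(segments)
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def inspect_token(token: str) -> dict:
    """Decode header and payload WITHOUT signature verification.

    This is a diagnostic view only: it tells you what the token claims to be,
    which is exactly what the server will evaluate before it checks the signature
    (the alg header) and after (the scope claim)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return {
        "alg": header.get("alg"),
        "typ": header.get("typ"),
        "azp": payload.get("azp"),      # client the token was issued to
        "scope": payload.get("scope", ""),
    }


def missing_scopes(token: str, required: set) -> set:
    """Return the subset of `required` that the token's scope claim does not grant."""
    granted = set(inspect_token(token)["scope"].split())
    return set(required) - granted


# Constructed sample tokens (hypothetical secret, hypothetical claims).
_SECRET = b"constructed-demo-secret-not-a-real-key"
_HEADER = {"alg": "HS256", "typ": "JWT"}

# Token 1: only "openid" was granted, so a request needing "create-client" will fail.
SAMPLE_TOKEN_MISSING = make_hs256_token(
    _HEADER, {"azp": "my-registrar", "scope": "openid"}, _SECRET
)
# Token 2: both scopes present.
SAMPLE_TOKEN_OK = make_hs256_token(
    _HEADER, {"azp": "my-registrar", "scope": "openid create-client"}, _SECRET
)

REQUIRED_FOR_REGISTRATION = {"openid", "create-client"}


if __name__ == "__main__":
    for label, tok in (("missing", SAMPLE_TOKEN_MISSING), ("ok", SAMPLE_TOKEN_OK)):
        info = inspect_token(tok)
        lacking = missing_scopes(tok, REQUIRED_FOR_REGISTRATION)
        print(f"{label}: alg={info['alg']} azp={info['azp']} scope={info['scope']!r} "
              f"missing={sorted(lacking) or 'none'}")
```

To use it against a real token, paste the bearer value into inspect_token() and compare the scope claim with the scopes you configured under Allowed Client Scopes; if the claim lacks the scope you expected, the problem is on the token-issuance side (client scope assignment) rather than at the registration endpoint. For the Initial Access Token, the alg field of the header is what the WWW-Authenticate message is complaining about, so checking it here confirms whether the token you pasted is the one you think it is.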