How to set up Dynamic Client Registration [insufficient_scope]

Hi there,

I’m looking for some help getting Dynamic Client Registration working on our Keycloak deployment. I’ve spent the last few days trying various things on the dashboard, but haven’t had much luck.

As of this writing, all of my requests are being rejected with a 403 due to {"error":"insufficient_scope","error_description":"Forbidden"}. I do not understand what scope is required that is causing this problem.

I’m hoping someone has seen this insufficient_scope problem before, or can at least point me to something detailing the correct way to set up Dynamic Client Registration.

Thanks,
Zach

Goal

In one of my realms, I want to be able to register a new client using an existing client’s credentials via Dynamic Client Registration.

Problem

All Dynamic Client Registration requests from my existing client are rejected with a 403 and error {"error":"insufficient_scope","error_description":"Forbidden"}. I cannot find which scopes are needed/where they need to be configured.

What I’ve Tried

For the existing client flow:

  1. In my realm, I’ve created a new client with Access Type of confidential (multiple flows enabled)
  2. Created a new client flow called create-client and assigned it to the client
  3. Client scope is set to Full Scope Allowed
  4. Realm → Client Registration → Client Registration Policies → Allowed Client Scopes → set to create-client
  5. Generate bearer token for the client, with scopes create-client openid
  6. Make a Dynamic Client Registration request to the Keycloak endpoint /auth/realms/<realm>/clients-registrations/default with a body of
{
    "clientId": "testing_create_client"
}
  7. Get a 403 response with the following body
{
    "error": "insufficient_scope",
    "error_description": "Forbidden"
}

Note: I see the same result when using /auth/realms/<realm>/clients-registrations/openid-connect and its corresponding JSON format.

I’ve also tried using an Initial Access Token, created on the dashboard. Unlike the client credentials, this method is rejected with a 401. In the response headers, I get a message telling me that my keycloak doesn’t support HS256, even though it generated the token?

WWW-Authenticate: Bearer error="invalid_token", error_description="Unsupported algorithm of HS256"

We figured it out. Here’s what needed to be done:

  1. On the dashboard, go to Clients and select the client you want to give client creation permissions
  2. Go to the Service Account Roles tab at the top
  3. In the client-roles drop down, search for realm-management
  4. Assign the create-client role
  5. Try your request again

There are no special scopes that need to be added during the request - this satisfies the scope that “insufficient_scope” is referring to.
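The exchange described in the question and the fix above, as an added example that is not code from the thread or from Keycloak: a small standard-library client obtains a client-credentials token, posts a `{"clientId": ...}` body to `/realms/<realm>/clients-registrations/default`, and maps the three failure signatures quoted in this thread (403 `insufficient_scope`, 403 `Policy 'Trusted Hosts' rejected ...`, 401 `Unsupported algorithm of HS256`) to the cause each post identified. The base URL, realm, client names and secret are placeholders; the `/auth` prefix is kept only because the original poster's deployment used it. The HTTP transport is injected so the flow can be exercised offline against a constructed stand-in that enforces the realm-management `create-client` role the answer arrived at.

```python
"""Added example (not from the thread): Keycloak Dynamic Client Registration via
client credentials, plus interpretation of the errors the thread reports."""
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real transport: returns (status, headers, body_text) for any HTTP status."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode()


def token_request(base_url, realm, client_id, client_secret):
    """Client-credentials grant; no extra scope is requested (the thread found none is needed)."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", url, headers, urllib.parse.urlencode(form).encode()


def dcr_request(base_url, realm, access_token, new_client_id):
    """Registration call to the 'default' provider with the minimal body from the thread."""
    url = f"{base_url}/realms/{realm}/clients-registrations/default"
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    return "POST", url, headers, json.dumps({"clientId": new_client_id}).encode()


def explain_failure(status, headers, body_text):
    """Map the failure signatures quoted in the thread to the fix each post arrived at."""
    try:
        err = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        err = {}
    desc = str(err.get("error_description", ""))
    www = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), "")
    if status == 403 and err.get("error") == "insufficient_scope":
        return "missing-role: grant the service account the realm-management 'create-client' client role"
    if status == 403 and "Trusted Hosts" in desc:
        return "trusted-hosts: the Client Registration policy 'Trusted Hosts' rejected the caller's host"
    if status == 401 and "Unsupported algorithm" in www:
        return "token-type: bearer token not accepted (the thread saw this with an Initial Access Token)"
    return f"unexpected: HTTP {status} {body_text[:200]}"


def register_client(base_url, realm, client_id, client_secret, new_client_id,
                    transport=urllib_transport):
    """Token step, then registration step; returns a dict describing the outcome."""
    status, hdrs, body = transport(*token_request(base_url, realm, client_id, client_secret))
    if status != 200:
        return {"ok": False, "stage": "token", "why": explain_failure(status, hdrs, body)}
    access_token = json.loads(body)["access_token"]
    status, hdrs, body = transport(*dcr_request(base_url, realm, access_token, new_client_id))
    if status not in (200, 201):
        return {"ok": False, "stage": "register", "why": explain_failure(status, hdrs, body)}
    return {"ok": True, "stage": "register", "client": json.loads(body)}


def fake_keycloak(granted_roles):
    """Constructed stand-in for Keycloak (not a real server): issues a token, then
    rejects registration with the thread's exact 403 body unless the service
    account holds the realm-management create-client role."""
    def transport(method, url, headers, body):
        if url.endswith("/protocol/openid-connect/token"):
            return 200, {}, json.dumps({"access_token": "constructed-token"})
        if url.endswith("/clients-registrations/default"):
            if "create-client" not in granted_roles:
                return 403, {}, json.dumps({"error": "insufficient_scope",
                                            "error_description": "Forbidden"})
            new_client = json.loads(body)
            return 201, {}, json.dumps({"clientId": new_client["clientId"],
                                        "secret": "constructed-secret"})
        return 404, {}, ""
    return transport


if __name__ == "__main__":
    # Placeholder deployment values; the '/auth' prefix matches the original poster's setup.
    for roles in ([], ["create-client"]):
        print(roles, register_client("https://keycloak.example/auth", "demo", "existing-client",
                                     "placeholder-secret", "testing_create_client",
                                     transport=fake_keycloak(roles)))
```

Against a real deployment, drop the `transport=` argument so `urllib_transport` is used; the `why` string on failure tells you which of the thread's three situations you are in before you start changing roles or policies.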

Hi!

I'm still having the same problem. I've tried to do all those steps, but I received a 403 with the ‘error description’: Policy ‘Trusted Hosts’ rejected request to client-registration service. details: Host not trusted

How can I manage this, to give permission to an application to create a client dynamically?

I’m using Keycloak 19.0 and I didn’t know how to assign the new flow to an existing client.
Another question: If we are trying to create clients in DCR, why do we need to create a client manually?

Thanks and regards,

Hi everyone,

I seem to have the same issues as thiago_aor.
I know that Keycloak 16 had a way to configure trusted hosts but I cannot find it in Keycloak 20.

Can somebody help or point us to a documentation?

Thanks!

OK, so my fix was to use the old UI.
Realm Settings > Themes > Admin Console Theme > Keycloak (then re-login).
After that you can do all the necessary stuff under Realm Settings > Client Registration.