How to setup Dynamic Client Registration [insufficient_scope]

Hi there,

I’m looking for some help getting Dynamic Client Registration working on our Keycloak deployment. I’ve spent the last few days trying various things on the dashboard, but haven’t had much luck.

As of this writing, all of my requests are being rejected with a 403 due to {"error":"insufficient_scope","error_description":"Forbidden"}. I do not understand what scope is required that is causing this problem.

I’m hoping someone has seen this insufficient_scope problem before, or can at least point me to something detailing the correct way to set up Dynamic Client Registration.

Thanks,
Zach

Goal

In one of my realms, I want to be able to register a new client using an existing client’s credentials via Dynamic Client Registration.

Problem

All Dynamic Client Registration requests from my existing client are rejected with a 403 and error {"error":"insufficient_scope","error_description":"Forbidden"}. I cannot find which scopes are needed/where they need to be configured.

What I’ve Tried

For the existing client flow:

  1. In my realm, I’ve created a new client with Access Type of confidential (multiple flows enabled)
  2. Created a new client scope called create-client and assigned it to the client
  3. Client scope is set to Full Scope Allowed
  4. Realm → Client Registration → Client Registration Policies → Allowed Client Scopes → set to create-client
  5. Generate bearer token for the client, with scopes create-client openid
  6. Make Dynamic Client Registration to Keycloak endpoint /auth/realms/<realm>/clients-registrations/default with a body of
{
    "clientId": "testing_create_client"
}
  7. Get a 403 response with the following body
{
    "error": "insufficient_scope",
    "error_description": "Forbidden"
}

Note: I see the same result when using /auth/realms/<realm>/clients-registrations/openid-connect and its corresponding JSON format.

I’ve also tried using an Initial Access Token, created on the dashboard. Unlike the client credentials, this method is rejected with a 401. In the response headers, I get a message telling me that my keycloak doesn’t support HS256, even though it generated the token?

WWW-Authenticate: Bearer error="invalid_token", error_description="Unsupported algorithm of HS256"

We figured it out. Here’s what needed to be done:

  1. On the dashboard, go to Clients and select the client you want to give permission for client creation
  2. Go to the Service Account Roles tab at the top
  3. In the client-roles drop-down, search for realm-management
  4. Assign the create-client role
  5. Try your request again

There are no special scopes that need to be added during the request - this satisfies the scope that “insufficient_scope” is referring to.
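As an added example (not part of the thread), this script inspects the service-account access token the way the fix above implies: decode the JWT payload without verifying it and check whether the realm-management client role create-client is present. It assumes Keycloak places client roles under the `resource_access` claim; the client name my-registrar and both sets of claims are constructed for the demo.

```python
import base64
import json

# Role on Keycloak's realm-management client that the thread's fix assigns.
REQUIRED_ROLE = "create-client"
REALM_MANAGEMENT_CLIENT = "realm-management"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT checking the signature.

    Diagnostic only: it shows what Keycloak put in the token, it does not
    establish that the token is authentic.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def has_create_client_role(claims: dict) -> bool:
    """True if the token carries realm-management/create-client (assumed claim layout)."""
    roles = claims.get("resource_access", {}).get(REALM_MANAGEMENT_CLIENT, {}).get("roles", [])
    return REQUIRED_ROLE in roles


def explain(token: str) -> str:
    """Map the token contents to the outcome the registration endpoint will give."""
    if has_create_client_role(decode_claims(token)):
        return "ok: service account carries realm-management/create-client"
    return ("insufficient_scope expected: token lacks realm-management/create-client; "
            "assign it under Clients > Service Account Roles")


def make_demo_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped token (alg=none, empty signature)."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


# Constructed claims: "before" mirrors the question (a create-client *scope*
# only), "after" mirrors the fix (the realm-management *role* on the account).
BEFORE_CLAIMS = {"azp": "my-registrar", "scope": "create-client openid", "resource_access": {}}
AFTER_CLAIMS = {"azp": "my-registrar", "scope": "openid",
                "resource_access": {REALM_MANAGEMENT_CLIENT: {"roles": [REQUIRED_ROLE]}}}

if __name__ == "__main__":
    for label, claims in (("before", BEFORE_CLAIMS), ("after", AFTER_CLAIMS)):
        print(label, "->", explain(make_demo_token(claims)))
```

Run it against a real token by passing the access_token string from the token endpoint to `explain()` in place of the constructed ones.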