Issue on userinfo endpoint at keycloak 20+

I updated Keycloak to 20.0.1 yesterday, and I could not get the userinfo endpoint information.

I did the same thing as on 19.0.3, but I get 403 Forbidden and Docker shows me USER_INFO_REQUEST_ERROR.

Docker message:
2022-11-17 01:36:33,729 WARN [] (executor-thread-0) type=USER_INFO_REQUEST_ERROR, realmId=5e518891-d25d-4cca-8828-f924d6e6c5c3, clientId=null, userId=null, ipAddress=, error=access_denied, auth_method=validate_access_token

At the same time, I do the same things on 19.0.3 and it works.

Anything I missed on this endpoint?

I got the same issue today. Thanks to your message I started looking in the release notes and found a reference to this: UserInfo endpoint not fully standards compliant by dteleguin · Pull Request #14237 · keycloak/keycloak · GitHub
Basically userinfo is now only allowed when you have the openid scope in your token.
You should also see a message in the logs saying it is missing.

So I added it to my client as a default scope and it works fine now.

Hope this helps.


I am a beginner with Keycloak; how can I add this scope to my client?
Many thanks.

I’m a beginner myself. What I did is create the scope in the “client scopes” section


part 2:

And then in the client added it as default scope


@michielvandriessche I was able to get my Grafana community edition 8.5 with generic oauth integration working in keycloak 20 thanks to your explanation. It’s appreciated very much. Thank you!

I added openid in client scopes and assigned it to the clients’ scope.
It works, many thanks!!!

I think it is enough to just add the scope=openid when you request the access token.


I also used it this way

Thank you !
Have the same problem and found your solution! Works perfectly

Adding scope=openid to the request parameters resolved this for me.

With Keycloak 24, I had the same issue; I solved it by adding the client scope “openid”.
But I had to check this option: Include in token scope
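
Added example, not part of any post above and not Keycloak's own code: a quick offline check of whether an access token carries the openid scope that the userinfo endpoint requires since Keycloak 20, plus a helper that adds openid to the scope request parameter. The function names and sample tokens are constructed for illustration, and the check assumes the access token is a JWT with a space-delimited "scope" claim.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def userinfo_allowed(token: str) -> bool:
    """True if the token's space-delimited 'scope' claim contains 'openid'."""
    return "openid" in jwt_claims(token).get("scope", "").split()


def ensure_openid(scope_param: str) -> str:
    """Return a token-request 'scope' value that includes 'openid' exactly once."""
    scopes = scope_param.split()
    return " ".join(scopes if "openid" in scopes else ["openid", *scopes])


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Keycloak token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"


# Constructed sample claims: one token without 'openid', one with it.
WITHOUT_OPENID = make_sample_token({"azp": "demo-client", "scope": "profile email"})
WITH_OPENID = make_sample_token({"azp": "demo-client", "scope": "openid profile email"})

if __name__ == "__main__":
    for name, tok in (("without openid", WITHOUT_OPENID), ("with openid", WITH_OPENID)):
        verdict = "userinfo OK" if userinfo_allowed(tok) else "userinfo will be rejected (403)"
        print(f"{name}: {verdict}")
    print("scope to request:", ensure_openid("profile email"))
```

Decoding without signature verification is only for inspecting your own token while debugging; it is not a substitute for validation on the server side.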