Authenticating with 'client_credentials' throws 400 error 'invalid_scope'
ariestikto opened this issue · 7 comments
Describe the bug
Calling kcAdminClient.auth() with grantType: 'client_credentials' throws 400 error 'invalid_scope'
To Reproduce
Steps to reproduce the behavior:
- run kcAdminClient.auth()
    await kcAdminClient.auth({
      clientSecret: xxx,
      grantType: 'client_credentials',
      clientId: xxx
    });
- It'll throw 400 error with message
    {
      error: 'invalid_scope',
      error_description: 'Invalid scopes: '
    }
Expected behavior
Keycloak should authorise the client. In version 1.13.0 it's working as expected; upgrading to 1.14.2 shows this behaviour.
Environment (please complete the following information):
- OS: Ubuntu 19.04
- Keycloak Version: 10.0.2
- Library Version: 1.14.2
Additional context
Haven't tried username + password authentication
The culprit seems to be this: 977e232#diff-79c8101c1f2ac59b33a8d000f8f14e6182042baf54f79df35d2151d3b4064405R49
They're adding scope empty and that seems to be breaking things.
If I remove the scope param, I get a proper token.
@ariestikto what I did so far to get this working for me and to get unblocked was to add offlineToken: true to my credentials object like so:
And that seemed to do the trick, it includes a proper scope value instead of an empty one
I added a PR in the meantime #100 as an attempt to get this sorted out.
Hi @danazkari, that works, thanks! Well done for spotting the issue, and thanks for the PR as well.
My absolute pleasure, this is a pretty good project and I like contributing whenever I can to open source projects I use daily, this was a very low hanging fruit, hopefully the fix makes sense
Thanks @danazkari. Also, going back to version 1.14.1 would be an option; will make a 1.14.3 asap.
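The empty `scope` parameter discussed in the comments above, as an added example that is not part of the original thread and is not the library's own code: it builds the form body for a token request two ways, one that always sends `scope` and one that omits it when there is nothing to request. The function names, the `scopes` field and the sample credentials are hypothetical, and mapping `offlineToken: true` to the `offline_access` scope is an assumption about how the workaround produces a non-empty value.

```javascript
// Added example: hypothetical helpers, not keycloak-admin-client's implementation.

// Assumption: offlineToken: true requests the offline_access scope.
// `scopes` is a hypothetical optional array of extra scopes; duplicates are dropped.
function resolveScope(credentials) {
  const scopes = new Set(credentials.scopes || []);
  if (credentials.offlineToken) scopes.add('offline_access');
  return [...scopes].join(' ');
}

// Shape the thread points at: `scope` is always sent, even when it is empty.
function buildBodyWithUnconditionalScope(credentials) {
  return new URLSearchParams({
    grant_type: credentials.grantType,
    client_id: credentials.clientId,
    client_secret: credentials.clientSecret,
    scope: resolveScope(credentials),
  }).toString();
}

// Corrected shape: any field that is undefined, null or empty is left out,
// so an unset scope never reaches the token endpoint as "scope=".
function buildTokenRequestBody(credentials) {
  const fields = {
    grant_type: credentials.grantType,
    client_id: credentials.clientId,
    client_secret: credentials.clientSecret,
    username: credentials.username,
    password: credentials.password,
    scope: resolveScope(credentials),
  };
  const body = new URLSearchParams();
  for (const [name, value] of Object.entries(fields)) {
    if (value !== undefined && value !== null && value !== '') {
      body.append(name, String(value));
    }
  }
  return body.toString();
}

// Constructed sample credentials (placeholder values, not from the thread).
const sample = {
  grantType: 'client_credentials',
  clientId: 'example-client',
  clientSecret: 'example-secret',
};

console.log('always sends scope:', buildBodyWithUnconditionalScope(sample));
console.log('omits empty scope :', buildTokenRequestBody(sample));
```

Logging the encoded body in a test or debug build (with the secret redacted) is a quick way to confirm which of the two shapes a client is actually sending.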