Closed
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
Issue description:
- It is possible to add fake-client-scope to a client registration policy with the allowed-client-templates provider.
- The registration of a client with such a scope should be rejected (it is not part of the existing allowed client scopes).
Version
Keycloak 26.2, nightly (from 2025-06-03)
Regression
- The issue is a regression
Expected behavior
Only valid client scopes should be usable when configuring a client-registration policy OR a client policy. At the same time, it would be good to consider dynamic client scopes if they are enabled.
Actual behavior
It is possible to use a fake client scope.
How to Reproduce?
- Create a Keycloak client registration policy with provider "allowed-client-templates".
- It is possible to add as an allowed scope a new scope such as fake-client-scope (which is not part of the realm client scopes) and not available in the Allowed scope drop-down list.
===> Being able to add a dummy scope such as fake-client-scope does represent a bug.
===> The mitigation consists of accepting only existing realm client scopes and discarding any new scope input.
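As an added example (not Keycloak's own code, nor part of this report), the check below audits a realm's client-registration policy components for scope names that do not exist among the realm's client scopes, and produces a sanitized copy that keeps only existing scopes, which is the mitigation described above. It operates offline on constructed sample data shaped like the admin REST API's client-scope and component representations. The config key "allowed-client-scopes" under which the allowed-client-templates provider stores its scope list is an assumption; check it against your realm's component export before relying on it.

```python
"""Audit Keycloak client-registration policies for unknown client scopes.

Added example, not Keycloak project code. Input shapes mimic what the admin
REST API returns for client scopes and for components of type
org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy.
"""
from typing import Dict, List, Tuple

POLICY_TYPE = "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy"
PROVIDER_ID = "allowed-client-templates"
# Assumed config key; multi-valued component config is a list of strings.
SCOPES_KEY = "allowed-client-scopes"

# Constructed sample: the realm's client scopes (only "name" is used here).
REALM_CLIENT_SCOPES: List[Dict] = [
    {"id": "1", "name": "profile", "protocol": "openid-connect"},
    {"id": "2", "name": "email", "protocol": "openid-connect"},
    {"id": "3", "name": "roles", "protocol": "openid-connect"},
]

# Constructed sample: policy components; c1 carries the bogus scope from
# the report, c2 is clean, c3 is a different policy provider to be skipped.
POLICY_COMPONENTS: List[Dict] = [
    {"id": "c1", "name": "Allowed Client Scopes", "providerId": PROVIDER_ID,
     "providerType": POLICY_TYPE, "subType": "anonymous",
     "config": {SCOPES_KEY: ["profile", "fake-client-scope"],
                "allow-default-scopes": ["true"]}},
    {"id": "c2", "name": "Allowed Client Scopes", "providerId": PROVIDER_ID,
     "providerType": POLICY_TYPE, "subType": "authenticated",
     "config": {SCOPES_KEY: ["profile", "email"],
                "allow-default-scopes": ["true"]}},
    {"id": "c3", "name": "Trusted Hosts", "providerId": "trusted-hosts",
     "providerType": POLICY_TYPE, "subType": "anonymous", "config": {}},
]


def known_scope_names(client_scopes: List[Dict]) -> set:
    """Set of scope names that actually exist in the realm."""
    return {s["name"] for s in client_scopes if "name" in s}


def audit_policies(components: List[Dict],
                   client_scopes: List[Dict]) -> List[Tuple[str, str, List[str]]]:
    """Return (component id, subType, unknown scope names) for every
    allowed-client-templates policy that references a non-existent scope."""
    valid = known_scope_names(client_scopes)
    findings = []
    for comp in components:
        if comp.get("providerType") != POLICY_TYPE:
            continue
        if comp.get("providerId") != PROVIDER_ID:
            continue
        configured = comp.get("config", {}).get(SCOPES_KEY, [])
        unknown = [name for name in configured if name not in valid]
        if unknown:
            findings.append((comp["id"], comp.get("subType", ""), unknown))
    return findings


def sanitize_policy(component: Dict, client_scopes: List[Dict]) -> Dict:
    """Return a copy of the component whose scope list keeps only scopes that
    exist in the realm; the original representation is left untouched so the
    caller can diff before writing it back."""
    valid = known_scope_names(client_scopes)
    fixed = {**component, "config": {**component.get("config", {})}}
    fixed["config"][SCOPES_KEY] = [
        n for n in fixed["config"].get(SCOPES_KEY, []) if n in valid
    ]
    return fixed


if __name__ == "__main__":
    for comp_id, sub_type, unknown in audit_policies(POLICY_COMPONENTS, REALM_CLIENT_SCOPES):
        print(f"policy {comp_id} ({sub_type}) allows unknown scopes: {unknown}")
```

In practice the two input lists would be fetched with the admin REST API (the client-scopes endpoint and the components endpoint filtered by the policy type above), and the sanitized copy written back with the components update endpoint only after reviewing the diff.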
Anything else?
No response