keycloak · mposolda · Jun 5, 2025 · Jun 4, 2025
@@ -8,16 +8,16 @@ Each OIDC client has a built-in _service account_. Use this _service account_ to
 .Prerequisites
 
 .Procedure
-. Click *Clients* in the menu.  
+. Click *Clients* in the menu.
 . Select your client.
 . Click the *Settings* tab.
 . Toggle <<_access-type, Client authentication>> to *On*.
-. Select *Service accounts roles*.
+. Select *Service accounts roles* checkbox to make sure it is enabled.
 . Click *Save*.
 . Configure your <<_client-credentials, client credentials>>.
-. Click the *Scope* tab.
-. Verify that you have roles or toggle *Full Scope Allowed* to *ON*.
-. Click the *Service Account Roles* tab
+. Click the *Client Scopes* tab, select the dedicated client scope (usually first client scope in the list, more details <<_client_scopes_dedicated,in this section>>) and select *Scope* tab of the client scope.
+. Verify that you have roles or toggle *Full Scope Allowed* to *ON*. Note that this switch is useful only for the development purposes and in the production, it is recommended to disable this switch and properly configure role scopes. The details about this switch are described in <<_role_scope_mappings, this section>> and in <<_oidc_token_role_mappings,this section>>.
+. Click the *Service Account Roles* tab of your client
 . Configure the roles available to this service account for your client.
 
 Roles from access tokens are the intersection of:
@@ -43,6 +43,16 @@ For example, the POST invocation to retrieve a service account can look like thi
    grant_type=client_credentials
 ----
 
+Note that the value of `cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=` used in the `Authorization` header is Base64 encoded value of clientId and clientSecret
+in the format prescribed by the `Authorization: Basic` header. In this example, the client ID is `product-sa-client` and the client secret was `password` and hence the value was obtained for example
+by this command in the Unix platform:
+[source,bash]
+----
+echo 'product-sa-client:password' | base64
+----
+Instead of using the header `Authorization: Basic`, it is also possible to send the credentials as parameters `client_id` and `client_secret` of the POST request. For other client credentials methods,
+the format of the parameters would be different as described above.
+
 The response would be similar to this https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3[Access Token Response] from the OAuth 2.0 specification.
 
 [source]
@@ -54,9 +64,10 @@ Cache-Control: no-store
 Pragma: no-cache
 
 {
-    "access_token":"2YotnFZFEjr1zCsicMWpAA",
-    "token_type":"bearer",
-    "expires_in":60
+    "access_token":"eyJhbGciOiJSUzI1NiIs...",
+    "token_type":"Bearer",
+    "expires_in":60,
+    "scope": "email profile"
 }
 ----