Default/OptionalClientScope support in keycloak operator

[Clément Martin]

Hi there,

Is it a known limitation of the keycloak operator that we cannot assign default or optional client scopes from the KeycloakClient object?

These fields are part of the CRD however they are simply ignored.

It seems while reconciling the KeycloakClient we never call the PUT /realms/{realm}/client/{client}/default-client-scopes/{clientScope} (resp. optional-client-scopes) which is the only way to assign default client scopes to a client.

Thanks,

Clement

[Ievgen Mykolenko]

Hi Clement,

thanks a lot for fixing it in the https://github.com/keycloak/keycloak-operator/pull/343

Cheers,
Ievgen

[Ievgen Mykolenko]

I have noticed strange behaviour though, after default client scopes are being explicitly deleted they are restored back after a while.
Did you notice same?

[Clément Martin]

Hi,

Nope I did not face the same behavior. 

I'll have a quick look in case I figure out an obvious cause.

[Ievgen Mykolenko]

Hi,

thanks for the answer!

I have figures out why this is happens and filed an issue: https://issues.redhat.com/browse/KEYCLOAK-18285
In the KC versions 13.0.0 and 13.0.1 (current latest) when client is saved assigned/optional default client scopes are reset to realms settings.

Since operator periodically syncs clients the state of assigned/optional default client scopes are reset and then later operator figures out that unwanted scopes are present and deletes those. And this seems to be in a cycle.

Best regards,
Ievgen