diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml
index 48b381a..a7de674 100644
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -470,9 +470,8 @@ extraDeploy:
 publicClient: false,
 redirectUris: .redirectUris,
 webOrigins: .webOrigins,
- defaultClientScopes: .defaultClientScopes,
 protocolMappers: (.protocolMappers // [])
- }')
+ } + if .defaultClientScopes then {defaultClientScopes: .defaultClientScopes} else {} end')
 
 # Check if client already exists
 EXISTING=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
@@ -510,6 +509,32 @@ extraDeploy:
 | jq -r '.[0].id')
 fi
 
+ # Assign default client scopes (KC REST API ignores defaultClientScopes in POST/PUT body)
+ REQUESTED_SCOPES=$(echo "$CLIENT_JSON" | jq -r '.defaultClientScopes // [] | .[]' 2>/dev/null)
+ if [ -n "$REQUESTED_SCOPES" ]; then
+ # Fetch all realm client scopes once
+ ALL_SCOPES=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+ "${KEYCLOAK_URL}/admin/realms/${REALM}/client-scopes")
+
+ echo "$REQUESTED_SCOPES" | while read -r SCOPE_NAME; do
+ [ -z "$SCOPE_NAME" ] && continue
+ SCOPE_ID=$(echo "$ALL_SCOPES" | jq -r --arg name "$SCOPE_NAME" '.[] | select(.name == $name) | .id // empty')
+ if [ -z "$SCOPE_ID" ]; then
+ echo " WARNING: Scope '${SCOPE_NAME}' not found in realm, skipping"
+ continue
+ fi
+ SC_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+ -H "Authorization: Bearer ${TOKEN}" \
+ -X PUT \
+ "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${CLIENT_UUID}/default-client-scopes/${SCOPE_ID}")
+ if [ "$SC_CODE" = "204" ] || [ "$SC_CODE" = "200" ]; then
+ echo " Assigned scope '${SCOPE_NAME}'"
+ else
+ echo " WARNING: Failed to assign scope '${SCOPE_NAME}' (HTTP ${SC_CODE})"
+ fi
+ done
+ fi
+
 # Sync credentials to target namespace
 sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$CRED_NS" "$CRED_NAME" "$CRED_ID_KEY" "$CRED_SECRET_KEY"
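Review bot: The conditional `} + if .defaultClientScopes then {defaultClientScopes: .defaultClientScopes} else {} end` still puts `defaultClientScopes` into the create/update payload, while the second hunk's own comment states that the Keycloak REST API ignores that field in POST/PUT bodies; if that is accurate, the field could be dropped from the body entirely and the jq expression kept to the fields Keycloak honours, with a comment such as `# defaultClientScopes is applied via the default-client-scopes endpoint below` pointing at the assignment loop. Note that in jq an empty array is truthy, so `defaultClientScopes: []` is still sent and only `null`, `false` or an absent key is skipped. The `jq` invocation this expression belongs to starts outside the hunk.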
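Review bot: Every failure path in the new scope-assignment block is a WARNING the script walks past, and the fetch into `ALL_SCOPES` has no status check at all, so an expired token or a transient error on the `client-scopes` call makes every requested scope look "not found" and the client is still provisioned and handed to `sync_credentials` without the scopes its config declares. Default client scopes decide which claims and roles end up in the client's tokens, so a silently missing scope is a security-relevant misconfiguration rather than a cosmetic one. Because the loop runs in the subshell of `echo "$REQUESTED_SCOPES" | while ...`, a failure flag set inside it would be lost; feeding the loop from a here-string (or a POSIX here-document if the script must stay `sh`) lets the block report failure to the enclosing per-client logic, whose start and end lie outside this hunk. For the same reason `2>/dev/null` on the `REQUESTED_SCOPES` jq call is worth dropping, since it currently turns malformed `CLIENT_JSON` into "no scopes requested". The loop is also add-only — scopes removed from the declared list stay assigned on the client — which may be intended but deserves a comment if so.
```shell
# Fetch all realm client scopes once; a failed fetch must not be mistaken for "scope not found"
ALL_SCOPES=$(curl -sS --fail -H "Authorization: Bearer ${TOKEN}" \
  "${KEYCLOAK_URL}/admin/realms/${REALM}/client-scopes") || {
  echo " ERROR: Could not list client scopes for realm '${REALM}'" >&2
  exit 1  # or however the enclosing per-client logic reports a failed client
}

SCOPE_FAILED=0
# here-string instead of a pipe so SCOPE_FAILED set inside the loop survives it
while read -r SCOPE_NAME; do
  [ -z "$SCOPE_NAME" ] && continue
  # … unchanged: SCOPE_ID lookup via jq …
  if [ -z "$SCOPE_ID" ]; then
    echo " ERROR: Scope '${SCOPE_NAME}' not found in realm" >&2
    SCOPE_FAILED=1
    continue
  fi
  # … unchanged: PUT to default-client-scopes/${SCOPE_ID} into SC_CODE …
  if [ "$SC_CODE" = "204" ] || [ "$SC_CODE" = "200" ]; then
    echo " Assigned scope '${SCOPE_NAME}'"
  else
    echo " ERROR: Failed to assign scope '${SCOPE_NAME}' (HTTP ${SC_CODE})" >&2
    SCOPE_FAILED=1
  fi
done <<< "$REQUESTED_SCOPES"
[ "$SCOPE_FAILED" -eq 0 ] || exit 1
```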