-
Notifications
You must be signed in to change notification settings - Fork 325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
keycloak_openid_client_optional_scopes does not remove scopes on first apply #498
Comments
I wonder if the KC API returns a representation of the object that was just created? If yes, then perhaps a general solution that would work for multiple resource types would be to have some central logic to test if the returned resource equals the requested resource, and auto-apply that resource a second time if it appears the server added/customized the creation request based on server-side defaults. It's a fairly common problem with REST APIs that they expand a POST request and you need a followup PUT/PATCH to get what you actually requested. |
This was a deliberate decision I made back when creating these resources. At the time, it felt weird to me that a "create" for a resource could result in a potentially destructive action (a client scope being removed from the list). However, I think I've changed my mind on this, and I agree that it would be better (and more CI friendly) for this resource to fully reconcile on both create and update. We already do this for the If someone is interested in contributing this change, I'd be happy to review and merge a PR for it. I think it is a relatively simple change - we'd want to remove the create function for this resource, rename the update function to something like Otherwise, I can try to fix this when I have some spare time. |
Hello @mrparkers. |
Closed via #594 |
The keycloak_openid_client_optional_scopes resource does not apply the list exactly as described on the first run of a new environment. It does add the elements listed, but does not remove the not listed default entries. This makes it so that following example requires two applies (of which one a failed one) to actually get the wanted situation: move the offline_access scope from the optional to the default scope.
The text was updated successfully, but these errors were encountered: