From fb2bbe3452d023251db2736638a08d66e3c4ab4f Mon Sep 17 00:00:00 2001 From: InvictusMB Date: Thu, 29 Jan 2026 19:57:18 +0200 Subject: [PATCH] Keycloak requires "offline_access" scope as well, unless it is forced by client or realm settings --- Enabling-SSO-support-using-OpenId-Connect.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Enabling-SSO-support-using-OpenId-Connect.md b/Enabling-SSO-support-using-OpenId-Connect.md index 65f50e5..2a651b8 100644 --- a/Enabling-SSO-support-using-OpenId-Connect.md +++ b/Enabling-SSO-support-using-OpenId-Connect.md @@ -101,12 +101,15 @@ At the realm level Or for a specific client in `Clients / Client details / Advanced / Advanced settings` you can find `Access Token Lifespan` and `Client Session Idle/Max`. -Server configuration, nothing specific just set: +Server configuration: - `SSO_AUTHORITY=https://${keycloak_domain}/realms/${realm_name}` +- `SSO_SCOPES="email profile offline_access"` - `SSO_CLIENT_ID` - `SSO_CLIENT_SECRET` +**_NOTE:_** `offline_access` scope can be assigned by default at the client level in `Clients / Client details / Client scopes` or at the realm level in `Realm settings / Client scopes`, otherwise it must be requested explicitly via `SSO_SCOPES` in order for refresh tokens to work. + ### Testing If you want to run a testing instance of Keycloak the Playwright [docker-compose](https://github.com/dani-garcia/vaultwarden/blob/main/playwright/docker-compose.yml) can be used.
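Review bot: the new `SSO_SCOPES="email profile offline_access"` line omits `openid`; unless Vaultwarden prepends it itself, the request is not an OpenID Connect request and no ID token is issued, so the line (or the note below it) should state whether `openid` is added implicitly or must be listed too. In the added NOTE, "can be assigned by default at the client level" is imprecise: Keycloak ships `offline_access` as an Optional client scope, which is only included when requested; it is sent automatically only when an admin moves it to the Default scopes in `Clients / Client details / Client scopes` or `Realm settings / Client scopes`, so "configured as a Default (not Optional) client scope" would say exactly when `SSO_SCOPES` can leave it out. Since the unchanged context just above points readers to `Client Session Idle/Max` for token lifetimes, it is also worth adding that a refresh token obtained via `offline_access` is an offline token whose lifetime is governed by the realm's offline-session settings rather than by those client session values.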