OIDC Client registration issue with Initial Access Token issued via a Service Account

[lbroudoux]

Hi there,

I've got a strange behavior regarding the dynamic registration of an OIDC client using Initial Access Token on Keycloak 26.3.0.

When accessing the Keycloak console as admin and managing my acme stream, I can create an Initial Access Token and then register a new Client using the following curl command:

curl -X POST http://localhost:8888/realms/acme/clients-registrations/openid-connect -H 'Authorization: Bearer <IAT>' -H 'Content-type: application/json' -d '{"redirect_uris": ["http://localhost:8888/*", "http://host.docker.internal:8888/*"], "client_name": "My Example Client", "token_endpoint_auth_method": "none", "logo_uri": "https://client.example.org/logo.png", "jwks_uri": "https://client.example.org/my_public_keys.jwks"}' -v

Everything works fine! 🎉

Now I'm trying to do the same thing, in an automated way using a Service Account. To be sure to not face privilege issue, I've assigned the realm-management realm-admin role to this service (I can restrict this later on).

Using this service account, I can retrieve an access token using:

curl -X POST http://localhost:8888/realms/acme/protocol/openid-connect/token -H 'Authorization: Basic <USERNAME:PASSWORD IN BASE64>' -H 'Accept: application/json' -d 'grant_type=client_credentials' -v

I can then create an Initial Access Token using:

curl -X POST http://localhost:8888/admin/realms/acme/clients-initial-access -H 'Authorization: Bearer <ACCESS_TOKEN>' -H 'Content-type: application/json' -d '{"expiration": 2, "count": 2}' -v

But when I'm registering a client using the same curl command as the one used with IAT delivered with the console, I now have:

{"error":"invalid_token","error_description":"Failed decode token"}

On the server side, I can only see this line in the logs:

keycloak-idp-1  | 2025-08-26 15:53:19,742 WARN  [org.keycloak.events] (executor-thread-7) type="CLIENT_REGISTER_ERROR", realmId="acme", realmName="acme", clientId="null", userId="null", ipAddress="192.168.65.1", error="invalid_token", reason="Failed decode token"

I've inspected the IAT (provided by the console and the service account) in tools like jwt.io but cannot see any differences on the headers and payload parts...

I've also turned DEBUG log level on the server side but cannot see any relevant logs (just a lot of ORM related traces).

Can someone please help and provide some guidance on how to further troubleshoot this?

[lbroudoux]

Just found my problem 😅

When creating the IAT via the UI, expiration is set in days. When using the API, expiration should be set to seconds! The issued IAT was immediately invalid ...

Changing to

curl -X POST http://localhost:8888/admin/realms/acme/clients-initial-access -H 'Authorization: Bearer <ACCESS_TOKEN>' -H 'Content-type: application/json' -d '{"expiration": 86400, "count": 2}' -v

saved my day ;-)