[keycloak-user] Role based Policy, User token forbidden from entitlement API

Sven Thoms sven.thoms at gmail.com
Fri Mar 24 12:46:19 EDT 2017


I have users in my realm that I have assigned realm roles to:

realm roles: Master, Apprentice

one such user is

test_user
roles: uma_authorization, Apprentice

When I enable authorization on a client and
1. add a resource besides the default resource to it, say "Second Resource"
2. under Policies - Roles a role-based policy referencing the realm role
Apprentice that my user belongs to

Using the test user’s access_token gotten from the realm token endpoint:

curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=admin-cli&username=test_user&password=password&grant_type=password" \
https://mykeycloak.domain/auth/realms/myrealm/protocol/openid-connect/token

and checking the entitlement API response for the client’s id and using the
bearer access token of the user as well as the payload for the Second
Resource, I always get status code forbidden

curl -v -X POST \
-H "Content-Type: application/json" \
-H 'Authorization: bearer userbearerrertoken' \
-d '{"permissions":[{"resource_set_name":"Second Resource"}]}' \
https://mykeycloak.domain/auth/realms/myrealm/authz/entitlement/my_client_id

For the Default Resource, all is fine and I get back an RPT.

Am I missing something regarding the user’s needed roles? According to the
documentation, the role-level permission for the Second Resource should
lead to the user being authorized to access the second resource if any
realm role in a role-based permission for a resource holds.

I am using keycloak 2.5.1.
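An added debugging helper, not part of the original post or of Keycloak itself: before blaming the policy, decode the user's access token (without verifying it, purely for inspection) and confirm that the realm role the role-based policy references actually appears in `realm_access.roles`, then build a well-formed entitlement request body and inspect which resources the returned RPT grants. The token and RPT below are constructed, unsigned samples; the `authorization.permissions` / `resource_set_name` layout of the RPT is assumed from the Keycloak 2.x authorization services of that era.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg=none) for offline tests."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."  # empty signature segment


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT checking its signature.

    This is only for looking at what a token carries while debugging;
    never base an authorization decision on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_roles(claims: dict) -> set:
    """Realm roles as Keycloak places them in the access token."""
    return set(claims.get("realm_access", {}).get("roles", []))


def missing_roles(claims: dict, required) -> set:
    """Roles a role-based policy requires that the token does not carry."""
    return set(required) - realm_roles(claims)


def entitlement_payload(resource_name: str) -> str:
    """Well-formed JSON body for the entitlement endpoint (note the quoted key)."""
    return json.dumps({"permissions": [{"resource_set_name": resource_name}]})


def granted_resources(rpt_claims: dict) -> set:
    """Resource names granted in an RPT (assumed authorization.permissions layout)."""
    perms = rpt_claims.get("authorization", {}).get("permissions", [])
    return {p.get("resource_set_name") for p in perms}


# Constructed sample access token, mirroring the roles described in the post.
SAMPLE_ACCESS_TOKEN = make_unsigned_token({
    "preferred_username": "test_user",
    "realm_access": {"roles": ["uma_authorization", "Apprentice"]},
})

# Constructed sample RPT in which only the default resource was granted.
SAMPLE_RPT = make_unsigned_token({
    "authorization": {"permissions": [
        {"resource_set_name": "Default Resource", "scopes": []},
    ]},
})


if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_ACCESS_TOKEN)
    print("realm roles in token:", sorted(realm_roles(claims)))
    print("missing for policy:", missing_roles(claims, ["Apprentice"]))
    print("request body:", entitlement_payload("Second Resource"))
    print("granted by RPT:", granted_resources(decode_jwt_payload(SAMPLE_RPT)))
```

If `missing_roles` is empty for the policy's role and the RPT still omits the resource, the token contents are not the problem and the permission wiring (resource to policy association, decision strategy) is the next thing to check on the server side.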
