[keycloak-user] Getting Permissions from RPT

Chandran Soundrapandian soundrachan at gmail.com
Sun Jan 28 01:12:14 EST 2018


Hi,

I am evaluating Keycloak and trying out the following scenario:

The system has a resource
1. "Contact"

and two client roles
1. Admin
2. Trainee

The "Admin role" can create, view, edit and delete the "contact resource"
The "Trainee Role" can create and view "contact resource"

I followed these steps to set up the resource server:

1. Created a resource "Contact"
2. Created scopes "create, view, edit and delete"
3. Created a role-based policy with the Admin role - "Contact Admin Policy"
4. Created a role-based policy with the Trainee role - "Contact Trainee Policy"
5. Created a scope-based permission "Contact Admin Permission" with all the
scopes (Create, View, Edit, Delete) and associated it with the "Contact Admin
Policy"
6. Created a scope-based permission "Contact Trainee Permission" with the create
and view scopes and associated it with the "Contact Trainee Policy"

After this setup, I am using the following Authz client code to try to display
the permissions associated with the user:

// Keycloak 3.x authz client classes (imports added so the snippet compiles as-is)
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.EntitlementResponse;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.representations.idm.authorization.Permission;

// Reads realm, auth-server-url and the client credentials from keycloak.json on the classpath
AuthzClient authzClient = AuthzClient.create();

// Log in as the test user (an Admin or a Trainee) with the resource owner password grant
String accessToken = authzClient.obtainAccessToken("UserName",
        "UserPassword").getToken();

// Ask the entitlement API for every permission this user holds on the client
EntitlementResponse response =
        authzClient.entitlement(accessToken).getAll("Client ID");
String rpt = response.getRpt();

// Introspect the RPT at the server to read back the permissions it carries
TokenIntrospectionResponse requestingPartyToken =
        authzClient.protection().introspectRequestingPartyToken(rpt);

System.out.println("Token status is: " + requestingPartyToken.getActive());
System.out.println("Permissions granted by the server: ");

for (Permission granted : requestingPartyToken.getPermissions()) {
    System.out.println(granted);
}

For admin I get:

Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact,
scopes=[Contact:Edit, Contact:Delete]}

whereas the expected is:

Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact,
scopes=[Contact:Create, Contact:View, Contact:Edit, Contact:Delete]}



For Trainee I get
- Nothing

whereas the expected is:

Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact,
scopes=[Contact:Create, Contact:View]}

Would you please let me know what I am doing wrong or how to setup
resource server to get the expected output.

Thanks
-Chandran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ContactTest-authz-config.json
Type: application/json
Size: 2585 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180128/f003c57a/attachment-0001.bin 
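The following is an added example and is not the poster's code or Keycloak's own client API. It inspects an RPT offline, as a debugging aid for the situation in the post: it base64url-decodes the JWT payload, collects the scopes granted per resource from the authorization claim, and diffs them against the scopes each client role is supposed to have. The claim layout (authorization.permissions[] entries with resource_set_name and scopes, or rsname in later versions) is an assumption about the RPT format; the two tokens are constructed by hand to reproduce the Admin and Trainee results reported above, and the expected scope sets are taken from the post. The decoder does not verify the signature, so it is for inspection only, never for an authorization decision.

```python
"""Decode a Keycloak RPT and diff its granted scopes against the scopes a role
should have. Added example; the RPT claim layout is an assumption and the
tokens below are constructed, unsigned samples."""
import base64
import json

# Expected scopes per client role, as described in the post.
EXPECTED = {
    "Admin": {"Contact": {"Contact:Create", "Contact:View",
                          "Contact:Edit", "Contact:Delete"}},
    "Trainee": {"Contact": {"Contact:Create", "Contact:View"}},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def rpt_permissions(rpt: str) -> dict:
    """Return {resource_name: set(scopes)} read from the RPT's authorization claim.
    Parses the payload only; the signature is NOT verified, so use this for
    debugging, never to make an access decision."""
    parts = rpt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    granted = {}
    for perm in payload.get("authorization", {}).get("permissions", []):
        # Keycloak 3.x uses resource_set_name; later releases use rsname (assumption).
        name = perm.get("resource_set_name") or perm.get("rsname")
        granted.setdefault(name, set()).update(perm.get("scopes", []))
    return granted


def missing_scopes(role: str, rpt: str) -> dict:
    """{resource: set(scopes the RPT lacks)} for the role; {} means it matches."""
    granted = rpt_permissions(rpt)
    missing = {}
    for resource, expected in EXPECTED[role].items():
        diff = expected - granted.get(resource, set())
        if diff:
            missing[resource] = diff
    return missing


def make_unsigned_rpt(permissions: list) -> str:
    """Build a constructed, unsigned (alg 'none') RPT for offline testing only."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"authorization": {"permissions": permissions}}

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}."


# Constructed RPT reproducing the Admin result reported in the post.
ADMIN_RPT = make_unsigned_rpt([{
    "resource_set_id": "778e76d4-dc06-4e98-a213-fd7f22975ab7",
    "resource_set_name": "Contact",
    "scopes": ["Contact:Edit", "Contact:Delete"],
}])
# Constructed RPT carrying no permissions, as reported for Trainee.
TRAINEE_RPT = make_unsigned_rpt([])

if __name__ == "__main__":
    for role, rpt in (("Admin", ADMIN_RPT), ("Trainee", TRAINEE_RPT)):
        print(role, "granted:", rpt_permissions(rpt))
        print(role, "missing:", missing_scopes(role, rpt))
```

Against a real token, pass the string returned by response.getRpt() to rpt_permissions() and missing_scopes(); a non-empty result from missing_scopes() shows exactly which scopes the server left out of the grant, which is the information to take back to the permission and policy definitions.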

