[keycloak-user] RPT endpoint responds unexpectedly for resources created with an explicit _id

Geoffrey Cleaves geoff at opticks.io
Tue Nov 6 07:13:03 EST 2018

The token endpoint sends an unexpected response while using grant_type
urn:ietf:params:oauth:grant-type:uma-ticket and a ticket with permissions
to a resource created via the resource UMA endpoint that has an explicit

When access is denied, the endpoint sends an HTTP 400 with invalid_resource /
"Resource with id [resource2] does not exist." instead of sending 403. The
same test, but using a resource which has the Keycloak-assigned _id, returns
403 as expected.

I believe the key point here is that the resource has been created using
the resource_set endpoint and had the _id set explicitly instead of letting
Keycloak assign the id.

Could the issue be related to the fact that my Keycloak Docker install began
as 4.3.0.Final with the database being Postgres, and then I upgraded
Keycloak to 4.5.0.Final by downloading the latest Docker image? Could any
DB migrations have been missed which could cause this issue?

To reproduce the issue, try the following: create resources rA and rB via
the resource_set endpoint. When creating rB, include an explicit _id. Then,
using an auth_token which does not have access to rB, try getting an RPT
which includes permissions to rB. The token endpoint will respond with 400
resource_not_found. But in fact the resource exists.

I have opened a Jira ticket: https://issues.jboss.org/browse/KEYCLOAK-8729
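The reproduction steps described in the post, written up as a small test harness. This is an added example, not the poster's code or anything from the Keycloak project: the base URL, realm, client id, PAT and user token are placeholders to be filled in, the resource names rA / rB and the explicit id "resource2" follow the report, and the endpoint paths are the standard Keycloak 4.x UMA protection and token endpoints. The request-building and response-classification helpers carry no network dependency, so they can be checked offline; only `reproduce()` talks to a server.

```python
"""Harness for the RPT-denial report above (added example, not the
original poster's code). Fill in the placeholders, then run the module
to see whether a denied request on an explicit-_id resource comes back
as 403 (expected) or as 400 invalid_resource / resource_not_found
(the behaviour reported)."""
import json
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "http://localhost:8080/auth"     # placeholder
REALM = "myrealm"                                  # placeholder
RESOURCE_SERVER_CLIENT_ID = "my-resource-server"   # placeholder
PROTECTION_API_TOKEN = "<PAT of the resource server>"   # placeholder
USER_ACCESS_TOKEN = "<token of a user WITHOUT access to rB>"  # placeholder

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# Error codes quoted in the report; Keycloak answers a plain denial with 403.
UNEXPECTED_DENIAL_ERRORS = ("invalid_resource", "resource_not_found")


def resource_set_url(base=KEYCLOAK_BASE, realm=REALM):
    """UMA protection API endpoint used to register resources."""
    return f"{base}/realms/{realm}/authz/protection/resource_set"


def token_url(base=KEYCLOAK_BASE, realm=REALM):
    """Token endpoint that issues RPTs for the uma-ticket grant."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def resource_payload(name, explicit_id=None):
    """Body for resource_set. rA lets Keycloak assign the id; rB sets _id."""
    body = {"name": name, "type": "urn:example:resource", "scopes": ["view"]}
    if explicit_id is not None:
        body["_id"] = explicit_id
    return body


def rpt_request_body(resource, audience=RESOURCE_SERVER_CLIENT_ID):
    """Form-encoded body asking for an RPT with permission on one resource."""
    return urllib.parse.urlencode({
        "grant_type": UMA_TICKET_GRANT,
        "audience": audience,
        "permission": resource,
    })


def classify_rpt_response(status, body):
    """Turn the token endpoint's answer into a verdict for the test."""
    if 200 <= status < 300 and "access_token" in body:
        return "granted"
    if status == 403:
        return "denied_as_expected"
    if status == 400 and body.get("error") in UNEXPECTED_DENIAL_ERRORS:
        return "unexpected_invalid_resource"
    return f"other:{status}"


def _post(url, data, bearer, content_type):
    """Send one request; return (status, parsed JSON body) even on 4xx."""
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Authorization", f"Bearer {bearer}")
    req.add_header("Content-Type", content_type)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def create_resource(name, explicit_id=None):
    data = json.dumps(resource_payload(name, explicit_id)).encode()
    return _post(resource_set_url(), data, PROTECTION_API_TOKEN, "application/json")


def request_rpt(resource):
    data = rpt_request_body(resource).encode()
    return _post(token_url(), data, USER_ACCESS_TOKEN,
                 "application/x-www-form-urlencoded")


def reproduce():
    """Run the steps from the report and report the verdict per resource."""
    create_resource("rA")                      # Keycloak-assigned id
    create_resource("rB", explicit_id="resource2")  # explicit _id from the report
    results = {}
    for resource in ("rA", "resource2"):
        status, body = request_rpt(resource)
        results[resource] = classify_rpt_response(status, body)
    return results


if __name__ == "__main__":
    print(reproduce())  # expected on a correct server: both 'denied_as_expected'
```

If the bug is present, the dictionary printed for `resource2` reads `unexpected_invalid_resource` while `rA` reads `denied_as_expected`, which is exactly the asymmetry the report describes. The classifier deliberately treats a 403 as the only acceptable denial so that a server that leaks "resource does not exist" for an existing resource fails the check.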
