[keycloak-user] /authz/protection/permission/ticket usage?

Ulrik Sjölin ulrik.sjolin at gmail.com
Fri Nov 9 04:15:07 EST 2018


Hello,

I have a question on how to use the API: /authz/protection/permission/ticket

I can call the endpoint successfully if I do the call with only ids:

curl --silent -X POST \
  "http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket" \
  -H "Authorization: Bearer ${service_access_token}" \
  -H "Content-Type: application/json" \
  -d "{
        \"resource\":\"${resource_id}\",
        \"scope\":\"40065a35-02d5-4db9-be46-02566cf7a666\",
        \"requester\":\"79ae9a5a-0304-41ec-b721-d57a09d419cb\",
        \"granted\":\"true\"
    }"

It would however be a lot more workable for me if I could use names like:

curl --silent -X POST \
  "http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket" \
  -H "Authorization: Bearer ${service_access_token}" \
  -H "Content-Type: application/json" \
  -d "{
        \"resource\":\"${resource_id}\",
        \"scope\":\"Read\",
        \"requester\":\"alice\",
        \"granted\":\"true\"
    }"

But when I do this I get:

{"error":"invalid_scope","error_description":"Scope [Read] is invalid"}
{"error":"invalid_permission","error_description":"Requester does not exists in this server as user."}

Looking at the code there seem to be lookups from names to ids, but for some reason they fail. What am I doing wrong? Any help is greatly appreciated.

Best Regards,

Ulrik Sjölin
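The ticket call with ids is the variant the post reports as working, so one practical approach is to resolve the names to ids in the client before building the body. The following Python is an added example, not code from the post or from Keycloak itself. It assumes two lookup endpoints that exist in Keycloak's REST API at the time of the post but are not on this page: the Protection API resource listing `GET /realms/{realm}/authz/protection/resource_set?name=...&deep=true` (called with the same service access token as the ticket endpoint; `name` is a substring filter, so the code matches the exact name itself) and the Admin API `GET /admin/realms/{realm}/users?username=...` (which needs an admin token). The HTTP calls are injected as callables so the example runs offline against constructed responses; the base URL, realm, resource name and user data below are all made up.

```python
"""Resolve resource, scope and user names to Keycloak ids before creating a
UMA permission ticket via /authz/protection/permission/ticket.

Added example (not from the original post). The two lookup endpoints are
assumed from Keycloak's Protection and Admin REST APIs; verify them against
the Keycloak version in use.
"""
import json
from typing import Any, Callable, Dict, List

# http_get(url) -> parsed JSON (list or dict). Injected so the lookups can run
# offline; in real use wrap e.g. requests.get(url, headers=...).json() and put
# the service access token (protection) or an admin token (admin) in headers.
HttpGet = Callable[[str], Any]


def find_resource(protection_get: HttpGet, base: str, realm: str, name: str) -> Dict[str, Any]:
    """Return the single resource representation whose name matches exactly.

    Assumed endpoint: GET {base}/realms/{realm}/authz/protection/resource_set
    with name=<substring>&deep=true, returning full representations
    (id under "_id", scopes as [{"id": ..., "name": ...}]).
    """
    url = f"{base}/realms/{realm}/authz/protection/resource_set?name={name}&deep=true"
    matches = [r for r in protection_get(url) if r.get("name") == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one resource named {name!r}, found {len(matches)}")
    return matches[0]


def scope_id(resource: Dict[str, Any], scope_name: str) -> str:
    """Pick the scope id for scope_name from the resource's own scope list."""
    for scope in resource.get("scopes", []):
        if scope.get("name") == scope_name:
            return scope["id"]
    raise LookupError(f"scope {scope_name!r} is not associated with resource {resource.get('name')!r}")


def find_user_id(admin_get: HttpGet, base: str, realm: str, username: str) -> str:
    """Assumed endpoint: GET {base}/admin/realms/{realm}/users?username=<substring>.

    The filter is a substring match, so the exact username is checked here to
    avoid granting a ticket to a different requester by accident.
    """
    url = f"{base}/admin/realms/{realm}/users?username={username}"
    matches = [u for u in admin_get(url) if u.get("username") == username]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user named {username!r}, found {len(matches)}")
    return matches[0]["id"]


def build_ticket_body(protection_get: HttpGet, admin_get: HttpGet, base: str, realm: str,
                      resource_name: str, scope_name: str, username: str,
                      granted: bool = True) -> Dict[str, Any]:
    """Build the JSON body for POST .../authz/protection/permission/ticket using ids."""
    resource = find_resource(protection_get, base, realm, resource_name)
    resource_id = resource.get("_id") or resource.get("id")
    if not resource_id:
        raise LookupError(f"resource {resource_name!r} has no id in its representation")
    return {
        "resource": resource_id,
        "scope": scope_id(resource, scope_name),
        "requester": find_user_id(admin_get, base, realm, username),
        "granted": granted,
    }


# --- constructed sample responses (not real Keycloak data) -------------------
SAMPLE_RESOURCES: List[Dict[str, Any]] = [
    {"_id": "res-1111", "name": "Document", "scopes": [{"id": "scope-2222", "name": "Read"}]},
    {"_id": "res-3333", "name": "Document Archive", "scopes": []},  # substring match, must be skipped
]
SAMPLE_USERS: List[Dict[str, Any]] = [
    {"id": "user-4444", "username": "alice"},
    {"id": "user-5555", "username": "alice2"},  # substring match, must be skipped
]


def sample_protection_get(url: str) -> Any:
    assert "/authz/protection/resource_set" in url
    return SAMPLE_RESOURCES


def sample_admin_get(url: str) -> Any:
    assert "/admin/realms/" in url and "/users" in url
    return SAMPLE_USERS


if __name__ == "__main__":
    body = build_ticket_body(sample_protection_get, sample_admin_get,
                             "http://keycloak.example:8080/auth", "demo",
                             "Document", "Read", "alice")
    # This is the JSON that the working id-based curl call from the post expects.
    print(json.dumps(body, indent=2))
```

In real use, `protection_get` sends the service access token and `admin_get` an admin token; the resulting dict is what goes into `-d` of the id-based curl call shown above. Both lookups insist on exactly one exact-name match so that a substring hit such as a second user whose name merely starts with the requested one cannot silently become the ticket's requester.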
