[keycloak-user] Querying permissions of the Policy API always empty

Geoffrey Cleaves geoff at opticks.io
Sun Nov 18 09:51:14 EST 2018


I now see that I do get a list of *UMA permissions* when using the Resource
Owner Password Credentials Grant Type. I had wrongly expected to see the
permissions I had created as admin via the Admin Console.

Shouldn't it be possible for the resource server's service account to view
and create UMA permissions without needing to know the end users'
credentials for the Resource Owner Password Credentials Grant Type? Or
perhaps that is the whole point of UMA...

On Sun, 18 Nov 2018 at 12:27, Geoffrey Cleaves <geoff at opticks.io> wrote:

> Hi,
>
> I'm sending GET requests to http://${host}:${port}/auth/realms/${realm}/authz/protection/uma-policy
> but only get an empty array. I have a permission/policy assigned to
> hundreds of resources belonging to dozens of users and some resources owned
> by the resource server itself. Reading the docs
> <https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api>,
> I expect to be able to get a list of all permissions or query by name.
>
> Perhaps I am misunderstanding this:
>
> This API is protected by a bearer token that must represent a consent
> granted by the user to the resource server to manage permissions on his
> behalf. The bearer token can be a regular access token obtained from the
> token endpoint using:
>
>    - Resource Owner Password Credentials Grant Type
>    - Token Exchange, in order to exchange an access token granted to
>      some client (public client) for a token where audience is the resource
>      server
>
> But I don't think so because if my token were wrong I'd get a 401 or 403
> instead of 200 with an empty array. In any case I've tried with Client
> Credentials Grant and Resource Owner Password Credentials Grant Type.
>
> curl -D - -X GET \
>    https://.../authz/protection/uma-policy \
>    -H 'Authorization: Bearer eyJh' \
>    -H 'Cache-Control: no-cache' \
>    -H 'Postman-Token: deb09a7a-0499-430f-8164-3097e5ac145d' \
>    -H 'cache-control: no-cache'
>
> HTTP/1.1 200 OK
> Server: nginx/1.11.10
> Date: Sun, 18 Nov 2018 11:23:41 GMT
> Content-Type: application/json
> Content-Length: 2
> Connection: keep-alive
> Cache-Control: no-cache
> []
>
> Any advice?
>
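The thread's symptom (HTTP 200 with `[]` from the uma-policy endpoint when calling with a client-credentials token) comes down to whose token is presented: the endpoint lists the UMA policies owned by the token's subject, and a service-account token's subject is the client's own service-account user, which owns none. The following is an added example, not code from the mails or from Keycloak; it decodes the bearer token's claims (without verification, for diagnosis only) and classifies a response, using the `${host}:${port}` URL shape from the question. The claim values are constructed sample data.

```python
import base64
import json

# Constructed sample claims (illustrative only, not real Keycloak tokens). Keycloak names a
# client's service-account user "service-account-<clientId>"; that is the subject a
# client_credentials token carries.
SERVICE_ACCOUNT_CLAIMS = {"sub": "11111111-0000-0000-0000-000000000001",
                          "preferred_username": "service-account-my-resource-server",
                          "azp": "my-resource-server"}
USER_CLAIMS = {"sub": "22222222-0000-0000-0000-000000000002",
               "preferred_username": "alice", "azp": "my-resource-server"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with an empty signature, as test input only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying it (diagnostics, never authorization)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def policy_api_url(host: str, port: int, realm: str) -> str:
    return f"https://{host}:{port}/auth/realms/{realm}/authz/protection/uma-policy"


def ropc_token_form(client_id: str, client_secret: str, username: str, password: str) -> dict:
    """Token-endpoint form body for the Resource Owner Password Credentials grant."""
    return {"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
            "username": username, "password": password}


def classify_policy_response(status: int, body: str, bearer: str) -> str:
    """Explain a uma-policy response given the bearer token that was sent with the request."""
    if status in (401, 403):
        return "rejected"  # token invalid, expired or not accepted for this endpoint
    if status != 200:
        return f"http_{status}"
    if json.loads(body):
        return "policies"
    # 200 with []: the endpoint only lists policies owned by the token's subject, so a
    # service-account (client_credentials) token can never show a user's policies.
    if jwt_claims(bearer).get("preferred_username", "").startswith("service-account-"):
        return "service_account_token"
    return "no_policies_for_user"
```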