[keycloak-user] Requires uma_protection scope

Pedro Igor Silva psilva at redhat.com
Wed Nov 21 05:57:27 EST 2018


Yes, you should see a claim like this:

"resource_access": {
  "{client_id}": {
    "roles": [
      "{client_role}"
    ]
  }
}

On Tue, Nov 20, 2018 at 5:22 PM Geoffrey Cleaves <geoff at opticks.io> wrote:

> I understand that the client is supposed to have the role given the Admin
> Console settings, but does the token show that role when you introspect it?
>
> On Tue, Nov 20, 2018, 18:02 Julien Deruere <deruere.julien at gmail.com>
> wrote:
>
>> That's exactly what I did/checked. That's why I can't figure out why it's
>> not working :(
>>
>> On Tue, 20 Nov 2018 11:53, Pedro Igor Silva <psilva at redhat.com> wrote:
>>
>> > This role should be a client role. For instance, if you are trying to
>> > create resources for C1 the service account must be granted with client
>> > role C1/uma-protection. See screenshot attached.
>> >
>> > Regards.
>> >
>> > On Tue, Nov 20, 2018 at 2:01 PM Julien Deruere <deruere.julien at gmail.com>
>> > wrote:
>> >
>> >> In this case I'm using protection API:
>> >>
>> >> curl -X POST \
>> >>     -H "Content-Type: application/x-www-form-urlencoded" \
>> >>     -d 'grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}' \
>> >>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>> >>
>> >>
>> >> I'm asking a token as a client, not as a user. And I checked, my client
>> >> has the uma_protection role in Service Account Role.
>> >>
>> >> I don't know where I'm wrong?
>> >>
>> >> On Tue, 20 Nov 2018 10:54, Pedro Igor Silva <psilva at redhat.com> wrote:
>> >>
>> >>> Hi,
>> >>>
>> >>> You need to grant uma_protection client scope (it should be available as
>> >>> one of the roles associated with your resource server) to the user to which
>> >>> you are issuing tokens for.
>> >>>
>> >>> On Tue, Nov 20, 2018 at 1:52 PM Julien Deruere <deruere.julien at gmail.com>
>> >>> wrote:
>> >>>
>> >>>> Any update on this?
>> >>>> I got the exact same message when using POSTMAN :
>> >>>>
>> >>>> I first do this (with grant_type=client_credentials):
>> >>>> http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token
>> >>>>
>> >>>> And then this with the token I received:
>> >>>> GET
>> >>>> http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type=zone
>> >>>> Which answers me this:
>> >>>> {
>> >>>>     "error": "invalid_scope",
>> >>>>     "error_description": "Requires uma_protection scope."
>> >>>> }
>> >>>>
>> >>>> _______________________________________________
>> >>>> keycloak-user mailing list
>> >>>> keycloak-user at lists.jboss.org
>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>
>> >>>
>
>

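The check Geoffrey suggests above, inspecting whether the access token actually carries the client role C1/uma-protection under the resource_access claim, as an added Python example that is not part of this thread. The token is constructed inline with a placeholder signature segment, the client id C1 is taken from Pedro's message, and nothing here verifies a signature; it only decodes a token you already hold for debugging.

```python
import base64
import json

# Constructed sample claims in the shape Pedro describes: the service account
# of client "C1" carries the client role "uma_protection" for C1 itself.
SAMPLE_CLAIMS = {
    "iss": "http://localhost:8080/auth/realms/sg2b",
    "azp": "C1",
    "resource_access": {"C1": {"roles": ["uma_protection"]}},
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed compact JWT (header.payload.signature) for offline
    testing. The signature segment is a placeholder, not a real signature."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict without verifying the signature.
    Suitable only for inspecting a token you hold, the way the introspection
    endpoint shows it, when chasing a 'Requires uma_protection scope' error."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def client_roles(claims: dict, client_id: str) -> list:
    """Roles granted on client_id, i.e. resource_access[client_id].roles."""
    return claims.get("resource_access", {}).get(client_id, {}).get("roles", [])


def has_uma_protection(token: str, client_id: str) -> bool:
    """True when the token carries the client role client_id/uma_protection."""
    return "uma_protection" in client_roles(decode_claims(token), client_id)


if __name__ == "__main__":
    good = make_unsigned_token(SAMPLE_CLAIMS)
    # Same role, but granted on a different client: the protection API of C1 rejects it.
    wrong = make_unsigned_token({"resource_access": {"C2": {"roles": ["uma_protection"]}}})
    print(has_uma_protection(good, "C1"), has_uma_protection(wrong, "C1"))
```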
