[keycloak-user] Requires uma_protection scope

Geoffrey Cleaves geoff at opticks.io
Wed Nov 21 09:53:20 EST 2018


My tokens look like this. What if you "reboot", create a new client and
test it there.

{
    "jti": "5c5a8",
    "exp": 1542812146,
    "nbf": 0,
    "iat": 1542811846,
    "iss": "https://fblah",
    "aud": [
        "account",
        "opticks-rs"
    ],
    "sub": "dee58194-6b2b31d",
    "typ": "Bearer",
    "azp": "rs",
    "auth_time": 0,
    "session_state": "a96958c1e5",
    "preferred_username": "service-account-rs",
    "email": "service-account-rs at placeholder.org",
    "email_verified": false,
    "acr": "1",
    "realm_access": {
        "roles": [
            "offline_access",
            "uma_authorization"
        ]
    },
    "resource_access": {
        "account": {
            "roles": [
                "manage-account",
                "manage-account-links",
                "view-profile"
            ]
        },
        "opticks-rs": {
            "roles": [
                "uma_protection"
            ]
        }
    },
    "scope": "email profile",
    "clientId": "rs",
    "clientHost": "0.0.0.0",
    "clientAddress": "0.0.0.0",
    "client_id": "rs",
    "username": "service-account-rs",
    "active": true
}

On Wed, 21 Nov 2018 at 15:41, Julien Deruere <deruere.julien at gmail.com>
wrote:

> This is all I see
>
> {
>   "jti": "6cfa6dd3-a3dd-4f5b-8560-f91832e7a35f",
>   "exp": 1542811409,
>   "nbf": 0,
>   "iat": 1542811109,
>   "iss": "http://my-keycloak:8080/auth/realms/my-realm",
>   "sub": "055a376e-d8eb-49cf-9d5f-a83226448131",
>   "typ": "Bearer",
>   "azp": "my-api-gateway",
>   "auth_time": 0,
>   "session_state": "10853e1d-ff27-4f4c-b9e1-31339774c5e4",
>   "acr": "1",
>   "scope": "profile email",
>   "clientId": "my-api-gateway",
>   "clientHost": "172.19.0.1",
>   "email_verified": false,
>   "preferred_username": "service-account-my-api-gateway",
>   "clientAddress": "172.19.0.1",
>   "email": "service-account-my-api-gateway at placeholder.org"
> }
>
> On Wed, 21 Nov 2018 at 05:57, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Yes, you should see a claim like this:
>>
>> "resource_access": {
>>     "{client_id}": {
>>       "roles": [
>>         "{client_role}"
>>       ]
>>     }
>>   }
>>
>> On Tue, Nov 20, 2018 at 5:22 PM Geoffrey Cleaves <geoff at opticks.io>
>> wrote:
>>
>>> I understand that the client is supposed to have the role given the
>>> Admin Console settings, but does the token show that role when you
>>> introspect it?
>>>
>>> On Tue, Nov 20, 2018, 18:02 Julien Deruere <deruere.julien at gmail.com
>>> wrote:
>>>
>>>> That's exactly what I did/checked. That's why I can't figure out why
>>>> it's
>>>> not working :(
>>>>
>>>> On Tue, 20 Nov 2018 at 11:53, Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>> > This role should be a client role. For instance, if you are trying to
>>>> > create resources for C1 the service account must be granted with client
>>>> > role C1/uma-protection. See screenshot attached.
>>>> >
>>>> > Regards.
>>>> >
>>>> > On Tue, Nov 20, 2018 at 2:01 PM Julien Deruere <deruere.julien at gmail.com>
>>>> > wrote:
>>>> >
>>>> >> In this case I'm using protection API:
>>>> >>
>>>> >> curl -X POST \
>>>> >>     -H "Content-Type: application/x-www-form-urlencoded" \
>>>> >>     -d "grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}" \
>>>> >>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>>> >>
>>>> >>
>>>> >> I'm asking for a token as a client, not as a user. And I checked, my
>>>> >> client has the uma_protection role in Service Account Role.
>>>> >>
>>>> >> I don't know where I'm wrong?
>>>> >>
>>>> >> On Tue, 20 Nov 2018 at 10:54, Pedro Igor Silva <psilva at redhat.com>
>>>> >> wrote:
>>>> >>
>>>> >>> Hi,
>>>> >>>
>>>> >>> You need to grant uma_protection client scope (it should be available as
>>>> >>> one of the roles associated with your resource server) to the user to
>>>> >>> whom you are issuing tokens.
>>>> >>>
>>>> >>> On Tue, Nov 20, 2018 at 1:52 PM Julien Deruere <deruere.julien at gmail.com>
>>>> >>> wrote:
>>>> >>>
>>>> >>>> Any update on this?
>>>> >>>> I got the exact same message when using POSTMAN:
>>>> >>>>
>>>> >>>> I first do this (with grant_type=client_credentials):
>>>> >>>> http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token
>>>> >>>>
>>>> >>>> And then this with the token I received:
>>>> >>>> GET http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type=zone
>>>> >>>>
>>>> >>>> Which answers me this:
>>>> >>>> {
>>>> >>>>     "error": "invalid_scope",
>>>> >>>>     "error_description": "Requires uma_protection scope."
>>>> >>>> }
>>>> >>>>
>>>> >>>> _______________________________________________
>>>> >>>> keycloak-user mailing list
>>>> >>>> keycloak-user at lists.jboss.org
>>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >>>>
>>>> >>>
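An added example, not code from anyone in the thread: a small Python diagnostic that decodes a service-account access token's payload and checks for the thing the Protection API actually demands, the resource server's uma_protection client role under resource_access (note the working token's scope claim is just "email profile"; the role, not a scope string, is what matters). The sample payloads are constructed and modelled on the two tokens posted above; the token builder is unsigned and only exists so the decoder can be exercised offline.

```python
import base64
import json

# Constructed sample modelled on the working token: the service account of
# client "rs" holds the "uma_protection" client role on resource server "opticks-rs".
GOOD_PAYLOAD = {
    "azp": "rs",
    "scope": "email profile",
    "resource_access": {"opticks-rs": {"roles": ["uma_protection"]}},
}

# Constructed sample modelled on the failing token: no resource_access claim at all.
BAD_PAYLOAD = {"azp": "my-api-gateway", "scope": "profile email"}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build header.payload. for offline testing only; the signature part is empty."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_payload(token: str) -> dict:
    """Decode the payload segment only. This does NOT verify the signature;
    it is a diagnostic aid, never an authorization decision."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def has_uma_protection(payload: dict, resource_server: str) -> bool:
    """True when resource_access[resource_server].roles contains uma_protection."""
    roles = payload.get("resource_access", {}).get(resource_server, {}).get("roles", [])
    return "uma_protection" in roles


def diagnose(token: str, resource_server: str) -> str:
    """Explain why a token would get 'Requires uma_protection scope' from the Protection API."""
    payload = decode_payload(token)
    if has_uma_protection(payload, resource_server):
        return "ok"
    return (f"client '{payload.get('azp')}' lacks the {resource_server}/uma_protection "
            "client role; grant it under the client's Service Account Roles")
```

Run diagnose() on the real token returned by the client_credentials call, with the resource server's client id, before calling /authz/protection/resource_set.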