[keycloak-user] Requires uma_protection scope

Julien Deruere deruere.julien at gmail.com
Wed Nov 21 09:58:34 EST 2018


Right, definitely something wrong with my client. I'll check it out.

{
  "jti": "5c75799a-9e76-4802-8f71-ff20e72fea8c",
  "exp": 1542812525,
  "nbf": 0,
  "iat": 1542812225,
  "iss": "http://my-keycloak:8080/auth/realms/new_realm",
  "aud": [
    "new_client",
    "account"
  ],
  "sub": "df1d7282-6044-4c1d-8c0a-cb4bef82633c",
  "typ": "Bearer",
  "azp": "new_client",
  "auth_time": 0,
  "session_state": "5f45d8f3-fe88-487f-82fb-3e5eae4eb4b1",
  "acr": "1",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "new_client": {
      "roles": [
        "uma_protection"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "email profile",
  "clientHost": "172.19.0.1",
  "clientId": "new_client",
  "email_verified": false,
  "preferred_username": "service-account-new_client",
  "clientAddress": "172.19.0.1",
  "email": "service-account-new_client at placeholder.org"
}

On Wed, 21 Nov 2018 at 09:53, Geoffrey Cleaves <geoff at opticks.io> wrote:

> My tokens look like this. What if you "reboot", create a new client and
> test it there.
>
> {
>     "jti": "5c5a8",
>     "exp": 1542812146,
>     "nbf": 0,
>     "iat": 1542811846,
>     "iss": "https://fblah",
>     "aud": [
>         "account",
>         "opticks-rs"
>     ],
>     "sub": "dee58194-6b2b31d",
>     "typ": "Bearer",
>     "azp": "rs",
>     "auth_time": 0,
>     "session_state": "a96958c1e5",
>     "preferred_username": "service-account-rs",
>     "email": "service-account-rs at placeholder.org",
>     "email_verified": false,
>     "acr": "1",
>     "realm_access": {
>         "roles": [
>             "offline_access",
>             "uma_authorization"
>         ]
>     },
>     "resource_access": {
>         "account": {
>             "roles": [
>                 "manage-account",
>                 "manage-account-links",
>                 "view-profile"
>             ]
>         },
>         "opticks-rs": {
>             "roles": [
>                 "uma_protection"
>             ]
>         }
>     },
>     "scope": "email profile",
>     "clientId": "rs",
>     "clientHost": "0.0.0.0",
>     "clientAddress": "0.0.0.0",
>     "client_id": "rs",
>     "username": "service-account-rs",
>     "active": true
> }
>
> On Wed, 21 Nov 2018 at 15:41, Julien Deruere <deruere.julien at gmail.com> wrote:
>
>> This is all I see
>>
>> {
>>   "jti": "6cfa6dd3-a3dd-4f5b-8560-f91832e7a35f",
>>   "exp": 1542811409,
>>   "nbf": 0,
>>   "iat": 1542811109,
>>   "iss": "http://my-keycloak:8080/auth/realms/my-realm",
>>   "sub": "055a376e-d8eb-49cf-9d5f-a83226448131",
>>   "typ": "Bearer",
>>   "azp": "my-api-gateway",
>>   "auth_time": 0,
>>   "session_state": "10853e1d-ff27-4f4c-b9e1-31339774c5e4",
>>   "acr": "1",
>>   "scope": "profile email",
>>   "clientId": "my-api-gateway",
>>   "clientHost": "172.19.0.1",
>>   "email_verified": false,
>>   "preferred_username": "service-account-my-api-gateway",
>>   "clientAddress": "172.19.0.1",
>>   "email": "service-account-my-api-gateway at placeholder.org"
>> }
>>
>> On Wed, 21 Nov 2018 at 05:57, Pedro Igor Silva <psilva at redhat.com> wrote:
>>
>>> Yes, you should see a claim like this:
>>>
>>> "resource_access": {
>>>     "{client_id}": {
>>>       "roles": [
>>>         "{client_role}"
>>>       ]
>>>     }
>>>   }
>>>
>>> On Tue, Nov 20, 2018 at 5:22 PM Geoffrey Cleaves <geoff at opticks.io> wrote:
>>>
>>>> I understand that the client is supposed to have the role given the
>>>> Admin Console settings, but does the token show that role when you
>>>> introspect it?
>>>>
>>>> On Tue, Nov 20, 2018, 18:02 Julien Deruere <deruere.julien at gmail.com> wrote:
>>>>
>>>>> That's exactly what I did/checked. That's why I can't figure out why
>>>>> it's not working :(
>>>>>
>>>>> On Tue, 20 Nov 2018 at 11:53, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>>>
>>>>> > This role should be a client role. For instance, if you are trying to
>>>>> > create resources for C1, the service account must be granted the client
>>>>> > role C1/uma-protection. See screenshot attached.
>>>>> >
>>>>> > Regards.
>>>>> >
>>>>> > On Tue, Nov 20, 2018 at 2:01 PM Julien Deruere <deruere.julien at gmail.com> wrote:
>>>>> >
>>>>> >> In this case I'm using protection API:
>>>>> >>
>>>>> >> curl -X POST \
>>>>> >>     -H "Content-Type: application/x-www-form-urlencoded" \
>>>>> >>     -d "grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}" \
>>>>> >>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>>>> >>
>>>>> >>
>>>>> >> I'm asking for a token as a client, not as a user. And I checked, my
>>>>> >> client has the uma_protection role in Service Account Roles.
>>>>> >>
>>>>> >> I don't know where I'm wrong?
>>>>> >>
>>>>> >> On Tue, 20 Nov 2018 at 10:54, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>>> >>
>>>>> >>> Hi,
>>>>> >>>
>>>>> >>> You need to grant the uma_protection client scope (it should be
>>>>> >>> available as one of the roles associated with your resource server)
>>>>> >>> to the user for which you are issuing tokens.
>>>>> >>>
>>>>> >>> On Tue, Nov 20, 2018 at 1:52 PM Julien Deruere <deruere.julien at gmail.com> wrote:
>>>>> >>>
>>>>> >>>> Any update on this?
>>>>> >>>> I got the exact same message when using POSTMAN:
>>>>> >>>>
>>>>> >>>> I first do this (with grant_type=client_credentials):
>>>>> >>>> http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token
>>>>> >>>>
>>>>> >>>> And then this with the token I received:
>>>>> >>>> GET http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type=zone
>>>>> >>>>
>>>>> >>>> Which answers me this:
>>>>> >>>> {
>>>>> >>>>     "error": "invalid_scope",
>>>>> >>>>     "error_description": "Requires uma_protection scope."
>>>>> >>>> }
>>>>> >>>>
>>>>> >>> _______________________________________________
>>>>> >>>> keycloak-user mailing list
>>>>> >>>> keycloak-user at lists.jboss.org
>>>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> >>>>
>>>>> >>>
>>>>
>>>>
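The check this thread converges on, written up as an added example (not code from the thread or from Keycloak): decode the payload of a service-account token obtained with client_credentials and confirm that resource_access.<client_id>.roles contains uma_protection before calling the protection API. The sample claims are constructed from the tokens pasted above (client ids new_client and my-api-gateway), and the signature is deliberately not verified, since this only inspects a token the client itself just received from the token endpoint.

```python
import base64
import json

# Constructed sample claims, modelled on the tokens pasted in the thread:
# one from a service account that holds the client role, one that carries
# no resource_access claim at all (the symptom behind "invalid_scope").
WORKING_CLAIMS = {
    "azp": "new_client",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"new_client": {"roles": ["uma_protection"]}},
    "scope": "email profile",
}
BROKEN_CLAIMS = {"azp": "my-api-gateway", "scope": "profile email"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(claims: dict) -> str:
    """Assemble a JWT-shaped string with a placeholder signature, for offline tests."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature.

    Only for inspecting a token the client itself just received from the
    token endpoint; a resource server must verify before trusting claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def client_roles(claims: dict, client_id: str) -> list:
    """Roles granted on client_id, i.e. resource_access.<client_id>.roles."""
    return claims.get("resource_access", {}).get(client_id, {}).get("roles", [])


def diagnose(token: str, client_id: str) -> str:
    """Explain whether the protection API will accept this token for client_id."""
    claims = decode_payload(token)
    if claims.get("azp") != client_id:
        return f"mismatch: token was issued to {claims.get('azp')!r}, not {client_id!r}"
    if "uma_protection" in client_roles(claims, client_id):
        return f"ok: resource_access.{client_id}.roles contains uma_protection"
    return (f"missing: grant the client role {client_id}/uma_protection to the "
            f"service account of {client_id} (Service Account Roles)")
```

Run diagnose() on the token returned by the curl call above before hitting /authz/protection/resource_set; a "missing" result reproduces the invalid_scope error without a round trip to the server.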

