[keycloak-user] Requires uma_protection scope

Julien Deruere deruere.julien at gmail.com
Wed Nov 21 10:06:18 EST 2018


The difference between my two clients was in "Client Scopes": "web-origins"
and "profile" were not assigned. Are these new scopes? Because in another
environment they are also not assigned by default (the client was created
in a previous version of Keycloak).

On Wed, Nov 21, 2018 at 09:58, Julien Deruere <deruere.julien at gmail.com>
wrote:

> Right, definitely something wrong with my client. I'll check it out.
>
> {
>   "jti": "5c75799a-9e76-4802-8f71-ff20e72fea8c",
>   "exp": 1542812525,
>   "nbf": 0,
>   "iat": 1542812225,
>   "iss": "http://my-keycloak:8080/auth/realms/new_realm",
>   "aud": [
>     "new_client",
>     "account"
>   ],
>   "sub": "df1d7282-6044-4c1d-8c0a-cb4bef82633c",
>   "typ": "Bearer",
>   "azp": "new_client",
>   "auth_time": 0,
>   "session_state": "5f45d8f3-fe88-487f-82fb-3e5eae4eb4b1",
>   "acr": "1",
>   "realm_access": {
>     "roles": [
>       "offline_access",
>       "uma_authorization"
>     ]
>   },
>   "resource_access": {
>     "new_client": {
>       "roles": [
>         "uma_protection"
>       ]
>     },
>     "account": {
>       "roles": [
>         "manage-account",
>         "manage-account-links",
>         "view-profile"
>       ]
>     }
>   },
>   "scope": "email profile",
>   "clientHost": "172.19.0.1",
>   "clientId": "new_client",
>   "email_verified": false,
>   "preferred_username": "service-account-new_client",
>   "clientAddress": "172.19.0.1",
>   "email": "service-account-new_client at placeholder.org"
> }
>
> On Wed, Nov 21, 2018 at 09:53, Geoffrey Cleaves <geoff at opticks.io>
> wrote:
>
>> My tokens look like this. What if you "reboot", create a new client and
>> test it there.
>>
>> {
>>     "jti": "5c5a8",
>>     "exp": 1542812146,
>>     "nbf": 0,
>>     "iat": 1542811846,
>>     "iss": "https://fblah",
>>     "aud": [
>>         "account",
>>         "opticks-rs"
>>     ],
>>     "sub": "dee58194-6b2b31d",
>>     "typ": "Bearer",
>>     "azp": "rs",
>>     "auth_time": 0,
>>     "session_state": "a96958c1e5",
>>     "preferred_username": "service-account-rs",
>>     "email": "service-account-rs at placeholder.org",
>>     "email_verified": false,
>>     "acr": "1",
>>     "realm_access": {
>>         "roles": [
>>             "offline_access",
>>             "uma_authorization"
>>         ]
>>     },
>>     "resource_access": {
>>         "account": {
>>             "roles": [
>>                 "manage-account",
>>                 "manage-account-links",
>>                 "view-profile"
>>             ]
>>         },
>>         "opticks-rs": {
>>             "roles": [
>>                 "uma_protection"
>>             ]
>>         }
>>     },
>>     "scope": "email profile",
>>     "clientId": "rs",
>>     "clientHost": "0.0.0.0",
>>     "clientAddress": "0.0.0.0",
>>     "client_id": "rs",
>>     "username": "service-account-rs",
>>     "active": true
>> }
>>
>> On Wed, 21 Nov 2018 at 15:41, Julien Deruere <deruere.julien at gmail.com>
>> wrote:
>>
>>> This is all I see
>>>
>>> {
>>>   "jti": "6cfa6dd3-a3dd-4f5b-8560-f91832e7a35f",
>>>   "exp": 1542811409,
>>>   "nbf": 0,
>>>   "iat": 1542811109,
>>>   "iss": "http://my-keycloak:8080/auth/realms/my-realm",
>>>   "sub": "055a376e-d8eb-49cf-9d5f-a83226448131",
>>>   "typ": "Bearer",
>>>   "azp": "my-api-gateway",
>>>   "auth_time": 0,
>>>   "session_state": "10853e1d-ff27-4f4c-b9e1-31339774c5e4",
>>>   "acr": "1",
>>>   "scope": "profile email",
>>>   "clientId": "my-api-gateway",
>>>   "clientHost": "172.19.0.1",
>>>   "email_verified": false,
>>>   "preferred_username": "service-account-my-api-gateway",
>>>   "clientAddress": "172.19.0.1",
>>>   "email": "service-account-my-api-gateway at placeholder.org"
>>> }
>>>
>>> On Wed, Nov 21, 2018 at 05:57, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Yes, you should see a claim like this:
>>>>
>>>> "resource_access": {
>>>>     "{client_id}": {
>>>>       "roles": [
>>>>         "{client_role}"
>>>>       ]
>>>>     }
>>>>   }
>>>>
>>>> On Tue, Nov 20, 2018 at 5:22 PM Geoffrey Cleaves <geoff at opticks.io>
>>>> wrote:
>>>>
>>>>> I understand that the client is supposed to have the role given the
>>>>> Admin Console settings, but does the token show that role when you
>>>>> introspect it?
>>>>>
>>>>> On Tue, Nov 20, 2018, 18:02 Julien Deruere <deruere.julien at gmail.com
>>>>> wrote:
>>>>>
>>>>>> That's exactly what I did/checked. That's why I can't figure out why
>>>>>> it's
>>>>>> not working :(
>>>>>>
>>>>>> On Tue, Nov 20, 2018 at 11:53, Pedro Igor Silva <psilva at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>> > This role should be a client role. For instance, if you are trying
>>>>>> to
>>>>>> > create resources for C1 the service account must be granted with
>>>>>> client
>>>>>> > role C1/uma-protection. See screenshot attached.
>>>>>> >
>>>>>> > Regards.
>>>>>> >
>>>>>> > On Tue, Nov 20, 2018 at 2:01 PM Julien Deruere <
>>>>>> deruere.julien at gmail.com>
>>>>>> > wrote:
>>>>>> >
>>>>>> >> In this case I'm using protection API:
>>>>>> >>
>>>>>> >> # double quotes so the shell expands ${client_id} etc. (single quotes send the literal text)
>>>>>> >> curl -X POST \
>>>>>> >>     -H "Content-Type: application/x-www-form-urlencoded" \
>>>>>> >>     -d "grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}" \
>>>>>> >>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>>>>> >>
>>>>>> >>
>>>>>> >> I'm asking for a token as a client, not as a user. And I checked: my
>>>>>> >> client has the uma_protection role in Service Account Roles.
>>>>>> >>
>>>>>> >> I don't know where I'm wrong?
>>>>>> >>
>>>>>> >> On Tue, Nov 20, 2018 at 10:54, Pedro Igor Silva <psilva at redhat.com>
>>>>>> >> wrote:
>>>>>> >>
>>>>>> >>> Hi,
>>>>>> >>>
>>>>>> >>> You need to grant the uma_protection client scope (it should be
>>>>>> >>> available as one of the roles associated with your resource server) to the
>>>>>> >>> user for whom you are issuing tokens.
>>>>>> >>>
>>>>>> >>> On Tue, Nov 20, 2018 at 1:52 PM Julien Deruere <
>>>>>> deruere.julien at gmail.com>
>>>>>> >>> wrote:
>>>>>> >>>
>>>>>> >>>> Any update on this?
>>>>>> >>>> I got the exact same message when using POSTMAN :
>>>>>> >>>>
>>>>>> >>>> I first do this (with grant_type=client_credentials):
>>>>>> >>>>
>>>>>> >>>> http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token
>>>>>> >>>>
>>>>>> >>>> And then this with the token I received:
>>>>>> >>>>
>>>>>> >>>> GET http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type=zone
>>>>>> >>>>
>>>>>> >>>> Which answers me with this:
>>>>>> >>>> {
>>>>>> >>>>     "error": "invalid_scope",
>>>>>> >>>>     "error_description": "Requires uma_protection scope."
>>>>>> >>>> }
>>>>>> >>>>
>>>>>> >>> _______________________________________________
>>>>>> >>>> keycloak-user mailing list
>>>>>> >>>> keycloak-user at lists.jboss.org
>>>>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>> >>>>
>>>>>> >>>
>>>>>
>>>>>
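Added example, not from the thread or from Keycloak itself: a small Python script that performs the check the thread converges on, namely whether the access token obtained with grant_type=client_credentials carries the client role <resource server>/uma_protection under resource_access, which is what the Protection API endpoint demands before it stops answering "Requires uma_protection scope". The two fixtures are constructed to mirror the claims of the tokens pasted above (identifiers are invented, the signature segment is a placeholder and is never verified), so the script is for local diagnosis of a token Keycloak issued to you, not for accepting tokens from callers. A token with no resource_access claim at all, like the first one posted, normally means the client roles protocol mapper (part of the default "roles" client scope in Keycloak 4.6 and later) is not applied to that client, which fits the client-scope difference found at the top of the thread; a realm role such as uma_authorization does not substitute for the client role.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWS, WITHOUT signature verification.

    Local inspection of a token Keycloak just issued to you (what the thread
    does by pasting decoded tokens). Never use this to accept a token from a
    caller; Keycloak verifies the signature when the token is presented.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def protection_api_check(claims: dict, resource_server: str) -> str:
    """Why would /authz/protection answer 'Requires uma_protection scope'?

    Returns "ok" when the token carries the client role
    <resource_server>/uma_protection, otherwise a short reason.
    """
    resource_access = claims.get("resource_access") or {}
    if not resource_access:
        return ("no resource_access claim: client roles are not mapped into "
                "the token (check the client's client scopes / role mappers)")
    roles = resource_access.get(resource_server, {}).get("roles", [])
    if "uma_protection" in roles:
        return "ok"
    elsewhere = sorted(c for c, v in resource_access.items()
                       if "uma_protection" in v.get("roles", []))
    if elsewhere:
        return (f"uma_protection granted for {', '.join(elsewhere)}, not for "
                f"resource server {resource_server}")
    return (f"uma_protection missing under resource_access.{resource_server} "
            "(realm role uma_authorization is not a substitute)")


def make_fixture_token(claims: dict) -> str:
    """Compact-JWS-shaped string for the constructed fixtures below.

    The signature segment is a placeholder; nothing verifies it.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    body = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    return body + "." + _b64url_encode(b"placeholder-signature")


# Constructed claims modelled on the tokens pasted in the thread (ids invented).
GATEWAY_CLAIMS = {          # no resource_access at all, like the first token
    "iss": "http://my-keycloak:8080/auth/realms/my-realm",
    "typ": "Bearer",
    "azp": "my-api-gateway",
    "scope": "profile email",
    "preferred_username": "service-account-my-api-gateway",
}
NEW_CLIENT_CLAIMS = {       # client role new_client/uma_protection present
    "iss": "http://my-keycloak:8080/auth/realms/new_realm",
    "typ": "Bearer",
    "aud": ["new_client", "account"],
    "azp": "new_client",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "new_client": {"roles": ["uma_protection"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
    "scope": "email profile",
}
TOKEN_GATEWAY = make_fixture_token(GATEWAY_CLAIMS)
TOKEN_NEW_CLIENT = make_fixture_token(NEW_CLIENT_CLAIMS)

if __name__ == "__main__":
    for name, token, rs in (("my-api-gateway", TOKEN_GATEWAY, "my-api-gateway"),
                            ("new_client", TOKEN_NEW_CLIENT, "new_client")):
        print(f"{name}: {protection_api_check(jwt_claims(token), rs)}")
```

To use it on a real token, paste the access_token value from the token endpoint response into jwt_claims() and pass the client id of the resource server you are calling the Protection API for (for a gateway creating resources for client C1, that is C1, not the gateway's own id). The function deliberately reports the three distinct failure modes separately, because each points at a different admin-console fix: a missing mapper, a role granted on the wrong client, or a role simply not granted to the service account.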

