[keycloak-user] Requires uma_protection scope

Pedro Igor Silva psilva at redhat.com
Wed Nov 21 11:32:37 EST 2018


What about the "roles" client scope? You should have this one assigned to your
client too ...

On Wed, Nov 21, 2018 at 1:06 PM Julien Deruere <deruere.julien at gmail.com>
wrote:

> The difference between my two clients was in "Client Scopes": "web-origins"
> and "profile" were not assigned. Are these new scopes? Because in another
> environment they are also not assigned by default (the client was created in
> a previous version of Keycloak).
>
> On Wed, Nov 21, 2018 at 09:58, Julien Deruere <deruere.julien at gmail.com>
> wrote:
>
>> Right, definitely something wrong with my client. I'll check it out.
>>
>> {
>>   "jti": "5c75799a-9e76-4802-8f71-ff20e72fea8c",
>>   "exp": 1542812525,
>>   "nbf": 0,
>>   "iat": 1542812225,
>>   "iss": "http://my-keycloak:8080/auth/realms/new_realm",
>>   "aud": [
>>     "new_client",
>>     "account"
>>   ],
>>   "sub": "df1d7282-6044-4c1d-8c0a-cb4bef82633c",
>>   "typ": "Bearer",
>>   "azp": "new_client",
>>   "auth_time": 0,
>>   "session_state": "5f45d8f3-fe88-487f-82fb-3e5eae4eb4b1",
>>   "acr": "1",
>>   "realm_access": {
>>     "roles": [
>>       "offline_access",
>>       "uma_authorization"
>>     ]
>>   },
>>   "resource_access": {
>>     "new_client": {
>>       "roles": [
>>         "uma_protection"
>>       ]
>>     },
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "manage-account-links",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "scope": "email profile",
>>   "clientHost": "172.19.0.1",
>>   "clientId": "new_client",
>>   "email_verified": false,
>>   "preferred_username": "service-account-new_client",
>>   "clientAddress": "172.19.0.1",
>>   "email": "service-account-new_client at placeholder.org"
>> }
>>
>> On Wed, Nov 21, 2018 at 09:53, Geoffrey Cleaves <geoff at opticks.io>
>> wrote:
>>
>>> My tokens look like this. What if you "reboot", create a new client, and
>>> test it there?
>>>
>>> {
>>>     "jti": "5c5a8",
>>>     "exp": 1542812146,
>>>     "nbf": 0,
>>>     "iat": 1542811846,
>>>     "iss": "https://fblah",
>>>     "aud": [
>>>         "account",
>>>         "opticks-rs"
>>>     ],
>>>     "sub": "dee58194-6b2b31d",
>>>     "typ": "Bearer",
>>>     "azp": "rs",
>>>     "auth_time": 0,
>>>     "session_state": "a96958c1e5",
>>>     "preferred_username": "service-account-rs",
>>>     "email": "service-account-rs at placeholder.org",
>>>     "email_verified": false,
>>>     "acr": "1",
>>>     "realm_access": {
>>>         "roles": [
>>>             "offline_access",
>>>             "uma_authorization"
>>>         ]
>>>     },
>>>     "resource_access": {
>>>         "account": {
>>>             "roles": [
>>>                 "manage-account",
>>>                 "manage-account-links",
>>>                 "view-profile"
>>>             ]
>>>         },
>>>         "opticks-rs": {
>>>             "roles": [
>>>                 "uma_protection"
>>>             ]
>>>         }
>>>     },
>>>     "scope": "email profile",
>>>     "clientId": "rs",
>>>     "clientHost": "0.0.0.0",
>>>     "clientAddress": "0.0.0.0",
>>>     "client_id": "rs",
>>>     "username": "service-account-rs",
>>>     "active": true
>>> }
>>>
>>> On Wed, 21 Nov 2018 at 15:41, Julien Deruere <deruere.julien at gmail.com>
>>> wrote:
>>>
>>>> This is all I see
>>>>
>>>> {
>>>>   "jti": "6cfa6dd3-a3dd-4f5b-8560-f91832e7a35f",
>>>>   "exp": 1542811409,
>>>>   "nbf": 0,
>>>>   "iat": 1542811109,
>>>>   "iss": "http://my-keycloak:8080/auth/realms/my-realm",
>>>>   "sub": "055a376e-d8eb-49cf-9d5f-a83226448131",
>>>>   "typ": "Bearer",
>>>>   "azp": "my-api-gateway",
>>>>   "auth_time": 0,
>>>>   "session_state": "10853e1d-ff27-4f4c-b9e1-31339774c5e4",
>>>>   "acr": "1",
>>>>   "scope": "profile email",
>>>>   "clientId": "my-api-gateway",
>>>>   "clientHost": "172.19.0.1",
>>>>   "email_verified": false,
>>>>   "preferred_username": "service-account-my-api-gateway",
>>>>   "clientAddress": "172.19.0.1",
>>>>   "email": "service-account-my-api-gateway at placeholder.org"
>>>> }
>>>>
>>>> On Wed, Nov 21, 2018 at 05:57, Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> Yes, you should see a claim like this:
>>>>>
>>>>> "resource_access": {
>>>>>     "{client_id}": {
>>>>>       "roles": [
>>>>>         "{client_role}"
>>>>>       ]
>>>>>     }
>>>>>   }
>>>>>
>>>>> On Tue, Nov 20, 2018 at 5:22 PM Geoffrey Cleaves <geoff at opticks.io>
>>>>> wrote:
>>>>>
>>>>>> I understand that the client is supposed to have the role given the
>>>>>> Admin Console settings, but does the token show that role when you
>>>>>> introspect it?
>>>>>>
>>>>>> On Tue, Nov 20, 2018, 18:02 Julien Deruere <deruere.julien at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> That's exactly what I did/checked. That's why I can't figure out why
>>>>>>> it's not working :(
>>>>>>>
>>>>>>> On Tue, Nov 20, 2018 at 11:53, Pedro Igor Silva <psilva at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> > This role should be a client role. For instance, if you are trying to
>>>>>>> > create resources for C1, the service account must be granted the client
>>>>>>> > role C1/uma-protection. See screenshot attached.
>>>>>>> >
>>>>>>> > Regards.
>>>>>>> >
>>>>>>> > On Tue, Nov 20, 2018 at 2:01 PM Julien Deruere <deruere.julien at gmail.com>
>>>>>>> > wrote:
>>>>>>> >
>>>>>>> >> In this case I'm using the protection API:
>>>>>>> >>
>>>>>>> >> curl -X POST \
>>>>>>> >>     -H "Content-Type: application/x-www-form-urlencoded" \
>>>>>>> >>     -d "grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}" \
>>>>>>> >>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> I'm asking for a token as a client, not as a user. And I checked, my
>>>>>>> >> client has the uma_protection role in Service Account Roles.
>>>>>>> >>
>>>>>>> >> I don't know where I'm wrong.
>>>>>>> >>
>>>>>>> >> On Tue, Nov 20, 2018 at 10:54, Pedro Igor Silva <psilva at redhat.com>
>>>>>>> >> wrote:
>>>>>>> >>
>>>>>>> >>> Hi,
>>>>>>> >>>
>>>>>>> >>> You need to grant the uma_protection client scope (it should be
>>>>>>> >>> available as one of the roles associated with your resource server) to
>>>>>>> >>> the user to whom you are issuing tokens.
>>>>>>> >>>
>>>>>>> >>> On Tue, Nov 20, 2018 at 1:52 PM Julien Deruere <deruere.julien at gmail.com>
>>>>>>> >>> wrote:
>>>>>>> >>>
>>>>>>> >>>> Any update on this?
>>>>>>> >>>> I got the exact same message when using POSTMAN:
>>>>>>> >>>>
>>>>>>> >>>> I first do this (with grant_type=client_credentials):
>>>>>>> >>>> http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token
>>>>>>> >>>>
>>>>>>> >>>> And then this with the token I received:
>>>>>>> >>>> GET
>>>>>>> >>>> http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type=zone
>>>>>>> >>>>
>>>>>>> >>>> Which answers me with this:
>>>>>>> >>>> {
>>>>>>> >>>>     "error": "invalid_scope",
>>>>>>> >>>>     "error_description": "Requires uma_protection scope."
>>>>>>> >>>> }
>>>>>>> >>>>
>>>>>>> >>>> _______________________________________________
>>>>>>> >>>> keycloak-user mailing list
>>>>>>> >>>> keycloak-user at lists.jboss.org
>>>>>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>> >>>>
>>>>>>> >>>
>>>>>>
>>>>>>
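The thread boils down to one check: the protection API serves a token only if the token's `resource_access` claim lists the client role `uma_protection` for the resource-server client, and that claim is only mapped into the token when the client has the "roles" client scope assigned (it carries the realm-role and client-role mappers). Below is an added diagnostic script, written for this reply and not part of the thread or of Keycloak itself, that decodes an access token's payload and reports which of those two conditions fails. The function names, the constructed claim sets (modelled on the tokens quoted above) and the unsigned test-token builder are all assumptions of this example; the payload decoder deliberately does no signature verification, so it is for reading what Keycloak put in a token, not for making authorization decisions.

```python
import base64
import json

# Client role Keycloak requires before serving /authz/protection/... requests.
# It is a role on the resource-server client, not an OAuth scope, despite the
# wording of the "Requires uma_protection scope" error.
UMA_PROTECTION_ROLE = "uma_protection"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying its signature.

    Diagnostic use only: a resource server must verify the signature against
    the realm keys (or call the introspection endpoint) before trusting any
    claim. This helper only lets an admin see what Keycloak put in the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_uma_protection(claims: dict, client_id: str) -> list:
    """Explain why the protection API would answer 'Requires uma_protection scope'.

    Returns an empty list when the token carries the client role uma_protection
    for client_id under resource_access; otherwise a list of findings naming
    the Admin Console setting to check.
    """
    findings = []
    azp = claims.get("azp")
    if azp != client_id:
        findings.append(f"token was issued to client '{azp}', not to '{client_id}'")
    resource_access = claims.get("resource_access")
    if not isinstance(resource_access, dict):
        # Role claims are only mapped into the token when the client has the
        # "roles" client scope assigned (mappers for realm and client roles).
        findings.append(
            "no resource_access claim at all: assign the 'roles' client scope to the client"
        )
        return findings
    roles = resource_access.get(client_id, {}).get("roles", [])
    if UMA_PROTECTION_ROLE not in roles:
        findings.append(
            f"service account lacks client role {client_id}/{UMA_PROTECTION_ROLE}: "
            f"grant it under Clients > {client_id} > Service Account Roles"
        )
    return findings


def make_unsigned_test_token(claims: dict) -> str:
    """Build a JWT-shaped string for offline tests (constructed, never signed)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(b'signature-omitted')}"


# Constructed claim sets modelled on the three tokens quoted in the thread.
CLAIMS_OK = {
    "azp": "new_client",
    "scope": "email profile",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "new_client": {"roles": ["uma_protection"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}
# No resource_access at all: the "roles" client scope is not assigned.
CLAIMS_NO_ROLES_SCOPE = {"azp": "my-api-gateway", "scope": "profile email"}
# Roles are mapped, but the service account was never granted uma_protection.
CLAIMS_ROLE_MISSING = {
    "azp": "rs",
    "resource_access": {"account": {"roles": ["view-profile"]}},
}

if __name__ == "__main__":
    for name, claims in [("ok", CLAIMS_OK),
                         ("no-roles-scope", CLAIMS_NO_ROLES_SCOPE),
                         ("role-missing", CLAIMS_ROLE_MISSING)]:
        token = make_unsigned_test_token(claims)
        result = diagnose_uma_protection(jwt_payload(token), claims["azp"])
        print(f"{name}: {result or 'token can call the protection API'}")
```

To run it against a real token, paste the access token returned by the `client_credentials` request into `jwt_payload` and pass the resource server's client id; an empty result means the `resource_set` endpoint will accept the token, and each finding names the Admin Console setting that produced the error.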