[keycloak-user] Requires uma_protection scope

Julien Deruere deruere.julien at gmail.com
Wed Nov 21 15:47:28 EST 2018


Yes, this one was already assigned; it was just about "web-origins" and
"profile".

On Wed, Nov 21, 2018 at 11:32, Pedro Igor Silva <psilva at redhat.com> wrote:

> What about the "roles" client scope ? You should have this one too
> assigned to your client ...
>
> On Wed, Nov 21, 2018 at 1:06 PM Julien Deruere <deruere.julien at gmail.com>
> wrote:
>
>> The difference between my two clients was in "Client Scopes":
>> "web-origins" and "profile" were not assigned. Are these new scopes? Because in
>> another environment they are also not assigned by default (the client was
>> created in a previous version of Keycloak).
>>
>> On Wed, Nov 21, 2018 at 09:58, Julien Deruere <deruere.julien at gmail.com>
>> wrote:
>>
>>> Right, definitely something wrong with my client. I'll check it out.
>>>
>>> {
>>>   "jti": "5c75799a-9e76-4802-8f71-ff20e72fea8c",
>>>   "exp": 1542812525,
>>>   "nbf": 0,
>>>   "iat": 1542812225,
>>>   "iss": "http://my-keycloak:8080/auth/realms/new_realm",
>>>   "aud": [
>>>     "new_client",
>>>     "account"
>>>   ],
>>>   "sub": "df1d7282-6044-4c1d-8c0a-cb4bef82633c",
>>>   "typ": "Bearer",
>>>   "azp": "new_client",
>>>   "auth_time": 0,
>>>   "session_state": "5f45d8f3-fe88-487f-82fb-3e5eae4eb4b1",
>>>   "acr": "1",
>>>   "realm_access": {
>>>     "roles": [
>>>       "offline_access",
>>>       "uma_authorization"
>>>     ]
>>>   },
>>>   "resource_access": {
>>>     "new_client": {
>>>       "roles": [
>>>         "uma_protection"
>>>       ]
>>>     },
>>>     "account": {
>>>       "roles": [
>>>         "manage-account",
>>>         "manage-account-links",
>>>         "view-profile"
>>>       ]
>>>     }
>>>   },
>>>   "scope": "email profile",
>>>   "clientHost": "172.19.0.1",
>>>   "clientId": "new_client",
>>>   "email_verified": false,
>>>   "preferred_username": "service-account-new_client",
>>>   "clientAddress": "172.19.0.1",
>>>   "email": "service-account-new_client at placeholder.org"
>>> }
>>>
>>> On Wed, Nov 21, 2018 at 09:53, Geoffrey Cleaves <geoff at opticks.io>
>>> wrote:
>>>
>>>> My tokens look like this. What if you "reboot", create a new client and
>>>> test it there?
>>>>
>>>> {
>>>>     "jti": "5c5a8",
>>>>     "exp": 1542812146,
>>>>     "nbf": 0,
>>>>     "iat": 1542811846,
>>>>     "iss": "https://fblah",
>>>>     "aud": [
>>>>         "account",
>>>>         "opticks-rs"
>>>>     ],
>>>>     "sub": "dee58194-6b2b31d",
>>>>     "typ": "Bearer",
>>>>     "azp": "rs",
>>>>     "auth_time": 0,
>>>>     "session_state": "a96958c1e5",
>>>>     "preferred_username": "service-account-rs",
>>>>     "email": "service-account-rs at placeholder.org",
>>>>     "email_verified": false,
>>>>     "acr": "1",
>>>>     "realm_access": {
>>>>         "roles": [
>>>>             "offline_access",
>>>>             "uma_authorization"
>>>>         ]
>>>>     },
>>>>     "resource_access": {
>>>>         "account": {
>>>>             "roles": [
>>>>                 "manage-account",
>>>>                 "manage-account-links",
>>>>                 "view-profile"
>>>>             ]
>>>>         },
>>>>         "opticks-rs": {
>>>>             "roles": [
>>>>                 "uma_protection"
>>>>             ]
>>>>         }
>>>>     },
>>>>     "scope": "email profile",
>>>>     "clientId": "rs",
>>>>     "clientHost": "0.0.0.0",
>>>>     "clientAddress": "0.0.0.0",
>>>>     "client_id": "rs",
>>>>     "username": "service-account-rs",
>>>>     "active": true
>>>> }
>>>>
>>>> On Wed, 21 Nov 2018 at 15:41, Julien Deruere <deruere.julien at gmail.com>
>>>> wrote:
>>>>
>>>>> This is all I see
>>>>>
>>>>> {
>>>>>   "jti": "6cfa6dd3-a3dd-4f5b-8560-f91832e7a35f",
>>>>>   "exp": 1542811409,
>>>>>   "nbf": 0,
>>>>>   "iat": 1542811109,
>>>>>   "iss": "http://my-keycloak:8080/auth/realms/my-realm",
>>>>>   "sub": "055a376e-d8eb-49cf-9d5f-a83226448131",
>>>>>   "typ": "Bearer",
>>>>>   "azp": "my-api-gateway",
>>>>>   "auth_time": 0,
>>>>>   "session_state": "10853e1d-ff27-4f4c-b9e1-31339774c5e4",
>>>>>   "acr": "1",
>>>>>   "scope": "profile email",
>>>>>   "clientId": "my-api-gateway",
>>>>>   "clientHost": "172.19.0.1",
>>>>>   "email_verified": false,
>>>>>   "preferred_username": "service-account-my-api-gateway",
>>>>>   "clientAddress": "172.19.0.1",
>>>>>   "email": "service-account-my-api-gateway at placeholder.org"
>>>>> }
>>>>>
>>>>> On Wed, Nov 21, 2018 at 05:57, Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Yes, you should see a claim like this:
>>>>>>
>>>>>> "resource_access": {
>>>>>>     "{client_id}": {
>>>>>>       "roles": [
>>>>>>         "{client_role}"
>>>>>>       ]
>>>>>>     }
>>>>>>   }
>>>>>>
>>>>>> On Tue, Nov 20, 2018 at 5:22 PM Geoffrey Cleaves <geoff at opticks.io>
>>>>>> wrote:
>>>>>>
>>>>>>> I understand that the client is supposed to have the role given the
>>>>>>> Admin Console settings, but does the token show that role when you
>>>>>>> introspect it?
>>>>>>>
>>>>>>> On Tue, Nov 20, 2018, 18:02 Julien Deruere <deruere.julien at gmail.com
>>>>>>> wrote:
>>>>>>>
>>>>>>>> That's exactly what I did/checked. That's why I can't figure out why it's
>>>>>>>> not working :(
>>>>>>>>
>>>>>>>> On Tue, Nov 20, 2018 at 11:53, Pedro Igor Silva <psilva at redhat.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> > This role should be a client role. For instance, if you are trying to
>>>>>>>> > create resources for C1, the service account must be granted the
>>>>>>>> > client role C1/uma_protection. See screenshot attached.
>>>>>>>> >
>>>>>>>> > Regards.
>>>>>>>> >
>>>>>>>> > On Tue, Nov 20, 2018 at 2:01 PM Julien Deruere <
>>>>>>>> deruere.julien at gmail.com>
>>>>>>>> > wrote:
>>>>>>>> >
>>>>>>>> >> In this case I'm using the protection API:
>>>>>>>> >>
>>>>>>>> >> # double quotes so the shell expands ${client_id}, ${client_secret}, ${realm_name}
>>>>>>>> >> curl -X POST \
>>>>>>>> >>     -H "Content-Type: application/x-www-form-urlencoded" \
>>>>>>>> >>     -d "grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}" \
>>>>>>>> >>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >> I'm asking for a token as a client, not as a user. And I checked: my
>>>>>>>> >> client has the uma_protection role in Service Account Roles.
>>>>>>>> >>
>>>>>>>> >> I don't know where I'm wrong?
>>>>>>>> >>
>>>>>>>> >> On Tue, Nov 20, 2018 at 10:54, Pedro Igor Silva <psilva at redhat.com>
>>>>>>>> >> wrote:
>>>>>>>> >>
>>>>>>>> >>> Hi,
>>>>>>>> >>>
>>>>>>>> >>> You need to grant the uma_protection client scope (it should be
>>>>>>>> >>> available as one of the roles associated with your resource server)
>>>>>>>> >>> to the user for which you are issuing tokens.
>>>>>>>> >>>
>>>>>>>> >>> On Tue, Nov 20, 2018 at 1:52 PM Julien Deruere <
>>>>>>>> deruere.julien at gmail.com>
>>>>>>>> >>> wrote:
>>>>>>>> >>>
>>>>>>>> >>>> Any update on this?
>>>>>>>> >>>> I got the exact same message when using POSTMAN:
>>>>>>>> >>>>
>>>>>>>> >>>> I first do this (with grant_type=client_credentials):
>>>>>>>> >>>> http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token
>>>>>>>> >>>>
>>>>>>>> >>>> And then this with the token I received:
>>>>>>>> >>>> GET http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type=zone
>>>>>>>> >>>>
>>>>>>>> >>>> Which answers me this:
>>>>>>>> >>>> {
>>>>>>>> >>>>     "error": "invalid_scope",
>>>>>>>> >>>>     "error_description": "Requires uma_protection scope."
>>>>>>>> >>>> }
>>>>>>>> >>>>
>>>>>>>> >>> _______________________________________________
>>>>>>>> >>>> keycloak-user mailing list
>>>>>>>> >>>> keycloak-user at lists.jboss.org
>>>>>>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>> >>>>
>>>>>>>> >>>
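The check this thread converges on, as an added example that is not code from the thread or from Keycloak: obtain a service-account token with the client_credentials grant, decode its claims, and confirm that the resource-server client's own uma_protection client role is present under resource_access before calling the Protection API's resource_set endpoint. The base URL, realm, client id and secret below are placeholders (assumptions), and the sample tokens are constructed unsigned so the check runs offline; the live calls mirror the curl and GET requests shown above.

```python
"""Added example, not code from the keycloak-user thread or from Keycloak.

Placeholders (assumptions, not from the thread): BASE_URL, REALM, CLIENT_ID,
CLIENT_SECRET. The endpoint paths are the ones the thread itself uses.
"""
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080/auth"  # assumed; same host/path style as the thread
REALM = "my-realm"                        # assumed
CLIENT_ID = "my-api-gateway"              # assumed: the resource-server client
CLIENT_SECRET = "<secret>"                # assumed


def b64url_decode(segment: str) -> bytes:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature. This is fine
    for local inspection (what the thread calls introspecting the token);
    never base an access decision on an unverified payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def has_uma_protection(claims: dict, client_id: str) -> bool:
    """The Protection API needs the *client* role uma_protection of the
    resource-server client, i.e. resource_access[client_id].roles. The realm
    role uma_authorization, present in every token in the thread, is not enough."""
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return "uma_protection" in roles


def diagnose(claims: dict, client_id: str) -> str:
    """Explain why a resource_set call with this token would get invalid_scope."""
    if has_uma_protection(claims, client_id):
        return "ok"
    if "resource_access" not in claims:
        return ("no resource_access claim: check the client's Service Account Roles "
                "and that the 'roles' client scope is assigned to the client")
    if client_id not in claims["resource_access"]:
        return (f"resource_access has no entry for {client_id!r}; the role is on a "
                "different client or was not granted")
    return f"{client_id!r} present but uma_protection missing from its roles"


def fetch_pat(base_url: str, realm: str, client_id: str, client_secret: str) -> str:
    """client_credentials grant: the same request as the thread's curl."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/{realm}/protocol/openid-connect/token",
        data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def list_resource_ids(base_url: str, realm: str, pat: str, resource_type: str) -> list:
    """GET .../authz/protection/resource_set?type=..., the call that answered
    'Requires uma_protection scope.' in the thread."""
    url = (f"{base_url}/realms/{realm}/authz/protection/resource_set?"
           + urllib.parse.urlencode({"type": resource_type}))
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {pat}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token (alg=none, empty signature) so the checks above
    run offline. Keycloak does not issue such tokens."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


# Constructed sample claims mirroring the working and failing tokens in the thread.
GOOD_CLAIMS = {"azp": "new_client",
               "realm_access": {"roles": ["offline_access", "uma_authorization"]},
               "resource_access": {"new_client": {"roles": ["uma_protection"]}}}
BAD_CLAIMS = {"azp": "my-api-gateway", "scope": "profile email"}


if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS), ("bad", BAD_CLAIMS)):
        print(label, "->", diagnose(decode_jwt_claims(make_unsigned_token(claims)), claims["azp"]))
    # Live use against a running Keycloak (placeholders above must be real):
    # pat = fetch_pat(BASE_URL, REALM, CLIENT_ID, CLIENT_SECRET)
    # print(diagnose(decode_jwt_claims(pat), CLIENT_ID))
    # print(list_resource_ids(BASE_URL, REALM, pat, "zone"))
```

The decode step deliberately skips signature verification because the point here is to inspect what the server put in the token, not to trust it; if the resource_access entry for the client is missing, the fix is on the Keycloak side (Service Account Roles and the "roles" client scope), not in the calling code.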


More information about the keycloak-user mailing list