[keycloak-user] Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}

Bruce Wings testoauth55 at gmail.com
Thu Oct 4 21:01:32 EDT 2018


uma_authorization
<http://localhost:9080/auth/admin/master/console/#/realms/Cadence/roles/04930c89-90ba-4330-9be0-01e7c2a579fe>
role is present in both the installations (4.3 and 4.4). *uma_protection* role
is *not* present in any.
Is it the case that keycloak 4.3 used to work without *uma_protection* and
4.4 needs *uma_protection* role?

On Fri, Oct 5, 2018 at 12:12 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Please, check if your client is granted with a "uma_protection" client
> role. I think client roles were not being exported correctly and we fixed
> that in the latest release.
>
> On Thu, Oct 4, 2018 at 11:12 AM Bruce Wings <testoauth55 at gmail.com> wrote:
>
>> I have upgraded from keycloak 4.3 to keycloak 4.4. I have exported the
>> realm from 4.3 and imported in 4.4.
>>
>> The "policy-enforcer": {} in keycloak.json results in *403:
>> {"error":"invalid_scope","error_description":"Requires uma_protection scope."}*
>>
>> In keycloak 4.3 everything works fine. I have exported realm and used with
>> keycloak 4.4, but the policy-enforcer does not work. Is there some extra
>> step that is needed apart from exporting and importing json?
>> If I remove policy-enforcer line the app works fine.
>>
>> *APP code:*
>> final String KEYCLOAK_JSON = //json path;
>> InputStream config = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>> KeycloakInstalled keycloak = new KeycloakInstalled(config);
>>
>>
>>
>> *Stack trace thrown at the time of starting app:*
>>
>> java.lang.RuntimeException: Could not find resource
>> Logged in...
>>     at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
>>     at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
>>     at org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
>>     at org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
>>     at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
>>     at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
>>     at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
>>     at org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
>>     at com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
>> Caused by: org.keycloak.authorization.client.AuthorizationDeniedException: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
>>     at org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
>>     at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
>>     at org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
>>     at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
>>     at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
>>     ... 7 more
>> Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
>>     at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
>>     at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
>>     at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
>>     at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
>>     at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
>>     ... 8 more
>
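
The check suggested in the reply quoted above (is the client granted a "uma_protection" client role?) can be run against the exported realm JSON before it is imported. This is an added example, not part of the original thread and not Keycloak's own code; it assumes the usual realm export layout (`clients[].authorizationServicesEnabled`, `roles.client`, `users[].serviceAccountClientId` and `users[].clientRoles`), and the sample export and client names are constructed.

```python
import json

ROLE = "uma_protection"

# Constructed sample export (not from the thread): "app-broken" has
# authorization services enabled but lost its client role on export.
SAMPLE_EXPORT = json.loads("""
{
  "realm": "example",
  "clients": [
    {"clientId": "app-ok", "authorizationServicesEnabled": true},
    {"clientId": "app-broken", "authorizationServicesEnabled": true},
    {"clientId": "plain-client"}
  ],
  "roles": {"client": {"app-ok": [{"name": "uma_protection"}], "app-broken": []}},
  "users": [
    {"username": "service-account-app-ok", "serviceAccountClientId": "app-ok",
     "clientRoles": {"app-ok": ["uma_protection"]}},
    {"username": "service-account-app-broken", "serviceAccountClientId": "app-broken"}
  ]
}
""")

def check_uma_protection(export):
    """Return {clientId: [problems]} for clients that use authorization services."""
    client_roles = (export.get("roles") or {}).get("client") or {}
    svc_accounts = {u["serviceAccountClientId"]: u
                    for u in export.get("users") or []
                    if u.get("serviceAccountClientId")}
    findings = {}
    for client in export.get("clients") or []:
        if not client.get("authorizationServicesEnabled"):
            continue  # the policy enforcer does not apply to this client
        cid, problems = client["clientId"], []
        defined = {r.get("name") for r in client_roles.get(cid) or []}
        if ROLE not in defined:
            problems.append("client role not defined")
        account = svc_accounts.get(cid)
        if account is None:
            problems.append("service account user missing")
        elif ROLE not in ((account.get("clientRoles") or {}).get(cid) or []):
            problems.append("service account not granted role")
        if problems:
            findings[cid] = problems
    return findings

if __name__ == "__main__":
    for cid, problems in check_uma_protection(SAMPLE_EXPORT).items():
        print(f"{cid}: {ROLE}: " + "; ".join(problems))
```

An export taken without users will report "service account user missing" for every such client, so run it on a full export.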