[keycloak-user] Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}

Bruce Wings testoauth55 at gmail.com
Fri Oct 5 01:19:11 EDT 2018


Issue seems to be fixed in latest keycloak - 4.5. I just downloaded
keycloak 4.5.0 and imported realm. It's working fine.

On Fri, Oct 5, 2018 at 9:50 AM Bruce Wings <testoauth55 at gmail.com> wrote:

> What is more weird is that if I create a new realm in keycloak 4.4 and
> import client from keycloak 4.3 into this realm, then everything works
> fine. The issue appears only if I import complete realm.
>
>
> On Fri, Oct 5, 2018 at 6:41 AM Bruce Wings <testoauth55 at gmail.com> wrote:
>
>> Secondly,
>>
>> I manually added uma_protection role to my client in keycloak 4.4 like
>> this, but I still get the same exception. Is this role supposed to be added
>> in a different way?
>>
>> [image: image.png]
>>
>>
>> Firstly,
>>
>> *uma_authorization*
>> <http://localhost:9080/auth/admin/master/console/#/realms/Cadence/roles/04930c89-90ba-4330-9be0-01e7c2a579fe>
>> role is present in both the installations (4.3 and 4.4).
>> *uma_protection* role is *not* present in any.
>> Is it the case that keycloak 4.3 used to work without *uma_protection* and
>> 4.4 needs *uma_protection* role?
>>
>> On Fri, Oct 5, 2018 at 6:31 AM Bruce Wings <testoauth55 at gmail.com> wrote:
>>
>>> *uma_authorization*
>>> <http://localhost:9080/auth/admin/master/console/#/realms/Cadence/roles/04930c89-90ba-4330-9be0-01e7c2a579fe>
>>> role is present in both the installations (4.3 and 4.4).
>>> *uma_protection* role is *not* present in any.
>>> Is it the case that keycloak 4.3 used to work without *uma_protection* and
>>> 4.4 needs *uma_protection* role?
>>>
>>> On Fri, Oct 5, 2018 at 12:12 AM Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Please, check if your client is granted with a "uma_protection" client
>>>> role. I think client roles were not being exported correctly and we fixed
>>>> that in the latest release.
>>>>
>>>> On Thu, Oct 4, 2018 at 11:12 AM Bruce Wings <testoauth55 at gmail.com>
>>>> wrote:
>>>>
>>>>> I have upgraded from keycloak 4.3 to keycloak 4.4. I have exported the
>>>>> realm from 4.3 and imported in 4.4.
>>>>>
>>>>> The "policy-enforcer": {} in keycloak.json results in *403 :
>>>>> {"error":"invalid_scope","error_description":"Requires uma_protection scope."}*
>>>>>
>>>>> In keycloak 4.3 everything works fine. I have exported realm and used
>>>>> with keycloak 4.4, but the policy-enforcer does not work. Is there some
>>>>> extra step that is needed apart from exporting and importing json?
>>>>> If I remove policy-enforcer line the app works fine.
>>>>>
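>>>>> *APP code:*
>>>>> // "<json path>" is a placeholder for the classpath location of keycloak.json
>>>>> final String KEYCLOAK_JSON = "<json path>";
>>>>> InputStream config =
>>>>>     Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>>>> // Building the deployment also initialises the policy enforcer
>>>>> KeycloakInstalled keycloak = new KeycloakInstalled(config);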
>>>>>
>>>>>
>>>>>
>>>>> *Stack trace thrown at the time of starting app:*
>>>>>
>>>>> java.lang.RuntimeException: Could not find resource
>>>>> Logged in...
>>>>>     at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
>>>>>     at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
>>>>>     at org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
>>>>>     at org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
>>>>>     at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
>>>>>     at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
>>>>>     at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
>>>>>     at org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
>>>>>     at com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
>>>>> Caused by: org.keycloak.authorization.client.AuthorizationDeniedException: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
>>>>>     at org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
>>>>>     at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
>>>>>     at org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
>>>>>     at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
>>>>>     at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
>>>>>     ... 7 more
>>>>> Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
>>>>>     at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
>>>>>     at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
>>>>>     at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
>>>>>     at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
>>>>>     at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
>>>>>     ... 8 more