[keycloak-user] Can't request resource permissions by resource name by service account client and not user

Or Harary or at myobligo.com
Thu Jan 3 11:24:10 EST 2019


Hey,

I'm using version 4.8.1 and I'm trying to check resource permissions on
another client with the token endpoint, by the resource name, with a
client's access token, and I'm getting "Resource with id [{resourceId}]
does not exist".

I have a service account client "foobarservice". I want this service
account client to check its permissions on a "foobaresource" resource from
another client "otherservice".

myrealm
-- "foobarservice" Service Account Client
-- -- foobar resource (with always grant policy and permission)
-- "otherservice" Service Account Client

I did "client_credentials" login with the "foobarservice" and got an
access_token. With that token, I tried:

curl -X POST \
  http://keyclok:8080/auth/realms/myrealm/protocol/openid-connect/token \
  -H "Authorization: Bearer {foobarservice_access_token}" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=otherservice&permission=foobaresource&response_mode=permissions"

And got 400 bad request with the not found error.

When I'm doing the same request with some user's token, it works well.

I looked into the code (my knowledge of Java is very basic) and it seems to
be because of this:
https://github.com/keycloak/keycloak/blob/f4f68438870768ac6cc18012cfae278f9ac1e163/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L421

Is this the expected behavior, or a bug? Because when I used version 3.4 it
did work.

Thanks,
Or
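
As an added example, not part of the post above and not Keycloak's own client code, the following Python script performs the two steps the post describes (a client_credentials login, then an UMA-ticket permission request with response_mode=permissions against the token endpoint) and normalises the outcome so a caller can tell an empty permission list apart from the 400 "Resource with id [...] does not exist" error. The base URL, realm, client names, token and the canned responses are constructed placeholders; the HTTP transport is injectable so the error path can be exercised offline.

```python
"""Added example (not from the original post, not Keycloak's own code):
a minimal UMA permission-request client for the Keycloak token endpoint.
Base URL, realm, client names, bearer token and canned responses are
constructed placeholders for illustration."""
import json
import urllib.error
import urllib.parse
import urllib.request

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_url(base_url, realm):
    # Keycloak's OpenID Connect token endpoint under the given base URL.
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def client_credentials_form(client_id, client_secret):
    # Step 1: service-account login; the access_token in the response is the
    # bearer token used for the permission request in step 2.
    return [("grant_type", "client_credentials"),
            ("client_id", client_id),
            ("client_secret", client_secret)]


def uma_permission_form(audience, permissions, response_mode="permissions"):
    # Step 2: ask which of the named permissions the bearer holds on the
    # resource server 'audience'. 'permission' is repeatable; each value is
    # "resource" or "resource#scope".
    form = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    form += [("permission", p) for p in permissions]
    form.append(("response_mode", response_mode))
    return form


def urllib_transport(url, headers, body):
    # Default transport: POST the form and return (status, raw body) even on
    # 4xx, because the error body carries Keycloak's error_description.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def post_form(url, form, bearer=None, transport=urllib_transport):
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    body = urllib.parse.urlencode(form).encode()
    status, raw = transport(url, headers, body)
    return status, (json.loads(raw) if raw else None)


def request_permissions(base_url, realm, bearer, audience, permissions,
                        transport=urllib_transport):
    """Return a normalised result: granted permissions on success, or the
    status/error pair on failure (e.g. the 400 described in the post)."""
    status, data = post_form(token_url(base_url, realm),
                             uma_permission_form(audience, permissions),
                             bearer=bearer, transport=transport)
    if status == 200:
        # response_mode=permissions yields a JSON list of granted permissions,
        # each carrying rsid, rsname and (optionally) scopes.
        return {"ok": True,
                "granted": {p.get("rsname"): p.get("scopes", []) for p in data}}
    err = data if isinstance(data, dict) else {}
    return {"ok": False, "status": status, "error": err.get("error"),
            "description": err.get("error_description")}


def canned_transport(responses):
    # Offline transport: maps the requested permission name to a constructed
    # (status, payload) pair, mimicking the server's two outcomes.
    def transport(url, headers, body):
        fields = urllib.parse.parse_qs(body.decode())
        status, payload = responses[fields.get("permission", ["?"])[0]]
        return status, json.dumps(payload).encode()
    return transport


def demo():
    # Constructed sample responses: one granted resource, one unknown name.
    transport = canned_transport({
        "foobaresource": (200, [{"rsid": "placeholder-id",
                                 "rsname": "foobaresource",
                                 "scopes": ["read"]}]),
        "missing": (400, {"error": "invalid_resource",
                          "error_description":
                          "Resource with id [missing] does not exist."}),
    })
    args = ("http://keycloak:8080/auth", "myrealm", "placeholder-token",
            "otherservice")
    return (request_permissions(*args, ["foobaresource"], transport=transport),
            request_permissions(*args, ["missing"], transport=transport))


if __name__ == "__main__":
    for result in demo():
        print(json.dumps(result))
```

With a real server, drop the transport argument and pass the access_token obtained from a client_credentials POST of client_credentials_form(...) to the same token_url; the error branch is what the post's service-account request hits, while the success branch is what the user-token request returns.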

