[keycloak-user] Requesting permission by resource name from another resource server results in "Resource Doesn't exist"

Pedro Igor Silva psilva at redhat.com
Tue Sep 10 10:49:54 EDT 2019


Hi,

This is because resources can have the same name but different owners. If the
client is not acting on behalf of the user (user is subject in token) it
won't be able to send permission requests using the resource name. If the
client is acting on behalf of the user, then the server is capable of
matching the correct resources.

Regards.
Pedro Igor
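
To make the rule above concrete, here is a small model written for this thread (not Keycloak's code, and a simplified stand-in for what the server does): resource IDs are unique across the authorization server, while a name is only unique per owner, so a name can be resolved only when the token carries a user subject that identifies the owner. The `Resource` class, `resolve`, `parse_permission` and the sample data are assumptions; the `resource#scope` shape of the `permission` parameter and the error text are taken from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    id: str     # unique across the authorization server
    name: str   # unique only per owner
    owner: str  # user id, or the owning resource server's client id


class InvalidResource(Exception):
    """Stands in for the invalid_resource error shown in the question."""


def resolve(resources: List[Resource], identifier: str,
            subject: Optional[str] = None) -> Resource:
    """Map the resource part of a 'permission' value to one resource.

    identifier: a resource ID or a resource name
    subject:    the user the caller acts on behalf of, or None for a
                client_credentials token (simplified model, not Keycloak's code)
    """
    for r in resources:           # IDs are unique, so they always resolve
        if r.id == identifier:
            return r
    if subject is not None:       # a known owner makes the name unambiguous
        for r in resources:
            if r.name == identifier and r.owner == subject:
                return r
    # No subject: the same name may exist under several owners, so a name
    # is not accepted as an identifier at all.
    raise InvalidResource(f"Resource with id [{identifier}] does not exist.")


def parse_permission(resources: List[Resource], permission: str,
                     subject: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Split a 'permission' value of the form 'resource#scope' (scope optional)
    and return (resource_id, scope) after resolving the resource."""
    ident, _, scope = permission.partition("#")
    return resolve(resources, ident, subject).id, (scope or None)


# Constructed sample data: two users own a resource with the same name.
RESOURCES = [
    Resource("a1b2", "report", owner="alice"),
    Resource("c3d4", "report", owner="bob"),
    Resource("e5f6", "invoices", owner="alice"),
]

if __name__ == "__main__":
    print(parse_permission(RESOURCES, "report#view", subject="bob"))  # ('c3d4', 'view')
    print(parse_permission(RESOURCES, "a1b2#view"))                   # ('a1b2', 'view')
    try:
        parse_permission(RESOURCES, "report#view")                    # no subject
    except InvalidResource as e:
        print(e)  # Resource with id [report] does not exist.
```

The practical consequence for a client holding a client_credentials token is the one the thread arrives at: look the resource up by its ID rather than its name.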

On Tue, Sep 10, 2019 at 11:44 AM Or Harary <or at myobligo.com> wrote:

> Hey,
>
> When I'm logged in as a user (grant_type=password), and I'm trying to
> request a permission ticket for a resource by its name, and I'm using the
> token endpoint and grant type
> "urn:ietf:params:oauth:grant-type:uma-ticket", everything works well.
>
> But if I'm using a resource server token (from a login using
> client_credentials), and I'm trying to request permissions for a resource
> in another resource server, by the resource name, it results in the
> following error:
> {
> error: 'invalid_resource',
> error_description: 'Resource with id [my-resource-name] does not exist.'
> }
>
> When I'm requesting the resource with its ID, everything works as expected.
>
> In version 3.4 it worked well. I now checked it in version 6.0.1 and
> version 7.0.0 and it doesn't work and it seems to be because of this line:
>
> https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a4098b787b3f7/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L464
>
> Is this the expected behaviour or a bug?
>
> Thanks in advance,
> Or
