[keycloak-user] Requesting permission by resource name from another resource server results in "Resource Doesn't exist"

Or Harary or at myobligo.com
Tue Sep 10 10:55:29 EDT 2019


Got it, thank you very much for the clarification.

On Tue, Sep 10, 2019 at 5:50 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> This is because resources can have same name but different owners. If the
> client is not acting on behalf of the user (user is subject in token) it
> won't be able to send permission requests using the resource name. If the
> client is acting on behalf of the user, then the server is capable of
> matching the correct resources.
>
> Regards.
> Pedro Igor
>
> On Tue, Sep 10, 2019 at 11:44 AM Or Harary <or at myobligo.com> wrote:
>
>> Hey,
>>
>> When I'm logged in as a user (grant_type=password), and I'm trying to
>> request a permission ticket for a resource by its name, and I'm using the
>> token endpoint and grant type
>> "urn:ietf:params:oauth:grant-type:uma-ticket", everything works well.
>>
>> But if I'm using a resource server token (from a login using
>> client_credentials), and I'm trying to request permissions for a resource
>> in another resource server, by the resource name, it results with the
>> following error:
>> {
>> error: 'invalid_resource',
>> error_description: 'Resource with id [my-resource-name] does not exist.'
>> }
>>
>> When I'm requesting the resource with its ID, everything works as
>> expected.
>>
>> In version 3.4 it worked well. I now checked it in version 6.0.1 and
>> version 7.0.0 and it doesn't work and it seems to be because of this line:
>>
>> https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a4098b787b3f7/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L464
>>
>> Is this the expected behaviour or a bug?
>>
>> Thanks in advance,
>> Or
>>
>
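
The owner-scoped name lookup described in the reply above, as an added example that is not part of the thread and is not Keycloak's code: a simplified model in which a resource name is only unique per owner, so a name can be resolved only relative to a user subject, while an ID resolves directly. The `Resource` class, the `resolve` function, the subject names and the sample data are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    id: str      # unique within the resource server
    name: str    # unique only per owner
    owner: str   # id of the owning user


# Constructed sample data: two users own a resource with the same name.
RESOURCES = [
    Resource("r-1", "my-resource-name", "alice"),
    Resource("r-2", "my-resource-name", "bob"),
]


class InvalidResource(Exception):
    """Models the 'invalid_resource' error quoted in the thread."""


def resolve(ref, subject, acting_for_user):
    """Resolve the resource part of a permission request (resolution only,
    no policy evaluation).

    ref             -- resource ID or resource name sent by the client
    subject         -- subject of the access token
    acting_for_user -- True when the token subject is a user (e.g. password
                       grant), False for a client_credentials token
    """
    # An ID identifies exactly one resource, whoever is asking.
    for r in RESOURCES:
        if r.id == ref:
            return r
    # A name is ambiguous across owners; it is matched only against the
    # resources of the user the client is acting for.
    if acting_for_user:
        for r in RESOURCES:
            if r.name == ref and r.owner == subject:
                return r
    raise InvalidResource(f"Resource with id [{ref}] does not exist.")
```

In this model a client_credentials caller has no user subject to disambiguate the name, so only the ID form of the request resolves, which matches the behaviour reported in the thread.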

