[keycloak-user] Requesting permission by resource name from another resource server results in "Resource Doesn't exist"

Or Harary or at myobligo.com
Tue Sep 10 11:05:27 EDT 2019


Just another small question regarding this - I'm sending the "audience"
parameter with the resource server id (client id) that I want to check the
permissions on. Why doesn't it use it to filter the correct resource server
and find the resource with that name inside that resource server? Why is it
different for a user, if the user also isn't the owner?

*Or Harary*, VP R&D
IL +972-54-5821080


On Tue, Sep 10, 2019 at 5:55 PM Or Harary <or at myobligo.com> wrote:

> Got it, thank you very much for the clarification.
>
> On Tue, Sep 10, 2019 at 5:50 PM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hi,
>>
>> This is because resources can have same name but different owners. If the
>> client is not acting on behalf of the user (user is subject in token) it
>> won't be able to send permission requests using the resource name. If the
>> client is acting on behalf of the user, then the server is capable of
>> matching the correct resources.
>>
>> Regards.
>> Pedro Igor
>>
>> On Tue, Sep 10, 2019 at 11:44 AM Or Harary <or at myobligo.com> wrote:
>>
>>> Hey,
>>>
>>> When I'm logged in as a user (grant_type=password), and I'm trying to
>>> request a permission ticket for a resource by its name, and I'm using the
>>> token endpoint and grant type
>>> "urn:ietf:params:oauth:grant-type:uma-ticket", everything works well.
>>>
>>> But if I'm using a resource server token (from a login using
>>> client_credentials), and I'm trying to request permissions for a resource
>>> in another resource server by the resource name, it results in the
>>> following error:
>>> {
>>> error: 'invalid_resource',
>>> error_description: 'Resource with id [my-resource-name] does not exist.'
>>> }
>>>
>>> When I'm requesting the resource with its ID, everything works as
>>> expected.
>>>
>>> In version 3.4 it worked well. I now checked it in version 6.0.1 and
>>> version 7.0.0 and it doesn't work and it seems to be because of this
>>> line:
>>>
>>> https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a4098b787b3f7/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L464
>>>
>>> Is this the expected behaviour or a bug?
>>>
>>> Thanks in advance,
>>> Or
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
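To make the ownership point from the thread concrete, the following is a small model of the lookup Pedro describes: an ID is unique and always resolves, while a name is only unique per owner, so the server can only resolve it against the token's subject. This is an added illustration and not Keycloak's AuthorizationTokenService code; the registry, the client ids ("app-a", "app-b"), the user ids and the resource ids are constructed for the example, and the token-endpoint form fields are the ones quoted in the thread (grant_type, audience, permission).

```python
# Added illustration (not Keycloak's code): model of how the resource part of
# a UMA ticket request's `permission` parameter is resolved, showing why a
# resource *name* is ambiguous unless the token's subject is the owner, while
# a resource *ID* always resolves, even after filtering on `audience`.
from dataclasses import dataclass
from typing import Dict, List

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


@dataclass(frozen=True)
class Resource:
    resource_id: str      # server-generated, unique within the realm
    name: str             # chosen by the owner, NOT unique across owners
    owner: str            # subject that registered it (e.g. a user id)
    resource_server: str  # client id of the resource server holding it


class InvalidResource(Exception):
    """Mirrors the error=invalid_resource response quoted in the thread."""


# Constructed sample registry (hypothetical ids): two users of resource
# server "app-a" both registered a resource called "my-resource-name".
REGISTRY: List[Resource] = [
    Resource("0f1b4a6e-1111-4b2a-9c3d-000000000001", "my-resource-name", "user-alice", "app-a"),
    Resource("0f1b4a6e-2222-4b2a-9c3d-000000000002", "my-resource-name", "user-bob", "app-a"),
]


def ticket_request_form(permission: str, audience: str) -> Dict[str, str]:
    """Form body POSTed to /auth/realms/<realm>/protocol/openid-connect/token:
    grant_type=uma-ticket, audience=<resource server client id>,
    permission=<resource id or name>[#scope]."""
    return {"grant_type": UMA_TICKET_GRANT, "audience": audience, "permission": permission}


def resolve_resource(form: Dict[str, str], subject: str) -> Resource:
    """Resolve the resource referenced by `permission` for a token whose
    `sub` claim is `subject`. Raises InvalidResource exactly as the thread shows."""
    ref = form["permission"].split("#", 1)[0]  # drop the optional "#scope" part
    # `audience` narrows the search to one resource server, but that still
    # leaves every owner's resource of that name.
    in_server = [r for r in REGISTRY if r.resource_server == form["audience"]]

    # 1. An ID is unique, so it resolves regardless of who is asking.
    for r in in_server:
        if r.resource_id == ref:
            return r

    # 2. A name is only unambiguous relative to an owner, and the only owner
    #    the server can infer is the token's subject. A client_credentials
    #    token's subject is the client's service account, never a user, so
    #    this branch cannot match a user-owned resource.
    for r in in_server:
        if r.name == ref and r.owner == subject:
            return r

    raise InvalidResource(f"Resource with id [{ref}] does not exist.")


def outcome(form: Dict[str, str], subject: str) -> str:
    """Return the resolved owner, or the error text the token endpoint would send."""
    try:
        return resolve_resource(form, subject).owner
    except InvalidResource as err:
        return str(err)


if __name__ == "__main__":
    by_name = ticket_request_form("my-resource-name#read", "app-a")
    by_id = ticket_request_form(REGISTRY[1].resource_id + "#read", "app-a")
    # password grant: subject is the user, so the name resolves to Alice's copy
    print(outcome(by_name, "user-alice"))
    # client_credentials for another client: subject is a service account
    print(outcome(by_name, "service-account-app-b"))
    # the same service account succeeds when it sends the resource ID
    print(outcome(by_id, "service-account-app-b"))
```

The second call reproduces the invalid_resource error from the thread: filtering on `audience` selects "app-a", but two resources there share the name, and the service-account subject owns neither. The third call shows the workaround the thread already found, sending the ID, which needs no owner to disambiguate.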

