[keycloak-user] Requesting permission by resource name from another resource server results in "Resource Doesn't exist"

Pedro Igor Silva psilva at redhat.com
Tue Sep 10 16:27:00 EDT 2019


If you mean resources owned by the resource server itself (the default
owner for any resource you create) then the server is able to get the right
resource by the name given that only a single resource with a given name
should exist.

On Tue, Sep 10, 2019 at 12:05 PM Or Harary <or at myobligo.com> wrote:

> Just another small question regarding this - I'm sending the "audience"
> parameter with the resource server id (client id) that I want to check the
> permissions on, why doesn't it use it to filter the correct resource server
> and find the resource with the name inside that resource server? Why is it
> different to a user if the user also isn't the owner?
>
> *Or Harary*, VP R&D
> IL +972-54-5821080
>
>
> On Tue, Sep 10, 2019 at 5:55 PM Or Harary <or at myobligo.com> wrote:
>
>> Got it, thank you very much for the clarification.
>>
>> On Tue, Sep 10, 2019 at 5:50 PM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> This is because resources can have the same name but different owners. If
>>> the client is not acting on behalf of the user (user is subject in token)
>>> it won't be able to send permission requests using the resource name. If
>>> the client is acting on behalf of the user, then the server is capable of
>>> matching the correct resources.
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Tue, Sep 10, 2019 at 11:44 AM Or Harary <or at myobligo.com> wrote:
>>>
>>>> Hey,
>>>>
>>>> When I'm logged in as a user (grant_type=password), and I'm trying to
>>>> request a permission ticket for a resource by its name, and I'm using
>>>> the
>>>> token endpoint and grant type
>>>> "urn:ietf:params:oauth:grant-type:uma-ticket", everything works well.
>>>>
>>>> But if I'm using a resource server token (from a login using
>>>> client_credentials), and I'm trying to request permissions for a
>>>> resource
>>>> in another resource server, by the resource name, it results in the
>>>> following error:
>>>> {
>>>> error: 'invalid_resource',
>>>> error_description: 'Resource with id [my-resource-name] does not exist.'
>>>> }
>>>>
>>>> When I'm requesting the resource with its ID, everything works as
>>>> expected.
>>>>
>>>> In version 3.4 it worked well. I now checked it in version 6.0.1 and
>>>> version 7.0.0 and it doesn't work and it seems to be because of this
>>>> line:
>>>>
>>>> https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a4098b787b3f7/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L464
>>>>
>>>> Is this the expected behaviour or a bug?
>>>>
>>>> Thanks in advance,
>>>> Or
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
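Added example (not code from the thread or from Keycloak itself) illustrating the two request shapes discussed above: the UMA ticket grant sent to the token endpoint with `audience` and `permission`, and a name-to-id lookup so that a `client_credentials` caller, which Keycloak does not let resolve resources by name, can retry by the unambiguous resource id. Assumptions: the Protection API `resource_set?name=...&exactName=true` query and the `fetch` callable are mine; the lookup must be made with the PAT of the resource server that owns the resource, and the server URL, realm and ids are placeholders.

```python
"""Helpers for Keycloak's UMA ticket grant (urn:ietf:params:oauth:grant-type:uma-ticket)."""
import json
import urllib.parse
import urllib.request

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def uma_ticket_form(audience, resource, scope=None):
    """Form body for a permission request against resource server `audience`.
    `resource` may be a name or an id; per the thread, Keycloak only resolves
    a name when the token's subject is a user, so prefer the id otherwise."""
    permission = resource if scope is None else f"{resource}#{scope}"
    return {"grant_type": UMA_TICKET_GRANT, "audience": audience, "permission": permission}


def is_unknown_resource(error_body):
    """True when the token endpoint answered with the 'invalid_resource'
    error quoted in the thread (resource could not be resolved)."""
    try:
        err = json.loads(error_body)
    except (TypeError, ValueError):
        return False
    return isinstance(err, dict) and err.get("error") == "invalid_resource"


def resolve_resource_id(base_url, realm, pat, name, fetch=None):
    """Map a resource name to its id via the owning resource server's
    Protection API (assumed endpoint), authenticated with that server's PAT.
    `fetch(url, headers) -> str` is injectable for offline testing; the
    default does a real HTTPS GET. Raises if the name is not unique."""
    url = (f"{base_url}/realms/{realm}/authz/protection/resource_set?"
           + urllib.parse.urlencode({"name": name, "exactName": "true"}))
    headers = {"Authorization": f"Bearer {pat}"}
    if fetch is None:
        def fetch(u, h):
            req = urllib.request.Request(u, headers=h)
            with urllib.request.urlopen(req) as resp:
                return resp.read().decode()
    ids = json.loads(fetch(url, headers))
    if len(ids) != 1:
        raise LookupError(f"expected exactly one resource named {name!r}, got {len(ids)}")
    return ids[0]
```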

