[keycloak-user] Requesting permission by resource name from another resource server results in "Resource Doesn't exist"

Or Harary or at myobligo.com
Tue Sep 10 16:48:42 EDT 2019


I meant resources owned by another resource server, but in the audience I
send the other resource server name.
And it's granted access by a policy.
So for example, I'm requesting "resourceA", which is inside "clientA" and
owned by it, and I'm making the request with the token of "clientB", and in
the "audience" I'm sending "clientA".
That doesn't work =/
So why isn't the "audience" used to filter the correct client to find the
resource inside, using the name?

Thanks again very much for the reply and the help! =]

On Tue, Sep 10, 2019, 23:27, Pedro Igor Silva <psilva at redhat.com> wrote:

> If you mean resources owned by the resource server itself (the default
> owner for any resource you create) then the server is able to get the right
> resource by the name given that only a single resource with a given name
> should exist.
>
> On Tue, Sep 10, 2019 at 12:05 PM Or Harary <or at myobligo.com> wrote:
>
>> Just another small question regarding this - I'm sending the "audience"
>> parameter with the resource server id (client id) that I want to check the
>> permissions on, why doesn't it use it to filter the correct resource server
>> and find the resource with the name inside that resource server? why is it
>> different to a user if the user also isn't the owner?
>>
>> *Or Harary*, VP R&D
>> IL +972-54-5821080
>>
>>
>> On Tue, Sep 10, 2019 at 5:55 PM Or Harary <or at myobligo.com> wrote:
>>
>>> Got it, thank you very much for the clarification.
>>>
>>> On Tue, Sep 10, 2019 at 5:50 PM Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> This is because resources can have same name but different owners. If
>>>> the client is not acting on behalf of the user (user is subject in token)
>>>> it won't be able to send permission requests using the resource name. If
>>>> the client is acting on behalf of the user, then the server is capable of
>>>> matching the correct resources.
>>>>
>>>> Regards.
>>>> Pedro Igor
>>>>
>>>> On Tue, Sep 10, 2019 at 11:44 AM Or Harary <or at myobligo.com> wrote:
>>>>
>>>>> Hey,
>>>>>
>>>>> When I'm logged in as a user (grant_type=password), and I'm trying to
>>>>> request a permission ticket for a resource by its name, and I'm using
>>>>> the
>>>>> token endpoint and grant type
>>>>> "urn:ietf:params:oauth:grant-type:uma-ticket", everything works well.
>>>>>
>>>>> But if I'm using a resource server token (from a login using
>>>>> client_credentials), and i'm trying to request permissions for a
>>>>> resource
>>>>> in another resource server, by the resource name, it results with the
>>>>> following error:
>>>>> {
>>>>> error: 'invalid_resource',
>>>>> error_description: 'Resource with id [my-resource-name] does not
>>>>> exist.'
>>>>> }
>>>>>
>>>>> When I'm requesting the resource with its ID, everything works as
>>>>> expected.
>>>>>
>>>>> In version 3.4 it worked well. I now checked it in version 6.0.1 and
>>>>> version 7.0.0 and it doesn't work and it seems to be because of this
>>>>> line:
>>>>>
>>>>> https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a4098b787b3f7/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L464
>>>>>
>>>>> Is this the expected behaviour or a bug?
>>>>>
>>>>> Thanks in advance,
>>>>> Or
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>


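The exchange described in this thread (a permission request by resource name that fails with `invalid_resource` when made with a client_credentials token, and the same request succeeding by resource ID) as an added, runnable example. This is not code from the thread or from Keycloak; it assumes the token endpoint path `/realms/{realm}/protocol/openid-connect/token`, the `permission=<resource>#<scopes>` parameter format, and the Protection API query `/authz/protection/resource_set?name=...&exactName=true` as documented for Keycloak. The `fake_keycloak` transport, the `RESOURCE_A_ID` UUID and all token strings are constructed stand-ins so the module runs offline; swap in `_urllib_transport` to talk to a real server.

```python
"""Requesting UMA permissions from Keycloak, by name and by resource ID.

Added example (not the thread's or Keycloak's code). Assumed endpoints:
  POST {base}/realms/{realm}/protocol/openid-connect/token
       grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
       audience=<resource server client id>  permission=<resource>#<scopes>
  GET  {base}/realms/{realm}/authz/protection/resource_set?name=..&exactName=true
       (Protection API; called with the owning resource server's own token)
"""
import json
from typing import Callable, Dict, List, Optional, Sequence, Tuple
from urllib import error, parse, request

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# transport(method, url, headers, body) -> (status, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


class InvalidResource(Exception):
    """error=invalid_resource: the server could not map `permission` to a resource.
    This is what the thread sees when clientB's token names a resource of clientA."""


def _urllib_transport(method, url, headers, body=None):
    """Real HTTP transport; 4xx bodies still carry Keycloak's JSON error."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()


def permission_param(resource: str, scopes: Sequence[str] = ()) -> str:
    """One `permission` value: `<resource id or name>[#scope1,scope2]`."""
    return f"{resource}#{','.join(scopes)}" if scopes else resource


def build_permission_request(audience: str, permissions: Sequence[str]) -> List[Tuple[str, str]]:
    """Form fields for the uma-ticket grant (a list, since `permission` may repeat)."""
    return [("grant_type", UMA_TICKET_GRANT), ("audience", audience)] + \
        [("permission", p) for p in permissions]


def parse_token_response(status: int, body: str) -> dict:
    """Decoded RPT response on 200; InvalidResource for the thread's error."""
    data = json.loads(body)
    if status == 200:
        return data
    if data.get("error") == "invalid_resource":
        raise InvalidResource(data.get("error_description", ""))
    raise RuntimeError(f"token endpoint returned {status}: {data}")


def request_permissions(base_url, realm, bearer, audience, permissions,
                        transport: Transport = _urllib_transport) -> dict:
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = parse.urlencode(build_permission_request(audience, permissions)).encode()
    headers = {"Authorization": f"Bearer {bearer}",
               "Content-Type": "application/x-www-form-urlencoded"}
    status, text = transport("POST", url, headers, body)
    return parse_token_response(status, text)


def resolve_resource_ids(base_url, realm, pat, name,
                         transport: Transport = _urllib_transport) -> List[str]:
    """Name -> IDs via the Protection API, using the owning resource server's token."""
    query = parse.urlencode({"name": name, "exactName": "true"})
    url = f"{base_url}/realms/{realm}/authz/protection/resource_set?{query}"
    status, text = transport("GET", url, {"Authorization": f"Bearer {pat}"}, None)
    if status != 200:
        raise RuntimeError(f"resource_set lookup returned {status}: {text}")
    return json.loads(text)


# Constructed stub reproducing the reported behaviour: by name from clientB's
# token fails, by ID succeeds, and clientA can map the name to the ID itself.
RESOURCE_A_ID = "11111111-2222-3333-4444-555555555555"  # placeholder UUID


def fake_keycloak(method, url, headers, body):
    if url.endswith("/authz/protection/resource_set?name=resourceA&exactName=true"):
        return 200, json.dumps([RESOURCE_A_ID])
    fields = dict(parse.parse_qsl(body.decode()))
    if fields["permission"].split("#")[0] == RESOURCE_A_ID:
        return 200, json.dumps({"access_token": "rpt.placeholder", "token_type": "Bearer"})
    return 400, json.dumps({"error": "invalid_resource", "error_description":
                            f"Resource with id [{fields['permission']}] does not exist."})


def demo(base="http://localhost:8080", realm="demo", transport=fake_keycloak) -> dict:
    """Fail by name with clientB's token, then succeed with the resolved ID."""
    try:
        request_permissions(base, realm, "clientB.token", "clientA", ["resourceA#read"], transport)
        raise RuntimeError("expected invalid_resource")
    except InvalidResource:
        pass
    rid = resolve_resource_ids(base, realm, "clientA.token", "resourceA", transport)[0]
    return request_permissions(base, realm, "clientB.token", "clientA",
                               [permission_param(rid, ["read"])], transport)


if __name__ == "__main__":
    print(demo())
```

Requesting by ID only sidesteps the name lookup; whether clientB actually receives an RPT is still decided by the policies attached to clientA's resource, which is the intended check.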