[keycloak-user] Requesting permission by resource name from another resource server results in "Resource Doesn't exist"

Pedro Igor Silva psilva at redhat.com
Wed Sep 11 08:45:25 EDT 2019


I see now. I think we can improve that. Do you mind creating an issue?

On Tue, Sep 10, 2019 at 5:48 PM Or Harary <or at myobligo.com> wrote:

> I meant resources owned by another resource server, but in the audience I
> send the other resource server name.
> And it's granted access by a policy.
> So for example, I'm requesting "resourceA", which is inside "clientA" and
> owned by it, and I'm making the request with the token of "clientB", and in
> the "audience" I'm sending "clientA".
> That doesn't work =/
> So why isn't the "audience" used to filter the correct client to find the
> resource inside, using the name?
>
> Thanks again very much for the reply and the help! =]
>
> On Tue, 10 Sep 2019 at 23:27, Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> If you mean resources owned by the resource server itself (the default
>> owner for any resource you create) then the server is able to get the right
>> resource by the name given that only a single resource with a given name
>> should exist.
>>
>> On Tue, Sep 10, 2019 at 12:05 PM Or Harary <or at myobligo.com> wrote:
>>
>>> Just another small question regarding this - I'm sending the "audience"
>>> parameter with the resource server id (client id) that I want to check the
>>> permissions on, why doesn't it use it to filter the correct resource server
>>> and find the resource with the name inside that resource server? Why is it
>>> different for a user if the user also isn't the owner?
>>>
>>> *Or Harary*, VP R&D
>>> IL +972-54-5821080
>>>
>>>
>>> On Tue, Sep 10, 2019 at 5:55 PM Or Harary <or at myobligo.com> wrote:
>>>
>>>> Got it, thank you very much for the clarification.
>>>>
>>>> On Tue, Sep 10, 2019 at 5:50 PM Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> This is because resources can have the same name but different owners. If
>>>>> the client is not acting on behalf of the user (user is subject in token)
>>>>> it won't be able to send permission requests using the resource name. If
>>>>> the client is acting on behalf of the user, then the server is capable of
>>>>> matching the correct resources.
>>>>>
>>>>> Regards.
>>>>> Pedro Igor
>>>>>
>>>>> On Tue, Sep 10, 2019 at 11:44 AM Or Harary <or at myobligo.com> wrote:
>>>>>
>>>>>> Hey,
>>>>>>
>>>>>> When I'm logged in as a user (grant_type=password), and I'm trying to
>>>>>> request a permission ticket for a resource by its name, and I'm using the
>>>>>> token endpoint and grant type
>>>>>> "urn:ietf:params:oauth:grant-type:uma-ticket", everything works well.
>>>>>>
>>>>>> But if I'm using a resource server token (from a login using
>>>>>> client_credentials), and I'm trying to request permissions for a resource
>>>>>> in another resource server, by the resource name, it results in the
>>>>>> following error:
>>>>>> {
>>>>>>   error: 'invalid_resource',
>>>>>>   error_description: 'Resource with id [my-resource-name] does not exist.'
>>>>>> }
>>>>>>
>>>>>> When I'm requesting the resource with its ID, everything works as
>>>>>> expected.
>>>>>>
>>>>>> In version 3.4 it worked well. I now checked it in version 6.0.1 and
>>>>>> version 7.0.0 and it doesn't work and it seems to be because of this
>>>>>> line:
>>>>>>
>>>>>> https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a4098b787b3f7/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L464
>>>>>>
>>>>>> Is this the expected behaviour or a bug?
>>>>>>
>>>>>> Thanks in advance,
>>>>>> Or
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
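The thread ends with the practical state of things: a permission request made with a client_credentials token must name resources by id, not by name, because a name is only unique per owner and the server has no user subject to disambiguate by. The script below is an added example, not code from the thread or from the Keycloak project. It resolves a name to an id through the owning resource server's Protection API (`GET /realms/{realm}/authz/protection/resource_set?name=...&exactName=true`), then asks the token endpoint for an RPT with the UMA ticket grant using that id. The Keycloak base URL, realm name, client names and tokens are assumptions; the `FakeKeycloak` class is a constructed stand-in for the two endpoints that mimics the reported client_credentials behaviour (ids accepted, names rejected) so the example runs offline.

```python
import json
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_url(base_url, realm):
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def resource_set_url(base_url, realm):
    return f"{base_url}/realms/{realm}/authz/protection/resource_set"


def urllib_transport(method, url, headers, body=None):
    """Real transport for a live Keycloak: returns (status, body_text); 4xx/5xx are returned, not raised."""
    req = Request(url, data=body, method=method, headers=headers)
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def permission_form(audience, permissions):
    """Form body of a UMA permission request; each entry is 'resource_id' or 'resource_id#scope'."""
    fields = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    fields += [("permission", p) for p in permissions]
    return urlencode(fields)


def resolve_resource_ids(transport, base_url, realm, owner_pat, name):
    """Map an exact resource name to its ids via the Protection API.
    owner_pat must be a token of the client that owns the resources (the
    Protection API is scoped to that resource server). Empty list = no match."""
    query = urlencode({"name": name, "exactName": "true"})
    status, body = transport("GET", f"{resource_set_url(base_url, realm)}?{query}",
                             {"Authorization": f"Bearer {owner_pat}"})
    if status != 200:
        raise RuntimeError(f"resource lookup failed: HTTP {status}: {body}")
    return json.loads(body)


def request_rpt(transport, base_url, realm, caller_token, audience, permissions):
    """Ask the token endpoint for an RPT; returns a dict with either the RPT or the error."""
    headers = {"Authorization": f"Bearer {caller_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    status, body = transport("POST", token_url(base_url, realm), headers,
                             permission_form(audience, permissions).encode())
    data = json.loads(body)
    if status == 200:
        return {"granted": True, "rpt": data["access_token"]}
    return {"granted": False, "error": data.get("error"),
            "description": data.get("error_description")}


def request_rpt_by_name(transport, base_url, realm, caller_token, owner_pat, audience, name, scope=None):
    """Name -> id -> permission request, the workaround for the thread's error."""
    ids = resolve_resource_ids(transport, base_url, realm, owner_pat, name)
    if not ids:
        return {"granted": False, "error": "unknown_resource_name", "description": name}
    suffix = f"#{scope}" if scope else ""
    return request_rpt(transport, base_url, realm, caller_token, audience,
                       [rid + suffix for rid in ids])


class FakeKeycloak:
    """Constructed offline stand-in: name lookups work through the Protection API,
    while the token endpoint only recognises resource ids (the client_credentials case)."""

    def __init__(self):
        # constructed sample data: one resource named "resourceA" owned by clientA
        self.resources = {"resourceA": "00000000-0000-4000-8000-00000000000a"}

    def __call__(self, method, url, headers, body=None):
        if method == "GET" and urlparse(url).path.endswith("/authz/protection/resource_set"):
            name = parse_qs(urlparse(url).query).get("name", [""])[0]
            return 200, json.dumps([self.resources[name]] if name in self.resources else [])
        if method == "POST" and url.endswith("/protocol/openid-connect/token"):
            for perm in parse_qs(body.decode()).get("permission", []):
                rid = perm.split("#", 1)[0]
                if rid not in self.resources.values():
                    return 400, json.dumps({"error": "invalid_resource",
                                            "error_description": f"Resource with id [{rid}] does not exist."})
            return 200, json.dumps({"access_token": "rpt-constructed"})
        return 404, "{}"


if __name__ == "__main__":
    kc, base, realm = FakeKeycloak(), "https://keycloak.example", "demo"   # assumed values
    print(request_rpt(kc, base, realm, "clientB-token", "clientA", ["resourceA"]))
    print(request_rpt_by_name(kc, base, realm, "clientB-token", "clientA-pat", "clientA", "resourceA", "read"))
```

Note the dependency this makes explicit: looking a name up requires a Protection API token of the client that owns the resource (clientA above), so clientB cannot do it with its own credentials alone. Either the owning resource server exposes ids to its callers, or the lookup is performed by a component that holds the owner's PAT; with `exactName=true` the lookup returns only exact matches, so a name that is unique within clientA resolves to exactly one id.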