[keycloak-user] Requesting permission by resource name from another resource server results in "Resource Doesn't exist"

Or Harary or at myobligo.com
Wed Sep 11 09:57:40 EDT 2019


Sure. Created one -  https://issues.jboss.org/browse/KEYCLOAK-11352
I didn't know whether to file it as a task for filtering by audience or as a bug,
because it used to work. Hope I described it correctly.
Thanks!!

*Or Harary*, VP R&D
IL +972-54-5821080


On Wed, Sep 11, 2019 at 3:45 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> I see now. I think we can improve that. Do you mind creating an issue ?
>
> On Tue, Sep 10, 2019 at 5:48 PM Or Harary <or at myobligo.com> wrote:
>
>> I meant resources owned by another resource server, but in the audience I
>> send the other resource server name.
>> And its granted access by a policy.
>> So for example, I'm requesting "resourceA", which is inside "clientA" and
>> owned by it, and I'm making the request with the token of "clientB", and in
>> the "audience" I'm sending "clientA".
>> That doesn't work =/
>> So why isn't the "audience" used to filter the correct client to find the
>> resource inside, using the name?
>>
>> Thanks again very much for the reply and the help! =]
>>
>> On Tue, 10 Sep 2019, 23:27, Pedro Igor Silva <
>> psilva at redhat.com> wrote:
>>
>>> If you mean resources owned by the resource server itself (the default
>>> owner for any resource you create) then the server is able to get the right
>>> resource by the name given that only a single resource with a given name
>>> should exist.
>>>
>>> On Tue, Sep 10, 2019 at 12:05 PM Or Harary <or at myobligo.com> wrote:
>>>
>>>> Just another small question regarding this - I'm sending the "audience"
>>>> parameter with the resource server id (client id) that I want to check the
>>>> permissions on, so why doesn't it use it to filter the correct resource server
>>>> and find the resource with that name inside that resource server? Why is it
>>>> different for a user, if the user also isn't the owner?
>>>>
>>>> *Or Harary*, VP R&D
>>>> IL +972-54-5821080
>>>>
>>>>
>>>> On Tue, Sep 10, 2019 at 5:55 PM Or Harary <or at myobligo.com> wrote:
>>>>
>>>>> Got it, thank you very much for the clarification.
>>>>>
>>>>> On Tue, Sep 10, 2019 at 5:50 PM Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> This is because resources can have same name but different owners. If
>>>>>> the client is not acting on behalf of the user (user is subject in token)
>>>>>> it won't be able to send permission requests using the resource name. If
>>>>>> the client is acting on behalf of the user, then the server is capable of
>>>>>> matching the correct resources.
>>>>>>
>>>>>> Regards.
>>>>>> Pedro Igor
>>>>>>
>>>>>> On Tue, Sep 10, 2019 at 11:44 AM Or Harary <or at myobligo.com> wrote:
>>>>>>
>>>>>>> Hey,
>>>>>>>
>>>>>>> When I'm logged in as a user (grant_type=password), and I'm trying to
>>>>>>> request a permission ticket for a resource by its name, and I'm
>>>>>>> using the
>>>>>>> token endpoint and grant type
>>>>>>> "urn:ietf:params:oauth:grant-type:uma-ticket", everything works well.
>>>>>>>
>>>>>>> But if I'm using a resource server token (from a login using
>>>>>>> client_credentials), and I'm trying to request permissions for a
>>>>>>> resource
>>>>>>> in another resource server, by the resource name, it results in the
>>>>>>> following error:
>>>>>>> {
>>>>>>> error: 'invalid_resource',
>>>>>>> error_description: 'Resource with id [my-resource-name] does not
>>>>>>> exist.'
>>>>>>> }
>>>>>>>
>>>>>>> When I'm requesting the resource with its ID, everything works as
>>>>>>> expected.
>>>>>>>
>>>>>>> In version 3.4 it worked well. I now checked it in version 6.0.1 and
>>>>>>> version 7.0.0 and it doesn't work and it seems to be because of this
>>>>>>> line:
>>>>>>>
>>>>>>> https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a4098b787b3f7/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L464
>>>>>>>
>>>>>>> Is this the expected behaviour or a bug?
>>>>>>>
>>>>>>> Thanks in advance,
>>>>>>> Or
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
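The three outcomes reported in the thread (user token resolving a resource by name, a foreign client's client_credentials token failing by name but succeeding by id), as an added, runnable model. This is illustration code written for this page, not Keycloak's implementation and not code from anyone in the thread: the lookup rule in name_lookup_owners is a summary of the behaviour described above, not a reading of AuthorizationTokenService, and all ids, client names and the sample resource store are constructed. The form-body helper and the {"rsid", "rsname", "scopes"} response shape follow the Keycloak token endpoint's documented UMA grant.

```python
"""Model of how a UMA ticket grant (grant_type=urn:ietf:params:oauth:grant-type:uma-ticket)
resolves the `permission` parameter to a resource. Added illustration only, not
Keycloak's code; client names, ids and the resource store are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


@dataclass(frozen=True)
class Resource:
    id: str
    name: str             # unique only per owner, not per resource server
    owner: str            # the resource server itself, or a user id
    resource_server: str  # client whose authorization settings hold the resource


@dataclass(frozen=True)
class Token:
    subject: str           # `sub`: a user id, or a client's service-account id
    client: str            # `azp`: the client the token was issued to
    service_account: bool  # True for client_credentials tokens


class InvalidResource(Exception):
    """The token endpoint's error for an unresolvable `permission` entry."""
    def __init__(self, requested: str):
        super().__init__(requested)
        self.requested = requested

    def as_json(self) -> Dict[str, str]:
        return {"error": "invalid_resource",
                "error_description": f"Resource with id [{self.requested}] does not exist."}


def uma_grant_form(permissions: List[str], audience: Optional[str] = None,
                   response_mode: Optional[str] = None) -> str:
    """Form body for POST /realms/<realm>/protocol/openid-connect/token.
    Each `permission` is "<resource>" or "<resource>#<scope>", where <resource>
    is an id or a name; `audience` names the resource server to evaluate against."""
    fields = [("grant_type", UMA_GRANT)] + [("permission", p) for p in permissions]
    if audience:
        fields.append(("audience", audience))
    if response_mode:
        fields.append(("response_mode", response_mode))
    return urlencode(fields)


def name_lookup_owners(token: Token, resource_server: str) -> List[str]:
    """Owners, in priority order, whose resources a *name* lookup considers.
    This encodes the behaviour described in the thread (assumption, not a
    reading of Keycloak's source): a token acting on behalf of a user sees the
    user's own resources first, then the resource server's; the resource
    server's own service account sees the server's resources; a foreign
    client's service account only sees resources it owns itself, even when
    `audience` names the resource server (the case reported as a regression)."""
    if token.service_account and token.client != resource_server:
        return [token.subject]
    return [token.subject, resource_server]


def resolve(store: List[Resource], requested: str, resource_server: str, token: Token) -> Resource:
    # An id is unique within the resource server, so it resolves for any caller.
    for r in store:
        if r.resource_server == resource_server and r.id == requested:
            return r
    # A name is only unique per owner, so the lookup has to be scoped by owner.
    for owner in name_lookup_owners(token, resource_server):
        for r in store:
            if r.resource_server == resource_server and r.owner == owner and r.name == requested:
                return r
    raise InvalidResource(requested)


def request_permissions(store: List[Resource], permissions: List[str], audience: str, token: Token) -> Dict:
    """Model of the endpoint with response_mode=permissions: returns either the
    granted entries in the {"rsid", "rsname", "scopes"} shape or the error
    object. Policy evaluation is assumed to grant; only resolution is modelled."""
    granted = []
    for entry in permissions:
        ref, _, scope = entry.partition("#")
        try:
            resource = resolve(store, ref, audience, token)
        except InvalidResource as exc:
            return exc.as_json()
        item = {"rsid": resource.id, "rsname": resource.name}
        if scope:
            item["scopes"] = [scope]
        granted.append(item)
    return {"permissions": granted}


# Constructed sample data: "clientA" is the resource server, "clientB" another client.
SERVER_RESOURCE_ID = "2f3e9a1c-0000-4000-8000-000000000001"
USER_RESOURCE_ID = "2f3e9a1c-0000-4000-8000-000000000002"
STORE = [
    Resource(SERVER_RESOURCE_ID, "resourceA", owner="clientA", resource_server="clientA"),
    Resource(USER_RESOURCE_ID, "resourceA", owner="user-alice", resource_server="clientA"),
]
USER_TOKEN = Token(subject="user-alice", client="clientB", service_account=False)  # password grant
CLIENT_A_TOKEN = Token(subject="service-account-clientA", client="clientA", service_account=True)
CLIENT_B_TOKEN = Token(subject="service-account-clientB", client="clientB", service_account=True)

if __name__ == "__main__":
    print(uma_grant_form(["resourceA#view"], audience="clientA", response_mode="permissions"))
    for label, perms, tok in [("user, by name", ["resourceA"], USER_TOKEN),
                              ("clientB, by name", ["resourceA"], CLIENT_B_TOKEN),
                              ("clientB, by id", [SERVER_RESOURCE_ID], CLIENT_B_TOKEN)]:
        print(label, "->", request_permissions(STORE, perms, "clientA", tok))
```

The practical takeaway matches the thread: when a client is calling with its own client_credentials token on behalf of no user, request the permission by resource id (the UUID from the protection API) rather than by name, or use a token that carries the user as subject; the `audience` parameter selects the resource server but, in the versions discussed, does not by itself scope the name lookup.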

