HI Pedro, Sure, my process is as follows: * Application forwards to Authorisation service to get a response type of ‘code’ * Authorisation service returns code and I forward it to the Token endpoint (no bearer) to get an access token * The Access Token contains the user authentication JWT at this point (contains Roles but not permissions) * Then I try to pass this access token as a ‘bearer’ to the token endpoint to get user permission but this is where I get the 500 Error described below Any pointers as to what I could be doing wrong would really be appreciated.. Kind regards, Mark From: Pedro Igor Silva [mailto:psilva@redhat.com] Sent: 22 June 2018 15:42 To: Mark McGuigan <Mark.McGuigan(a)360globalnet.com&gt; Cc: keycloak-dev(a)lists.jboss.org Subject: Re: [keycloak-dev] Accessing Token Endpoint with a User access token to get Permissions Hi, Are you sending the access token or ID token as a bearer ? Could you give more details on how you are obtaining the token ? On Wed, Jun 20, 2018 at 5:52 AM, Mark McGuigan <Mark.McGuigan@360globalnet.com<mailto:Mark.McGuigan@360globalnet.com>> wrote: Hi, Apologies if this email is incorrectly posted. I'm using the newly released Keycloak 4 and I've been able to successfully get an access token for a user from an access code posted back to my application. This doesn't contain any permissions on the token (Rightly so, only roles) I'm now trying to get an RPT with permissions from the of client application that reflect what the User is allowed to do. My request looks something like: POST /auth/realms/MyRealm/protocol/openid-connect/token HTTP/1.1 Host: localhost:8080 Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5c ... Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Postman-Token: 4054feaf-a9d7-48e2-99b6-eabc86bf8da5 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&audience=MyClient&permission=Default+Resource Where the Bearer is the generated access_token. However I'me getting a response of : 500 Internal Server Error { "error": "server_error", "error_description": "Unexpected error while evaluating permissions" } And a stack trace of: Unexpected error while evaluating permissions: java.lang.RuntimeException: Error while reading attributes from security token. at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:139) at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:68) at org.keycloak.authorization.authorization.AuthorizationTokenService.lambda$static$1(AuthorizationTokenService.java:124) at org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext(AuthorizationTokenService.java:311) at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:161) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1124) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190) ..... Caused by: java.lang.NullPointerException at org.keycloak.services.util.DefaultClientSessionContext.fromClientSessionScopeParameter(DefaultClientSessionContext.java:64) at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:123) Any Ideas what I may be doing wrong? Any help appreciated. Regards, Mark _______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev

Hi Pedro, Please find the Realm export attached. Any help on this would be greatly appreciated. Regards, Mark From: Pedro Igor Silva [mailto:psilva@redhat.com] Sent: 22 June 2018 18:24 To: Mark McGuigan <Mark.McGuigan(a)360globalnet.com&gt; Cc: keycloak-dev(a)lists.jboss.org Subject: Re: [keycloak-dev] Accessing Token Endpoint with a User access token to get Permissions I'm not sure what is happening, this flow is similar to what we do in quickstarts and tests. Could you please export your realm and send me the file? On Fri, Jun 22, 2018 at 11:52 AM, Mark McGuigan <Mark.McGuigan@360globalnet.com<mailto:Mark.McGuigan@360globalnet.com>> wrote: HI Pedro, Sure, my process is as follows: * Application forwards to Authorisation service to get a response type of ‘code’ * Authorisation service returns code and I forward it to the Token endpoint (no bearer) to get an access token * The Access Token contains the user authentication JWT at this point (contains Roles but not permissions) * Then I try to pass this access token as a ‘bearer’ to the token endpoint to get user permission but this is where I get the 500 Error described below Any pointers as to what I could be doing wrong would really be appreciated.. Kind regards, Mark From: Pedro Igor Silva [mailto:psilva@redhat.com<mailto:psilva@redhat.com>] Sent: 22 June 2018 15:42 To: Mark McGuigan <Mark.McGuigan@360globalnet.com<mailto:Mark.McGuigan@360globalnet.com>> Cc: keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org> Subject: Re: [keycloak-dev] Accessing Token Endpoint with a User access token to get Permissions Hi, Are you sending the access token or ID token as a bearer ? Could you give more details on how you are obtaining the token ? On Wed, Jun 20, 2018 at 5:52 AM, Mark McGuigan <Mark.McGuigan@360globalnet.com<mailto:Mark.McGuigan@360globalnet.com>> wrote: Hi, Apologies if this email is incorrectly posted. I'm using the newly released Keycloak 4 and I've been able to successfully get an access token for a user from an access code posted back to my application. This doesn't contain any permissions on the token (Rightly so, only roles) I'm now trying to get an RPT with permissions from the of client application that reflect what the User is allowed to do. My request looks something like: POST /auth/realms/MyRealm/protocol/openid-connect/token HTTP/1.1 Host: localhost:8080 Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5c ... Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Postman-Token: 4054feaf-a9d7-48e2-99b6-eabc86bf8da5 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&audience=MyClient&permission=Default+Resource Where the Bearer is the generated access_token. However I'me getting a response of : 500 Internal Server Error { "error": "server_error", "error_description": "Unexpected error while evaluating permissions" } And a stack trace of: Unexpected error while evaluating permissions: java.lang.RuntimeException: Error while reading attributes from security token. at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:139) at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:68) at org.keycloak.authorization.authorization.AuthorizationTokenService.lambda$static$1(AuthorizationTokenService.java:124) at org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext(AuthorizationTokenService.java:311) at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:161) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1124) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190) ..... Caused by: java.lang.NullPointerException at org.keycloak.services.util.DefaultClientSessionContext.fromClientSessionScopeParameter(DefaultClientSessionContext.java:64) at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:123) Any Ideas what I may be doing wrong? Any help appreciated. Regards, Mark _______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev