I have users in my realm that I have assigned realm roles to:
realm roles: Master, Apprentice
one such user has
roles: uma_authorization, Apprentice
When I enable authorization on a client and
1. add a resource besides the default resource to it, say "Second Resource"
2. under Policies - Roles a role-based policy referencing the realm role
Apprentice that my user belongs to
Using the test user’s access_token obtained from the realm token endpoint:
curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
and then checking the Entitlement API response for the client’s id, using the
user’s bearer access token together with the payload for the Second
Resource, I always get a Forbidden status code
curl -v -X POST \
-H "Content-Type:application/json" \
-H 'Authorization: bearer userbearerrertoken' \
For the Default Resource, all is fine and I get back an RPT.
Am I missing something regarding the roles the user needs? According to the
documentation, the role-based permission on the Second Resource should
authorize the user to access it as long as the user holds any of the
realm roles referenced by that permission.
I am using keycloak 2.5.1.
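As an added example (not part of the question above, and not Keycloak's own code), the following shell helpers build the Entitlement API request body for a named resource and decode an RPT to list which resources it actually grants. This is useful for comparing the Default Resource and Second Resource cases side by side. The request body uses the `resource_set_name` field and the RPT is read from the `authorization.permissions` claim; both are assumed to follow the Keycloak 2.x layout. The endpoint path in the comment and the sample RPT are placeholders constructed for illustration (the sample carries no valid signature).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Keycloak 2.x
# Entitlement API: POST {server}/auth/realms/{realm}/authz/entitlement/{client_id}
# with the user's access token as Bearer and a JSON body listing permissions.
# Usage with curl (placeholders in braces are assumptions):
#   curl -X POST -H 'Content-Type: application/json' \
#        -H "Authorization: Bearer $ACCESS_TOKEN" \
#        -d "$(entitlement_payload 'Second Resource')" \
#        "{server}/auth/realms/{realm}/authz/entitlement/{client_id}"

# JSON body asking for one resource by name (resource_set_name is assumed
# to be accepted by the 2.x Entitlement API alongside resource_set_id).
entitlement_payload() {
    printf '{"permissions":[{"resource_set_name":"%s"}]}' "$1"
}

# Decode a base64url segment as used in JWTs ('-' '_' alphabet, no padding).
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Print the resource_set_name of every permission in the RPT payload,
# one per line. RPT JSON is compact, so a grep/sed pair is enough (no jq).
rpt_resources() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" \
        | grep -o '"resource_set_name" *: *"[^"]*"' \
        | sed 's/.*: *"\(.*\)"/\1/'
}

# Exit status 0 if the RPT grants the named resource, 1 otherwise.
rpt_grants() {
    rpt_resources "$1" | grep -qx -- "$2"
}

# Constructed sample RPT (assumption, not a real token): its payload grants
# only "Default Resource", which mirrors the situation in the question.
SAMPLE_PAYLOAD='{"exp":1500000000,"realm_access":{"roles":["uma_authorization","Apprentice"]},"authorization":{"permissions":[{"resource_set_id":"1","resource_set_name":"Default Resource","scopes":[]}]}}'
SAMPLE_RPT="eyJhbGciOiJSUzI1NiJ9.$(printf '%s' "$SAMPLE_PAYLOAD" | base64 | tr -d '\n=' | tr '+/' '-_').sig"

# Demo: show the request body and check both resources against the RPT.
echo "Entitlement body: $(entitlement_payload 'Second Resource')"
for r in "Default Resource" "Second Resource"; do
    if rpt_grants "$SAMPLE_RPT" "$r"; then
        echo "RPT grants:         $r"
    else
        echo "RPT does NOT grant: $r"
    fi
done
```

When the Entitlement API answers 403 for a resource, there is no RPT to decode; when it answers 200, running `rpt_resources` on the returned token shows exactly which resources and scopes were evaluated, which is the quickest way to see whether the Second Resource permission was considered at all.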