Re: [keycloak-user] UMA vs OAuth

Pedro, thank you for the answer! You are right. We tried to apply UMA for simple OAuth scenario "Client Credential flow" and it was a mistake. We only need to get access token, which contains scopes. Yes, it's work in KeyCloak. But we have another problem: when we tried to request an access token with scopes which are not been existed or not been assigned to the client, as a result, we received the access token with fill "scope" parameters. Request: curl -X "POST" -d "client_id=testclient&client_secret=secret&grant_type= client_credentials&scope=unexisted_scope" http://keykcloak_server:8080/auth/realms/master/protocol/openid-connect/t... <http://10.44.32.19:8080/auth/realms/master/protocol/openid-connect/token> Response: { "access_token": "eyJhbG[...]1LQ", "token_type": "Bearer", "expires_in": 3600, *"scope": ""* } But, according to RFC 6749 The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749> point, we must get the error " invalid_scope". 4.1.4 <https://tools.ietf.org/html/rfc6749#section-4.1.4>;. Access Token Response If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token as described in Section 5.1 <https://tools.ietf.org/html/rfc6749#section-5.1>;. If the request client authentication failed or is invalid, the authorization server returns an error response as described in Section 5.2 <https://tools.ietf.org/html/rfc6749#section-5.2>;. and point 5.2 <https://tools.ietf.org/html/rfc6749#section-5.2>;. Error Response *.....* invalid_scope The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. We tried to find something in client settings for fixing problem, but nothing to find. Could you reply, is it a KeyCloak's error or we can't find some special "setting" in the interface? Best regards. Dmitry Pichugin. On Wed, 15 Aug 2018 at 14:31, Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: > On Wed, Aug 15, 2018 at 7:35 AM, Dmitry Pichugin <pdomsk(a)gmail.com&gt; wrote: > >> Good day! >> >> We are using Keyclaok in our project, have installed version 4.2.1. >> >> Our task: >> >> - integration with API gateway and use KeyCloak for resources protect. >> >> We would be to use "Client Credentials Flow" from OAuth specs. But during >> version 4, KeyCloak does not support OAuth and is recommended to apply UMA >> 2.0. >> > > I'm not sure what you mean here. Where did you find this recommendation ? > > >> >> Yes, the differences between UMA and OAuth not huge, as a request and >> response(JWT token) formats, UMA has specific logic with RPT-token etc and >> UMA gives some advantages(we do not have the plan to use it). >> > > UMA is a standard mainly targeted for privacy (although there are other > benefits in using even if not for privacy), if you don't need users > managing their own resources, sharing, etc, yeah, you probably don't need > it. However, keep in mind that UMA support is one of the capabilities we > support in Keycloak Authorization Services, you can still use Keycloak to > enforce access to your protected resources using permissions > managed/granted by the server. > > >> >> We try to make a request in OAuth specs but got the error. >> >> Why does KeyCloak not support OAuth and UMA 2.0 same time? Do you have >> some >> specific reasons for this? >> > > >> >> Thank you! >> >> Best regards. Dmitry Pichugin. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >