Hi
I am trying to stack all permissions from two different confidential
clients via the entitlements API.
Steps:
1. Get access token for public client
2. Get entitlements for client 1:
Authorization: Bearer access_token
grant_type: urn:ietf:params:oauth:grant-type:uma-ticket
audience: client1
Returns RPT with all resources owned by user on client1. Works as expected.
3. Get entitlements for client 2:
Authorization: Bearer access_token
grant_type: urn:ietf:params:oauth:grant-type:uma-ticket
audience: client2
rpt: {{rpt from step 2}}
Response: forbidden 403
{
"error": "access_denied",
"error_description": "not_authorized"
}
If I remove the rpt parameter I get all permissions for client 2 as
expected. What is the reason for the 403? Why would the rpt param result in a 403?
Isn't it supposed to be there just to stack additional permissions?
There must be some additional checks which I am not aware of. What are they?
reference doc:
https://www.keycloak.org/docs/4.6/authorization_services/#_service_obtain...
Best regards
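The three-step exchange from the post, written out as an added example (not the poster's code and not Keycloak's). The token endpoint path, the form parameters grant_type, audience and rpt, and the authorization.permissions claim inside the RPT follow the Keycloak authorization-services documentation; the hypothetical server URL http://kc/token, the resource names and the fake_keycloak transport are constructed here. The fake only reproduces the responses the post reports (client1 answers, client2 returns 403 once rpt is sent); it does not model why Keycloak behaves that way. Decoding the RPT with permissions_in is for inspection only and skips signature verification.

```python
"""Drive the UMA RPT exchange from the post and inspect what was stacked."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def _urllib_transport(url, headers, body):
    """Default transport: POST a form body, return (status, response bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # 403 etc. still carry a JSON body
        return err.code, err.read()


def request_rpt(token_endpoint, access_token, audience, rpt=None, transport=_urllib_transport):
    """Ask the token endpoint for an RPT for `audience`, optionally stacking on `rpt`.

    Returns (rpt_string, None) on success or (None, error_dict) on refusal, so a
    403 surfaces as data the caller can log instead of an exception.
    """
    form = {"grant_type": UMA_GRANT, "audience": audience}
    if rpt is not None:                       # step 3 of the post: pass the previous RPT
        form["rpt"] = rpt
    headers = {"Authorization": "Bearer " + access_token,
               "Content-Type": "application/x-www-form-urlencoded"}
    status, raw = transport(token_endpoint, headers, urllib.parse.urlencode(form).encode())
    payload = json.loads(raw.decode())
    if status == 200 and "access_token" in payload:
        return payload["access_token"], None
    return None, {"status": status, **payload}


def stack_permissions(token_endpoint, access_token, audiences, transport=_urllib_transport):
    """Steps 2 and 3: walk the audiences, feeding each RPT into the next request.

    Returns (rpt, None, None) when every audience answered, or
    (None, failing_audience, error_dict) at the first refusal.
    """
    rpt = None
    for aud in audiences:
        rpt, err = request_rpt(token_endpoint, access_token, aud, rpt=rpt, transport=transport)
        if err:
            return None, aud, err
    return rpt, None, None


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def permissions_in(rpt):
    """Map resource name -> sorted scopes from the RPT's authorization.permissions claim.

    No signature check: use it to see what got stacked, never to authorize.
    """
    claims = json.loads(_b64url_decode(rpt.split(".")[1]))
    return {p["rsname"]: sorted(p.get("scopes", []))
            for p in claims["authorization"]["permissions"]}


def _make_rpt(permissions):
    """Constructed, unsigned RPT-shaped JWT for the fake server (test data only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"authorization": {"permissions": permissions}}), ""])


def fake_keycloak(url, headers, body):
    """Constructed stand-in for the token endpoint mirroring the post's observations."""
    form = dict(urllib.parse.parse_qsl(body.decode()))
    assert form["grant_type"] == UMA_GRANT and headers["Authorization"].startswith("Bearer ")
    if form["audience"] == "client1":
        return 200, json.dumps({"access_token": _make_rpt([{"rsname": "doc-1", "scopes": ["read"]}])}).encode()
    if "rpt" in form:                         # client2 refuses once an RPT is attached
        return 403, json.dumps({"error": "access_denied", "error_description": "not_authorized"}).encode()
    return 200, json.dumps({"access_token": _make_rpt([{"rsname": "report-7", "scopes": ["view"]}])}).encode()


if __name__ == "__main__":
    rpt, failed, err = stack_permissions("http://kc/token", "user-access-token",
                                         ["client1", "client2"], transport=fake_keycloak)
    print("stacked:", permissions_in(rpt) if rpt else None, "| refused by:", failed, err)
```

Swap fake_keycloak for the default transport and point token_endpoint at the realm's /protocol/openid-connect/token URL to run it against a real server; the error dict returned for the refused audience carries the same error and error_description fields the post quotes.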