My tokens look like this. What if you "reboot", create a new client and
test it there.
{
"jti": "5c5a8",
"exp": 1542812146,
"nbf": 0,
"iat": 1542811846,
"iss": "https://fblah",
"aud": [
"account",
"opticks-rs"
],
"sub": "dee58194-6b2b31d",
"typ": "Bearer",
"azp": "rs",
"auth_time": 0,
"session_state": "a96958c1e5",
"preferred_username": "service-account-rs",
"email": "service-account-rs(a)placeholder.org",
"email_verified": false,
"acr": "1",
"realm_access": {
"roles": [
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
},
"opticks-rs": {
"roles": [
"uma_protection"
]
}
},
"scope": "email profile",
"clientId": "rs",
"clientHost": "0.0.0.0",
"clientAddress": "0.0.0.0",
"client_id": "rs",
"username": "service-account-rs",
"active": true
}
On Wed, 21 Nov 2018 at 15:41, Julien Deruere <deruere.julien(a)gmail.com>
wrote:
This is all I see
{
"jti": "6cfa6dd3-a3dd-4f5b-8560-f91832e7a35f",
"exp": 1542811409,
"nbf": 0,
"iat": 1542811109,
"iss": "http://my-keycloak:8080/auth/realms/my-realm",
"sub": "055a376e-d8eb-49cf-9d5f-a83226448131",
"typ": "Bearer",
"azp": "my-api-gateway",
"auth_time": 0,
"session_state": "10853e1d-ff27-4f4c-b9e1-31339774c5e4",
"acr": "1",
"scope": "profile email",
"clientId": "my-api-gateway",
"clientHost": "172.19.0.1",
"email_verified": false,
"preferred_username": "service-account-my-api-gateway",
"clientAddress": "172.19.0.1",
"email": "service-account-my-api-gateway(a)placeholder.org"
}
Le mer. 21 nov. 2018 à 05:57, Pedro Igor Silva <psilva(a)redhat.com> a
écrit :
> Yes, you should see a claim like this:
>
> "resource_access": {
> "{client_id}": {
> "roles": [
> "{client_role}"
> ]
> }
> }
>
> On Tue, Nov 20, 2018 at 5:22 PM Geoffrey Cleaves <geoff(a)opticks.io>
> wrote:
>
>> I understand that the client is supposed to have the role given the
>> Admin Console settings, but does the token show that role when you
>> introspect it?
>>
>> On Tue, Nov 20, 2018, 18:02 Julien Deruere <deruere.julien(a)gmail.com
>> wrote:
>>
>>> That's exactly what I did/checked. That's why I can't figure out
why
>>> it's
>>> not working :(
>>>
>>> Le mar. 20 nov. 2018 11:53, Pedro Igor Silva <psilva(a)redhat.com> a
>>> écrit :
>>>
>>> > This role should be a client role. For instance, if you are trying to
>>> > create resources for C1 the service account must be granted with
>>> client
>>> > role C1/uma-protection. See screenshot attached.
>>> >
>>> > Regards.
>>> >
>>> > On Tue, Nov 20, 2018 at 2:01 PM Julien Deruere <
>>> deruere.julien(a)gmail.com>
>>> > wrote:
>>> >
>>> >> In this case I'm using protection API:
>>> >>
>>> >> curl -X POST \
>>> >> -H "Content-Type: application/x-www-form-urlencoded"
\
>>> >> -d
>>>
'grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}'
>>> \
>>> >> "
>>>
http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/t...
>>> "
>>> >>
>>> >>
>>> >> I'm asking a token as a client, not as a user. And I checked,
my
>>> client
>>> >> has the uma_protection role in Service Account Role.
>>> >>
>>> >> I don't know where I'm wrong?
>>> >>
>>> >> Le mar. 20 nov. 2018 10:54, Pedro Igor Silva
<psilva(a)redhat.com> a
>>> >> écrit :
>>> >>
>>> >>> Hi,
>>> >>>
>>> >>> You need to grant uma_protection client scope (it should be
>>> available as
>>> >>> one of the roles associated with your resource server) to the
user
>>> to which
>>> >>> you are issuing tokens for.
>>> >>>
>>> >>> On Tue, Nov 20, 2018 at 1:52 PM Julien Deruere <
>>> deruere.julien(a)gmail.com>
>>> >>> wrote:
>>> >>>
>>> >>>> Any update on this?
>>> >>>> I got the exact same message when using POSTMAN :
>>> >>>>
>>> >>>> I fist do this (with grant_type=client_credentials):
>>> >>>>
>>>
http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token
>>> >>>>
>>> >>>> And then this with the token I received:
>>> >>>> GET
>>> >>>>
>>> >>>>
>>>
http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type...
>>> >>>> Which answer me this:
>>> >>>> {
>>> >>>> "error": "invalid_scope",
>>> >>>> "error_description": "Requires
uma_protection scope."
>>> >>>> }
>>> >>>>
>>> >>> _______________________________________________
>>> >>>> keycloak-user mailing list
>>> >>>> keycloak-user(a)lists.jboss.org
>>> >>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >>>>
>>> >>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>