Can anyone help, please? Here is another example:
I have 2 clients, "ClientA" and "ClientB". Both of them are confidential
resource servers.
"ClientA" has "ResourceA", which is owned by "ClientA", and it has a
permission that grants access to everyone (script: $evaluation.grant()).
I'm getting a bearer token for "ClientB" using client_credentials, and then
I'm trying to check if "ClientB" has permissions to access "ResourceA" in
"ClientA" like this:
curl -X POST \
  http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/token \
  -H "Authorization: Bearer {access_token}" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=ClientA&permission=ResourceA&response_mode=permissions"
This gives me a "resource not found" error.
But if I search by the ID of the resource in the "permission" param, like
this: "permission={RESOURCE_UUID}", it does work.
Shouldn't it be possible to check by the name, if the check by ID works?
On Thu, Jan 3, 2019 at 6:24 PM Or Harary <or(a)myobligo.com> wrote:
Hey,
I'm using version 4.8.1 and I'm trying to check resource permissions on
another client with the token endpoint, by the resource name, with a
client's access token, and I'm getting "Resource with id [{resourceId}]
does not exist".
I have a service account client "foobarservice". I want this service
account client to check its permissions on a "foobaresource" resource from
another client "otherservice".
myrealm
-- "foobarservice" Service Account Client
-- -- foobar resource (with always grant policy and permission)
-- "otherservice" Service Account Client
I did a "client_credentials" login with "foobarservice" and got an
access_token. With that token, I tried:
curl -X POST \
  http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/token \
  -H "Authorization: Bearer {foobarservice_access_token}" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=otherservice&permission=foobaresource&response_mode=permissions"
And got a 400 Bad Request with the "not found" error.
When I'm doing the same request with some user's token, it works well.
I looked into the code (my knowledge of Java is very basic) and it seems
to be because of this:
https://github.com/keycloak/keycloak/blob/f4f68438870768ac6cc18012cfae278...
Is this the expected behavior, or a bug? Because when I used version 3.4
it did work.
Thanks,
Or
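The following is an added example, not code from the thread or from Keycloak itself. It scripts the procedure both posters describe (client_credentials login, then the UMA grant at the token endpoint with response_mode=permissions) and, when the lookup by name fails with the "does not exist" error, resolves the name to a resource ID through the Protection API resource_set endpoint (using a token of the client that owns the resource) and retries by ID, which both messages confirm works. The host, realm, client names and secrets are assumptions taken from the thread's placeholders; the Protection API lookup is assumed to return either a list of ID strings or, with deep=true, full resource objects, and the code accepts both.

```python
"""Added example: UMA permission check by name, with a fallback to ID lookup.
Host, realm, client IDs and secrets are assumptions, not values from the thread."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://keycloak:8080/auth"  # assumed, as in the thread's curl commands
REALM = "myrealm"
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_endpoint(base=BASE, realm=REALM):
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def resource_set_endpoint(base=BASE, realm=REALM):
    return f"{base}/realms/{realm}/authz/protection/resource_set"


def uma_form(audience, permission, response_mode="permissions"):
    """Form body for the UMA grant. 'permission' is a resource name or ID
    (Keycloak also accepts 'resource#scope' to narrow it to one scope)."""
    return urllib.parse.urlencode({"grant_type": UMA_GRANT, "audience": audience,
                                   "permission": permission, "response_mode": response_mode})


def _post_form(url, body, bearer=None):
    """POST a urlencoded body; return (status, parsed JSON) even on 4xx."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def client_credentials_token(client_id, client_secret, base=BASE, realm=REALM):
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret})
    status, data = _post_form(token_endpoint(base, realm), body)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {data}")
    return data["access_token"]


def evaluate(access_token, audience, permission, base=BASE, realm=REALM):
    """Ask the token endpoint which permissions the token holder has on 'permission'."""
    return _post_form(token_endpoint(base, realm), uma_form(audience, permission), access_token)


def is_resource_not_found(status, body):
    """Matches the 400 the thread reports: 'Resource with id [...] does not exist'."""
    return status == 400 and "does not exist" in body.get("error_description", "")


def normalize_resource_ids(entries):
    """Protection API returns plain ID strings, or objects (with '_id') when deep=true."""
    return [e["_id"] if isinstance(e, dict) else e for e in entries]


def resource_ids_by_name(owner_token, name, base=BASE, realm=REALM):
    """Resolve a resource name to IDs; the token must belong to the client that owns it."""
    url = resource_set_endpoint(base, realm) + "?" + urllib.parse.urlencode({"name": name})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {owner_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return normalize_resource_ids(json.loads(resp.read()))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it; for inspecting azp/sub only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_resource_names(permissions):
    """Resource names from a response_mode=permissions result (one 'rsname' per entry)."""
    return {p.get("rsname") for p in permissions}


if __name__ == "__main__":
    # Secrets are placeholders; replace with the clients' real credentials.
    caller = client_credentials_token("foobarservice", "FOOBARSERVICE_SECRET")
    print("caller azp:", jwt_claims(caller).get("azp"))
    status, body = evaluate(caller, "otherservice", "foobaresource")
    if is_resource_not_found(status, body):
        # Fallback: map the name to an ID with the owner's token, then retry by ID.
        owner = client_credentials_token("otherservice", "OTHERSERVICE_SECRET")
        for rid in resource_ids_by_name(owner, "foobaresource"):
            status, body = evaluate(caller, "otherservice", rid)
            print(rid, status, granted_resource_names(body) if status == 200 else body)
    else:
        print(status, granted_resource_names(body) if status == 200 else body)
```

The fallback only needs the owner's token for the resource_set lookup; the permission evaluation itself is still made with the caller's token, so the result reflects what "foobarservice" is actually allowed to do on "otherservice".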