Yes, you should see a claim like this:

  "resource_access": {
    "{client_id}": {
      "roles": [
        "{client_role}"
      ]
    }
  }

On Tue, Nov 20, 2018 at 5:22 PM Geoffrey Cleaves <geoff(a)opticks.io> wrote:
I understand that the client is supposed to have the role given the Admin
Console settings, but does the token show that role when you introspect it?

On Tue, Nov 20, 2018, 18:02 Julien Deruere <deruere.julien(a)gmail.com> wrote:
> That's exactly what I did/checked. That's why I can't figure out why it's
> not working :(
>
> On Tue, Nov 20, 2018, 11:53, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
> > This role should be a client role. For instance, if you are trying to
> > create resources for C1 the service account must be granted with client
> > role C1/uma-protection. See screenshot attached.
> >
> > Regards.
> >
> > On Tue, Nov 20, 2018 at 2:01 PM Julien Deruere <deruere.julien(a)gmail.com> wrote:
> >
> >> In this case I'm using protection API:
> >>
> >> curl -X POST \
> >>   -H "Content-Type: application/x-www-form-urlencoded" \
> >>   -d 'grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}' \
> >>   "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/t..."
> >>
> >>
> >> I'm asking a token as a client, not as a user. And I checked, my client
> >> has the uma_protection role in Service Account Role.
> >>
> >> I don't know where I'm wrong?
> >>
> >> On Tue, Nov 20, 2018, 10:54, Pedro Igor Silva <psilva(a)redhat.com> wrote:
> >>
> >>> Hi,
> >>>
> >>> You need to grant uma_protection client scope (it should be available as
> >>> one of the roles associated with your resource server) to the user to which
> >>> you are issuing tokens for.
> >>>
> >>> On Tue, Nov 20, 2018 at 1:52 PM Julien Deruere <deruere.julien(a)gmail.com> wrote:
> >>>
> >>>> Any update on this?
> >>>> I got the exact same message when using POSTMAN:
> >>>>
> >>>> I first do this (with grant_type=client_credentials):
> >>>> http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token
> >>>>
> >>>> And then this with the token I received:
> >>>> GET http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type...
> >>>> Which answers me this:
> >>>> {
> >>>>   "error": "invalid_scope",
> >>>>   "error_description": "Requires uma_protection scope."
> >>>> }
> >>>>
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user(a)lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>
> >>>
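
Added example (not part of the original thread or of Keycloak's code): a small diagnostic that decodes an access token's payload and checks whether the role appears under resource_access.<client_id>.roles, the claim shown at the top of this message, rather than only under realm_access. The client id "my-resource-server" and the sample tokens are constructed for illustration; the signature is not verified, so use this for troubleshooting only.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def client_roles(claims: dict, client_id: str) -> list:
    """Client roles are listed under resource_access.<client_id>.roles."""
    return claims.get("resource_access", {}).get(client_id, {}).get("roles", [])

def has_client_role(token: str, client_id: str, role: str = "uma_protection") -> bool:
    return role in client_roles(jwt_claims(token), client_id)

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned token for the demonstration below."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "sig"])

CLIENT = "my-resource-server"  # hypothetical client id (assumption)

# Constructed sample 1: role granted as a client role on the resource server.
WITH_ROLE = make_sample({"azp": CLIENT,
                         "resource_access": {CLIENT: {"roles": ["uma_protection"]}}})
# Constructed sample 2: same role name, but only at realm level.
REALM_ONLY = make_sample({"azp": CLIENT,
                          "realm_access": {"roles": ["uma_protection"]}})
# Constructed sample 3: client role granted on a different client.
OTHER_CLIENT = make_sample({"azp": CLIENT,
                            "resource_access": {"account": {"roles": ["uma_protection"]}}})

if __name__ == "__main__":
    samples = [("with role", WITH_ROLE), ("realm only", REALM_ONLY),
               ("other client", OTHER_CLIENT)]
    for name, tok in samples:
        print(f"{name}: uma_protection on {CLIENT} = {has_client_role(tok, CLIENT)}")
```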