Re: [keycloak-user] Requires uma_protection scope

This role should be a client role. For instance, if you are trying to create resources for C1 the service account must be granted with client role C1/uma-protection. See screenshot attached. Regards. On Tue, Nov 20, 2018 at 2:01 PM Julien Deruere <deruere.julien(a)gmail.com&gt; wrote: > In this case I'm using protection API: > > curl -X POST \ > -H "Content-Type: application/x-www-form-urlencoded" \ > -d 'grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}' \ > "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token" > > > I'm asking a token as a client, not as a user. And I checked, my client > has the uma_protection role in Service Account Role. > > I don't know where I'm wrong? > > Le mar. 20 nov. 2018 10:54, Pedro Igor Silva <psilva(a)redhat.com&gt; a > écrit : > >> Hi, >> >> You need to grant uma_protection client scope (it should be available as >> one of the roles associated with your resource server) to the user to which >> you are issuing tokens for. >> >> On Tue, Nov 20, 2018 at 1:52 PM Julien Deruere <deruere.julien(a)gmail.com&gt; >> wrote: >> >>> Any update on this? >>> I got the exact same message when using POSTMAN : >>> >>> I fist do this (with grant_type=client_credentials): >>> http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token >>> >>> And then this with the token I received: >>> GET >>> >>> http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type... >>> Which answer me this: >>> { >>> "error": "invalid_scope", >>> "error_description": "Requires uma_protection scope." >>> } >>> >> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>