Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}
11 p.m.
I have upgraded from keycloak 4.3 to keycloak 4.4. I ahve exported the
realm from 4.3 and imported in 4.4.
The "policy-enforcer": {} in keycloak.json results in *403
:
{"error":"invalid_scope","error_description":"Requires
uma_protection
scope."}*
In keycloak 4.3 everything works fine. I have exported realm and used with
keycloak 4.4, but the policy-enforcer does not work. Is there some extra
step that is needed apart from exporting and importing json?
If I remove policy-enforcer line the app works fine.
*APP code:*
final String KEYCLOAK_JSON = //json path;
InputStream config =
Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
KeycloakInstalled keycloak = new KeycloakInstalled(config);
*Stack trace thrown at the time of starting app:*
java.lang.RuntimeException: Could not find resource
Logged in...
at
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
at
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
at
org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
at
org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
at
org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
at
org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
at
org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
at
org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
at
com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
Caused by: org.keycloak.authorization.client.AuthorizationDeniedException:
org.keycloak.authorization.client.util.HttpResponseException: Unexpected
response from server: 403 / Forbidden / Response from server:
{"error":"invalid_scope","error_description":"Requires
uma_protection
scope."}
at
org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
at
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
at
org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
at
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
at
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
... 7 more
Caused by: org.keycloak.authorization.client.util.HttpResponseException:
Unexpected response from server: 403 / Forbidden / Response from server:
{"error":"invalid_scope","error_description":"Requires
uma_protection
scope."}
at
org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
at
org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
at
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
at
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
at
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
... 8 more
3:42 a.m.
Please, check if your client is granted with a "uma_protection" client
role. I think client roles were not being exported correctly and we fixed
that in the latest release.
On Thu, Oct 4, 2018 at 11:12 AM Bruce Wings <testoauth55(a)gmail.com> wrote:
I have upgraded from keycloak 4.3 to keycloak 4.4. I ahve exported
the
realm from 4.3 and imported in 4.4.
The "policy-enforcer": {} in keycloak.json results in *403
:
{"error":"invalid_scope","error_description":"Requires
uma_protection
scope."}*
In keycloak 4.3 everything works fine. I have exported realm and used with
keycloak 4.4, but the policy-enforcer does not work. Is there some extra
step that is needed apart from exporting and importing json?
If I remove policy-enforcer line the app works fine.
*APP code:*
final String KEYCLOAK_JSON = //json path;
InputStream config =
Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
KeycloakInstalled keycloak = new KeycloakInstalled(config);
*Stack trace thrown at the time of starting app:*
java.lang.RuntimeException: Could not find resource
Logged in...
at
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
at
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
at
org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
at
org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
at
org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
at
org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
at
org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
at
org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
at
com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
Caused by: org.keycloak.authorization.client.AuthorizationDeniedException:
org.keycloak.authorization.client.util.HttpResponseException: Unexpected
response from server: 403 / Forbidden / Response from server:
{"error":"invalid_scope","error_description":"Requires
uma_protection
scope."}
at
org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
at
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
at
org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
at
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
at
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
... 7 more
Caused by: org.keycloak.authorization.client.util.HttpResponseException:
Unexpected response from server: 403 / Forbidden / Response from server:
{"error":"invalid_scope","error_description":"Requires
uma_protection
scope."}
at
org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
at
org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
at
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
at
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
at
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
... 8 more
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:01 a.m.
uma_authorization
<http://localhost:9080/auth/admin/master/console/#/realms/Cadence/roles/04...
role is present in both the installations (4.3 and 4.4)*. uma_protection *role
is *not *present in any.
Is it the case that keycloak 4.3 used to work without* uma_protection *and
4.4 needs* uma_protection *role*?*
On Fri, Oct 5, 2018 at 12:12 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Please, check if your client is granted with a
"uma_protection" client
role. I think client roles were not being exported correctly and we fixed
that in the latest release.
On Thu, Oct 4, 2018 at 11:12 AM Bruce Wings <testoauth55(a)gmail.com> wrote:
> I have upgraded from keycloak 4.3 to keycloak 4.4. I ahve exported the
> realm from 4.3 and imported in 4.4.
>
> The "policy-enforcer": {} in keycloak.json results in *403
> :
{"error":"invalid_scope","error_description":"Requires
uma_protection
> scope."}*
>
> In keycloak 4.3 everything works fine. I have exported realm and used with
> keycloak 4.4, but the policy-enforcer does not work. Is there some extra
> step that is needed apart from exporting and importing json?
> If I remove policy-enforcer line the app works fine.
>
> *APP code:*
> final String KEYCLOAK_JSON = //json path;
> InputStream config =
>
> Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
> KeycloakInstalled keycloak = new KeycloakInstalled(config);
>
>
>
> *Stack trace thrown at the time of starting app:*
>
> java.lang.RuntimeException: Could not find resource
> Logged in...
> at
>
>
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
> at
>
>
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
> at
>
>
org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
> at
>
>
org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
> at
>
>
org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
> at
>
>
org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
> at
>
>
org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
> at
>
>
org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
> at
>
> com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
> Caused by: org.keycloak.authorization.client.AuthorizationDeniedException:
> org.keycloak.authorization.client.util.HttpResponseException: Unexpected
> response from server: 403 / Forbidden / Response from server:
>
{"error":"invalid_scope","error_description":"Requires
uma_protection
> scope."}
> at
>
>
org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
> at
>
>
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
> at
>
>
org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
> at
>
>
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
> at
>
>
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
> ... 7 more
> Caused by: org.keycloak.authorization.client.util.HttpResponseException:
> Unexpected response from server: 403 / Forbidden / Response from server:
>
{"error":"invalid_scope","error_description":"Requires
uma_protection
> scope."}
> at
>
> org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
> at
>
>
org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
> at
>
>
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
> at
>
>
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
> at
>
>
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
> ... 8 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
10:11 a.m.
Secondly,
I manually added uma_protection role to my client in keycloak 4.4 like
this, but I still get the same exception. Is this role supposed to be added
in a different way?
[image: image.png]
Firstly,
uma_authorization
<http://localhost:9080/auth/admin/master/console/#/realms/Cadence/roles/04...
role is present in both the installations (4.3 and 4.4)*. uma_protection *role
is *not *present in any.
Is it the case that keycloak 4.3 used to work without* uma_protection *and
4.4 needs* uma_protection *role*?*
On Fri, Oct 5, 2018 at 6:31 AM Bruce Wings <testoauth55(a)gmail.com> wrote:
uma_authorization
<http://localhost:9080/auth/admin/master/console/#/realms/Cadence/roles/04...
role is present in both the installations (4.3 and 4.4)*. uma_protection
*role is *not *present in any.
Is it the case that keycloak 4.3 used to work without* uma_protection *and
4.4 needs* uma_protection *role*?*
On Fri, Oct 5, 2018 at 12:12 AM Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Please, check if your client is granted with a "uma_protection" client
> role. I think client roles were not being exported correctly and we fixed
> that in the latest release.
>
> On Thu, Oct 4, 2018 at 11:12 AM Bruce Wings <testoauth55(a)gmail.com>
> wrote:
>
>> I have upgraded from keycloak 4.3 to keycloak 4.4. I ahve exported the
>> realm from 4.3 and imported in 4.4.
>>
>> The "policy-enforcer": {} in keycloak.json results in *403
>> :
{"error":"invalid_scope","error_description":"Requires
uma_protection
>> scope."}*
>>
>> In keycloak 4.3 everything works fine. I have exported realm and used
>> with
>> keycloak 4.4, but the policy-enforcer does not work. Is there some extra
>> step that is needed apart from exporting and importing json?
>> If I remove policy-enforcer line the app works fine.
>>
>> *APP code:*
>> final String KEYCLOAK_JSON = //json path;
>> InputStream config =
>>
>>
Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>> KeycloakInstalled keycloak = new KeycloakInstalled(config);
>>
>>
>>
>> *Stack trace thrown at the time of starting app:*
>>
>> java.lang.RuntimeException: Could not find resource
>> Logged in...
>> at
>>
>>
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
>> at
>>
>>
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
>> at
>>
>>
org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
>> at
>>
>>
org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
>> at
>>
>>
org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
>> at
>>
>>
org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
>> at
>>
>>
org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
>> at
>>
>>
org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
>> at
>>
>> com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
>> Caused by:
>> org.keycloak.authorization.client.AuthorizationDeniedException:
>> org.keycloak.authorization.client.util.HttpResponseException: Unexpected
>> response from server: 403 / Forbidden / Response from server:
>>
{"error":"invalid_scope","error_description":"Requires
uma_protection
>> scope."}
>> at
>>
>>
org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
>> at
>>
>>
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
>> at
>>
>>
org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
>> at
>>
>>
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
>> at
>>
>>
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
>> ... 7 more
>> Caused by: org.keycloak.authorization.client.util.HttpResponseException:
>> Unexpected response from server: 403 / Forbidden / Response from server:
>>
{"error":"invalid_scope","error_description":"Requires
uma_protection
>> scope."}
>> at
>>
>> org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
>> at
>>
>>
org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
>> at
>>
>>
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
>> at
>>
>>
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
>> at
>>
>>
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
>> ... 8 more
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
1:20 p.m.
What is more weird is that if I create a new realm in keycloak 4.4 and
import client from keycloak 4.3 into this realm , then everything works
fine. The issue appears only if I import complete realm.
On Fri, Oct 5, 2018 at 6:41 AM Bruce Wings <testoauth55(a)gmail.com> wrote:
Secondly,
I manually added uma_protection role to my client in keycloak 4.4 like
this, but I still get the same exception. Is this role supposed to be added
in a different way?
[image: image.png]
Firstly,
uma_authorization
<http://localhost:9080/auth/admin/master/console/#/realms/Cadence/roles/04...
role is present in both the installations (4.3 and 4.4)*.
uma_protection *role is *not *present in any.
Is it the case that keycloak 4.3 used to work without* uma_protection *and
4.4 needs* uma_protection *role*?*
On Fri, Oct 5, 2018 at 6:31 AM Bruce Wings <testoauth55(a)gmail.com> wrote:
> uma_authorization
>
<http://localhost:9080/auth/admin/master/console/#/realms/Cadence/roles/04...
> role is present in both the installations (4.3 and 4.4)*.
> uma_protection *role is *not *present in any.
> Is it the case that keycloak 4.3 used to work without* uma_protection *and
> 4.4 needs* uma_protection *role*?*
>
> On Fri, Oct 5, 2018 at 12:12 AM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Please, check if your client is granted with a "uma_protection" client
>> role. I think client roles were not being exported correctly and we fixed
>> that in the latest release.
>>
>> On Thu, Oct 4, 2018 at 11:12 AM Bruce Wings <testoauth55(a)gmail.com>
>> wrote:
>>
>>> I have upgraded from keycloak 4.3 to keycloak 4.4. I ahve exported the
>>> realm from 4.3 and imported in 4.4.
>>>
>>> The "policy-enforcer": {} in keycloak.json results in *403
>>> :
{"error":"invalid_scope","error_description":"Requires
uma_protection
>>> scope."}*
>>>
>>> In keycloak 4.3 everything works fine. I have exported realm and used
>>> with
>>> keycloak 4.4, but the policy-enforcer does not work. Is there some extra
>>> step that is needed apart from exporting and importing json?
>>> If I remove policy-enforcer line the app works fine.
>>>
>>> *APP code:*
>>> final String KEYCLOAK_JSON = //json path;
>>> InputStream config =
>>>
>>>
Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>> KeycloakInstalled keycloak = new KeycloakInstalled(config);
>>>
>>>
>>>
>>> *Stack trace thrown at the time of starting app:*
>>>
>>> java.lang.RuntimeException: Could not find resource
>>> Logged in...
>>> at
>>>
>>>
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
>>> at
>>>
>>>
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
>>> at
>>>
>>>
org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
>>> at
>>>
>>>
org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
>>> at
>>>
>>>
org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
>>> at
>>>
>>>
org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
>>> at
>>>
>>>
org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
>>> at
>>>
>>>
org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
>>> at
>>>
>>>
com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
>>> Caused by:
>>> org.keycloak.authorization.client.AuthorizationDeniedException:
>>> org.keycloak.authorization.client.util.HttpResponseException: Unexpected
>>> response from server: 403 / Forbidden / Response from server:
>>>
{"error":"invalid_scope","error_description":"Requires
uma_protection
>>> scope."}
>>> at
>>>
>>>
org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
>>> at
>>>
>>>
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
>>> at
>>>
>>>
org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
>>> at
>>>
>>>
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
>>> at
>>>
>>>
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
>>> ... 7 more
>>> Caused by: org.keycloak.authorization.client.util.HttpResponseException:
>>> Unexpected response from server: 403 / Forbidden / Response from server:
>>>
{"error":"invalid_scope","error_description":"Requires
uma_protection
>>> scope."}
>>> at
>>>
>>>
org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
>>> at
>>>
>>>
org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
>>> at
>>>
>>>
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
>>> at
>>>
>>>
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
>>> at
>>>
>>>
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
>>> ... 8 more
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
2:19 p.m.
Issue seems to be fixed in latest keycloak - 4.5. I just downloaded
keycloak 4.5.0 and imported realm. It's working fine.
On Fri, Oct 5, 2018 at 9:50 AM Bruce Wings <testoauth55(a)gmail.com> wrote:
What is more weird is that if I create a new realm in keycloak 4.4
and
import client from keycloak 4.3 into this realm , then everything works
fine. The issue appears only if I import complete realm.
On Fri, Oct 5, 2018 at 6:41 AM Bruce Wings <testoauth55(a)gmail.com> wrote:
> Secondly,
>
> I manually added uma_protection role to my client in keycloak 4.4 like
> this, but I still get the same exception. Is this role supposed to be added
> in a different way?
>
> [image: image.png]
>
>
> Firstly,
>
> uma_authorization
>
<http://localhost:9080/auth/admin/master/console/#/realms/Cadence/roles/04...
> role is present in both the installations (4.3 and 4.4)*.
> uma_protection *role is *not *present in any.
> Is it the case that keycloak 4.3 used to work without* uma_protection *and
> 4.4 needs* uma_protection *role*?*
>
> On Fri, Oct 5, 2018 at 6:31 AM Bruce Wings <testoauth55(a)gmail.com> wrote:
>
>> uma_authorization
>>
<http://localhost:9080/auth/admin/master/console/#/realms/Cadence/roles/04...
>> role is present in both the installations (4.3 and 4.4)*.
>> uma_protection *role is *not *present in any.
>> Is it the case that keycloak 4.3 used to work without* uma_protection *and
>> 4.4 needs* uma_protection *role*?*
>>
>> On Fri, Oct 5, 2018 at 12:12 AM Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> Please, check if your client is granted with a "uma_protection"
client
>>> role. I think client roles were not being exported correctly and we fixed
>>> that in the latest release.
>>>
>>> On Thu, Oct 4, 2018 at 11:12 AM Bruce Wings <testoauth55(a)gmail.com>
>>> wrote:
>>>
>>>> I have upgraded from keycloak 4.3 to keycloak 4.4. I ahve exported the
>>>> realm from 4.3 and imported in 4.4.
>>>>
>>>> The "policy-enforcer": {} in keycloak.json results in *403
>>>> :
{"error":"invalid_scope","error_description":"Requires
>>>> uma_protection
>>>> scope."}*
>>>>
>>>> In keycloak 4.3 everything works fine. I have exported realm and used
>>>> with
>>>> keycloak 4.4, but the policy-enforcer does not work. Is there some
>>>> extra
>>>> step that is needed apart from exporting and importing json?
>>>> If I remove policy-enforcer line the app works fine.
>>>>
>>>> *APP code:*
>>>> final String KEYCLOAK_JSON = //json path;
>>>> InputStream config =
>>>>
>>>>
Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>>> KeycloakInstalled keycloak = new KeycloakInstalled(config);
>>>>
>>>>
>>>>
>>>> *Stack trace thrown at the time of starting app:*
>>>>
>>>> java.lang.RuntimeException: Could not find resource
>>>> Logged in...
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
>>>> at
>>>>
>>>>
org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
>>>> at
>>>>
>>>>
org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
>>>> at
>>>>
>>>>
org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
>>>> at
>>>>
>>>>
org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
>>>> at
>>>>
>>>>
org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
>>>> at
>>>>
>>>>
org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
>>>> at
>>>>
>>>>
com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
>>>> Caused by:
>>>> org.keycloak.authorization.client.AuthorizationDeniedException:
>>>> org.keycloak.authorization.client.util.HttpResponseException:
>>>> Unexpected
>>>> response from server: 403 / Forbidden / Response from server:
>>>>
{"error":"invalid_scope","error_description":"Requires
uma_protection
>>>> scope."}
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
>>>> ... 7 more
>>>> Caused by:
>>>> org.keycloak.authorization.client.util.HttpResponseException:
>>>> Unexpected response from server: 403 / Forbidden / Response from
>>>> server:
>>>>
{"error":"invalid_scope","error_description":"Requires
uma_protection
>>>> scope."}
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
>>>> at
>>>>
>>>>
org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
>>>> ... 8 more
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
2041
days inactive
2042
days old
5 comments
2 participants
participants (2)
-
Bruce Wings -
Pedro Igor Silva