Oh, I think I understood. Even when the resource is created by the client
on behalf of a user, that user must have the uma_protection client role.
I.e. in my example above, cdupont must have it. I think I'll create a group
so that every new user has it.
On Wed, Sep 12, 2018 at 10:02 AM, Corentin Dupont <corentin.dupont(a)gmail.com> wrote:
> At the moment I try to create the resource with a client token (not a user
> token):
>
> CLIENTTOKEN=`curl -X POST \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   -d 'grant_type=client_credentials&client_id=api-server&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' \
>   "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" |
>   jq .access_token -r`
>
> curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" \
>   -H "Authorization: Bearer $CLIENTTOKEN" \
>   -H "Content-Type: application/json" \
>   -d '{"name":"Sensortest3","scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont","ownerManagedAccess": true}'
>
> Is this correct?
> Thanks
>
> On Tue, Sep 11, 2018 at 11:28 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
>> Hi,
>>
>> Your users must be granted this client role in order to access the
>> protection API. This allows the user to consent whether or not access should be
>> granted to resource servers to act on his behalf when managing user
>> resources.
>>
>> On Tue, Sep 11, 2018 at 1:19 PM, Corentin Dupont <corentin.dupont(a)gmail.com> wrote:
>>
>>> Hi,
>>> I updated my keycloak to 4.4.0.
>>> When I get my resources:
>>> GET on: http://localhost:8080/auth/realms/waziup/authz/protection/resource_set
>>>
>>> I now get error 403: invalid_scope, Requires uma_protection scope
>>>
>>> What did I miss?
>>> I activated User-Managed Access at realm level.
>>> Thanks
>>> Corentin
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>