Sure. Created one -
I didn't know whether to put it as a task for filtering by audience or as a bug
because it used to work. Hope I described it correctly.
Thanks!!
*Or Harary*, VP R&D
IL +972-54-5821080
On Wed, Sep 11, 2019 at 3:45 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
I see now. I think we can improve that. Do you mind creating an issue?
On Tue, Sep 10, 2019 at 5:48 PM Or Harary <or(a)myobligo.com> wrote:
> I meant resources owned by another resource server, but in the audience I
> send the other resource server name.
> And it's granted access by a policy.
> So for example, I'm requesting "resourceA", which is inside "clientA" and
> owned by it, and I'm making the request with the token of "clientB", and in
> the "audience" I'm sending "clientA".
> That doesn't work =/
> So why isn't the "audience" used to filter the correct client to find the
> resource inside, using the name?
>
> Thanks again very much for the reply and the help! =]
>
> On Tue, 10 Sep 2019 at 23:27, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
>> If you mean resources owned by the resource server itself (the default
>> owner for any resource you create) then the server is able to get the right
>> resource by the name given that only a single resource with a given name
>> should exist.
>>
>> On Tue, Sep 10, 2019 at 12:05 PM Or Harary <or(a)myobligo.com> wrote:
>>
>>> Just another small question regarding this - I'm sending the "audience"
>>> parameter with the resource server id (client id) that I want to check the
>>> permissions on, why doesn't it use it to filter the correct resource server
>>> and find the resource with the name inside that resource server? Why is it
>>> different to a user if the user also isn't the owner?
>>>
>>> *Or Harary*, VP R&D
>>> IL +972-54-5821080
>>>
>>>
>>> On Tue, Sep 10, 2019 at 5:55 PM Or Harary <or(a)myobligo.com> wrote:
>>>
>>>> Got it, thank you very much for the clarification.
>>>>
>>>> On Tue, Sep 10, 2019 at 5:50 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> This is because resources can have the same name but different owners. If
>>>>> the client is not acting on behalf of the user (user is subject in token)
>>>>> it won't be able to send permission requests using the resource name. If
>>>>> the client is acting on behalf of the user, then the server is capable of
>>>>> matching the correct resources.
>>>>>
>>>>> Regards.
>>>>> Pedro Igor
>>>>>
>>>>> On Tue, Sep 10, 2019 at 11:44 AM Or Harary <or(a)myobligo.com> wrote:
>>>>>
>>>>>> Hey,
>>>>>>
>>>>>> When I'm logged in as a user (grant_type=password), and I'm trying to
>>>>>> request a permission ticket for a resource by its name, and I'm using the
>>>>>> token endpoint and grant type "urn:ietf:params:oauth:grant-type:uma-ticket",
>>>>>> everything works well.
>>>>>>
>>>>>> But if I'm using a resource server token (from a login using
>>>>>> client_credentials), and I'm trying to request permissions for a resource
>>>>>> in another resource server, by the resource name, it results in the
>>>>>> following error:
>>>>>> {
>>>>>>   error: 'invalid_resource',
>>>>>>   error_description: 'Resource with id [my-resource-name] does not exist.'
>>>>>> }
>>>>>>
>>>>>> When I'm requesting the resource with its ID, everything works as
>>>>>> expected.
>>>>>>
>>>>>> In version 3.4 it worked well. I now checked it in version 6.0.1 and
>>>>>> version 7.0.0 and it doesn't work and it seems to be because of this
>>>>>> line:
>>>>>>
>>>>>> https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a409...
>>>>>>
>>>>>> Is this the expected behaviour or a bug?
>>>>>>
>>>>>> Thanks in advance,
>>>>>> Or
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
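A small model of the name-resolution behaviour described in this thread, added here as an illustration and not Keycloak's own code; the registry, the resource ids and the `resolve_permission` helper are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resource:
    id: str
    name: str
    owner: str            # user id, or the resource server's own client id (default owner)
    resource_server: str  # client that registered the resource


# Constructed sample registry (hypothetical ids): "resourceA" exists twice in
# clientA, once owned by the resource server itself and once by user "alice".
REGISTRY = [
    Resource("res-1", "resourceA", owner="clientA", resource_server="clientA"),
    Resource("res-2", "resourceA", owner="alice", resource_server="clientA"),
    Resource("res-3", "resourceB", owner="clientB", resource_server="clientB"),
]


def find_by_id(resource_id: str) -> Optional[Resource]:
    """An id is unique, so this works whoever sends the token."""
    return next((r for r in REGISTRY if r.id == resource_id), None)


def find_by_name(name: str, token_subject: str) -> Optional[Resource]:
    """Name lookup as described in the thread: a name is only unique per owner,
    so it is resolved among resources owned by the token's subject (a user, or
    the resource server using its own token). The audience is not consulted."""
    return next((r for r in REGISTRY
                 if r.name == name and r.owner == token_subject), None)


def resolve_permission(token_subject: str, permission: str) -> dict:
    """Resolve the 'permission' value of a uma-ticket request (an id or a name)
    and return either the matched resource or the error shape from the thread."""
    found = find_by_id(permission) or find_by_name(permission, token_subject)
    if found is None:
        return {"error": "invalid_resource",
                "error_description": f"Resource with id [{permission}] does not exist."}
    return {"resource_id": found.id, "owner": found.owner,
            "resource_server": found.resource_server}


if __name__ == "__main__":
    # user token (grant_type=password): the name resolves to alice's own resource
    print(resolve_permission("alice", "resourceA"))
    # clientB's client_credentials token asking for clientA's resource by name fails ...
    print(resolve_permission("clientB", "resourceA"))
    # ... while the same request by id succeeds
    print(resolve_permission("clientB", "res-1"))
```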