[keycloak-dev] Entitlement API, role based Policy, forbidden

Sven Thoms sven.thoms at gmail.com
Mon Mar 27 12:52:12 EDT 2017

I have users in my realm that I have assigned realm roles to:

realm roles: Master, Apprentice

one such user is

roles: uma_authorization, Apprentice

When I enable authorization on a client and
1. add a resource besides the default resource to it, say "Second Resource"
2. under Policies - Roles, add a role-based policy referencing the realm role
Apprentice that my user belongs to

Using the test user's access_token obtained from the realm token endpoint:

curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=admin-cli&username=test_user&password=password&grant_type=password" \
  "https://<keycloak-host>/auth/realms/<realm>/protocol/openid-connect/token"

and calling the entitlement API for the client's id with the user's bearer
access token and a payload naming the Second Resource, I always get a
Forbidden status code:

curl -v -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <user-access-token>" \
  -d '{"permissions":[{"resource_set_name":"Second Resource"}]}' \
  "https://<keycloak-host>/auth/realms/<realm>/authz/entitlement/<client_id>"

For the Default Resource, all is fine and I get back an RPT.

Am I missing something regarding the user’s needed roles? According to the
documentation, the role-level permission for the Second Resource should
lead to the user being authorized to access the second resource if any
realm role in a role-based permission for a resource holds.

I am using keycloak 2.5.1.
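As an added example (not part of the original post and not Keycloak project code), the following Python script reproduces the two requests described above and adds the diagnostic a practitioner would want before asking about roles: decode the user's access token to see which realm roles it actually carries, and decode the returned RPT to see which resources were granted. The endpoint paths (/auth/realms/<realm>/protocol/openid-connect/token and /auth/realms/<realm>/authz/entitlement/<client_id>) follow the Keycloak 2.x documentation and are assumptions here; host, realm and client names are placeholders, and the two sample tokens at the bottom are constructed, unsigned JWTs so the demo runs offline.

```python
"""Added example: Keycloak 2.x entitlement request plus token diagnostics.

Not code from the original post or from the Keycloak project. Endpoint
layouts are assumptions taken from the Keycloak 2.x documentation; the
sample tokens below are constructed and unsigned, for offline demonstration.
"""
import base64
import json
import urllib.parse
import urllib.request


def token_endpoint(base_url, realm):
    # Assumed Keycloak 2.x layout for the realm token endpoint.
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def entitlement_endpoint(base_url, realm, client_id):
    # Assumed Keycloak 2.x layout for the Entitlement API of a resource server.
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/authz/entitlement/{client_id}"


def password_grant_body(client_id, username, password):
    # Same form body the post sends with curl, URL-encoded by the library.
    return urllib.parse.urlencode({
        "client_id": client_id, "username": username,
        "password": password, "grant_type": "password",
    }).encode()


def entitlement_request(resource_names, scopes=None):
    # Build the JSON payload with json.dumps so quoting is always balanced
    # (the hand-written payload in the post had an unterminated key).
    permissions = []
    for name in resource_names:
        perm = {"resource_set_name": name}
        if scopes:
            perm["scopes"] = list(scopes)
        permissions.append(perm)
    return json.dumps({"permissions": permissions}).encode()


def fetch_rpt(base_url, realm, client_id, access_token, resource_names):
    """POST to the entitlement endpoint and return the RPT string.

    Raises urllib.error.HTTPError on 403, which is the symptom in the post.
    """
    req = urllib.request.Request(
        entitlement_endpoint(base_url, realm, client_id),
        data=entitlement_request(resource_names),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {access_token}"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["rpt"]


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token):
    """Decode the payload WITHOUT verifying the signature: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def realm_roles(claims):
    # Realm roles live under realm_access.roles in a Keycloak access token.
    return list(claims.get("realm_access", {}).get("roles", []))


def granted_resources(rpt_claims):
    # An RPT lists granted permissions under authorization.permissions.
    perms = rpt_claims.get("authorization", {}).get("permissions", [])
    return [p.get("resource_set_name") for p in perms]


def rpt_covers(rpt_claims, resource_name):
    return resource_name in granted_resources(rpt_claims)


def _unsigned_jwt(claims):
    # Constructed alg=none token for the offline demo; never accept one in production.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens mirroring the situation in the post.
SAMPLE_ACCESS_TOKEN = _unsigned_jwt({
    "preferred_username": "test_user",
    "realm_access": {"roles": ["uma_authorization", "Apprentice"]},
})
SAMPLE_RPT = _unsigned_jwt({
    "authorization": {"permissions": [
        {"resource_set_id": "constructed-id", "resource_set_name": "Default Resource"},
    ]},
})

if __name__ == "__main__":
    print("payload:", entitlement_request(["Second Resource"]).decode())
    print("user realm roles:", realm_roles(jwt_claims(SAMPLE_ACCESS_TOKEN)))
    print("RPT grants:", granted_resources(jwt_claims(SAMPLE_RPT)))
    print("Second Resource granted:", rpt_covers(jwt_claims(SAMPLE_RPT), "Second Resource"))
```

If realm_roles() shows the expected role but fetch_rpt() still returns 403, the problem is on the policy/permission side rather than the user's role assignment; if the RPT comes back but granted_resources() lacks the resource, the request was accepted but the permission did not evaluate to GRANT.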
