[keycloak-dev] [keycloak-user] /authz/protection/permission/ticket usage?

Ulrik Sjölin ulrik.sjolin at gmail.com
Fri Nov 9 12:26:51 EST 2018


Here is my script… it's a bit of a hack but it produces the problem
100% of the time.

Best Regards,

Ulrik

#!/bin/bash
export host=keycloak
export port=8081
export realm=myrealm
export resource_server_client_id=myrealm-core-services
export resource_server_client_secret=133544d2-8d6c-4a8b-a4e2-827bdd34cdca
export username=alice
export password=alice
export resource_owner=jdoe
export resource_name=JDoeResource
export scope=read

echo "Obtaining token for ${username}"

export access_token=\
`curl --silent \
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
-d client_id=${resource_server_client_id} \
-d client_secret=${resource_server_client_secret} \
-d username=${username} \
-d password=${password} \
-d grant_type=password \
| jq -r ".access_token"`

echo "Obtaining token for ${resource_server_client_id}"

export service_access_token=\
`curl --silent -X POST \
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
-d grant_type=client_credentials \
-d client_id=${resource_server_client_id} \
-d client_secret=${resource_server_client_secret} \
| jq -r ".access_token"`

echo "Getting resource id for resource: ${resource_name}"

export result=\
`curl --silent -X GET \
"http://${host}:${port}/auth/realms/${realm}/authz/protection/resource_set?name=${resource_name}" \
-H "Authorization: Bearer ${access_token}" \
| jq -r ".[0]"`

if [ "$result" = "null" ]; then
    echo "Trying to create resource"

    export new_obj=`curl --silent -X POST \
    http://${host}:${port}/auth/realms/${realm}/authz/protection/resource_set \
    -H "content-type: application/json" \
    -H "Authorization: Bearer ${service_access_token}" \
    -d "{
    \"name\":\"${resource_name}\",
    \"type\":\"Entities\",
    \"ownerManagedAccess\":\"true\",
    \"resource_scopes\":[\"admin\",\"peek\",\"read\",\"write\",\"delete\"]
    }"`

    resource_id=`echo $new_obj | jq "._id" | tr -d '"'`
    echo "Resource ID: ${resource_id}"
else
    echo "Found resource with id: ${result}"
    resource_id=$result
fi

echo "Add permission ticket"

export result=\
`curl --silent -X POST \
http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket \
-H "Authorization: Bearer ${service_access_token}" \
-H "Content-Type: application/json" \
-d "{
\"resource\":\"${resource_id}\",
\"scopeName\":\"${scope}\",
\"requesterName\":\"${username}\",
\"granted\":\"true\",
\"ownerName\":\"${resource_server_client_id}\"
}"`

echo
echo "Get a list of all permission tickets"

export result=\
`curl --silent -X GET \
http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket \
-H "Authorization: Bearer ${service_access_token}"`

echo $result | jq -C .


echo
echo "Get a list of all permission tickets - with names"

export result=\
`curl --silent -X GET \
"http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket?returnNames=true" \
-H "Authorization: Bearer ${service_access_token}"`

echo $result | jq -C .



On 9 November 2018 at 16:58:27, Pedro Igor Silva
(psilva at redhat.com) wrote:

> Could not reproduce this. Can you give me an example of the GET request ?
>
> On Fri, Nov 9, 2018 at 12:54 PM Ulrik Sjölin wrote:
> > Hello,
> >
> > Thank you for your quick answer, things are really close now :)
> >
> > Unfortunately using returnNames in GET permission/ticket triggers an NPE
> > when I use returnNames. I have built from tip of master
> > (29f8187978ea464ff6636981ede22ac5f7f86075).
> > I paste in the full console printout below. The NPE occurs at:
> >
> > 15:13:47,468 ERROR XNIO-1 task-15 [org.keycloak.services.error.KeycloakErrorHandler] Uncaught server error
> > java.lang.NullPointerException
> > at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:877)
> >
> > The function in question seems to fail to get the owner. I tried to use
> > ownerName when creating the ticket, and sure enough I got:
> >
> > [
> > {
> > "id": "9785e990-8f14-408b-814b-f8f8b46e5076",
> > "owner": "5759f399-a9c0-47e1-8eb7-dd8b9148aaec",
> > "resource": "740fb06e-a543-4cca-9be1-ab240710c4c9",
> > "scope": "55b45b56-2fcb-4b18-b9ab-ec68c53fc14b",
> > "granted": true,
> > "requester": "b4e263e7-7739-4e0b-b554-b96520d27bae"
> > }
> > ]
> >
> > So the owner field is set in the DB but it seems that line 874 still sets
> > owner variable to null… I am really at a loss what to do. I suspect a patch
> > where we check for null on owner and requester is not the right thing to do :)
> >
> > 858 public static PermissionTicketRepresentation toRepresentation(PermissionTicket ticket, AuthorizationProvider authorization, boolean returnNames) {
> > 859     PermissionTicketRepresentation representation = new PermissionTicketRepresentation();
> > 860
> > 861     representation.setId(ticket.getId());
> > 862     representation.setGranted(ticket.isGranted());
> > 863     representation.setOwner(ticket.getOwner());
> > 864     representation.setRequester(ticket.getRequester());
> > 865
> > 866     Resource resource = ticket.getResource();
> > 867
> > 868     representation.setResource(resource.getId());
> > 869
> > 870     if (returnNames) {
> > 871         representation.setResourceName(resource.getName());
> > 872         KeycloakSession keycloakSession = authorization.getKeycloakSession();
> > 873         RealmModel realm = authorization.getRealm();
> > 874         UserModel owner = keycloakSession.users().getUserById(ticket.getOwner(), realm);
> > 875         UserModel requester = keycloakSession.users().getUserById(ticket.getRequester(), realm);
> > 876         representation.setRequesterName(requester.getUsername());
> > 877         representation.setOwnerName(owner.getUsername());
> > 878     }
> > 879
> > 880     Scope scope = ticket.getScope();
> > 881
> > 882     if (scope != null) {
> > 883         representation.setScope(scope.getId());
> > 884         if (returnNames) {
> > 885             representation.setScopeName(scope.getName());
> > 886         }
> > 887     }
> > 888
> > 889     return representation;
> > 890 }
> > 891 }
> >
> >
> > Best Regards,
> >
> > Ulrik
> >
> > 15:13:47,468 ERROR XNIO-1 task-15 [org.keycloak.services.error.KeycloakErrorHandler] Uncaught server error
> > java.lang.NullPointerException
> > at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:877)
> > at org.keycloak.authorization.protection.permission.PermissionTicketService.lambda$find$90(PermissionTicketService.java:224)
> > at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
> > at java.util.LinkedList$LLSpliterator.forEachRemaining(LinkedList.java:1235)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
> > at org.keycloak.authorization.protection.permission.PermissionTicketService.find(PermissionTicketService.java:225)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:497)
> > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> > at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
> > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
> > at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
> > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
> > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
> > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
> > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
> > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> > at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
> > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> > at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> > at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> > at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > at java.lang.Thread.run(Thread.java:745)
> >
> >
> > On 9 November 2018 at 14:37:01, Pedro Igor Silva (psilva at redhat.com) wrote:
> >
> > Hi,
> >
> > You can use "scopeName" and "requesterName" properties for that. Take a
> > look here
> > https://github.com/keycloak/keycloak/blob/5cbe595fe3094aae8135b8f2c729e9af0cbdd076/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketRepresentation.java#L22
> > .
> >
> > Regards.
> > Pedro Igor
> >
> > On Fri, Nov 9, 2018 at 7:18 AM Ulrik Sjölin wrote:
> >
> > > Hello,
> > >
> > > I have a question on how to use the
> > > API: /authz/protection/permission/ticket
> > >
> > > I can call the endpoint successfully if I do the call with only ids:
> > >
> > > > curl --silent -X POST \
> > > > http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket \
> > > > -H "Authorization: Bearer ${service_access_token}" \
> > > > -H "Content-Type: application/json" \
> > > > -d "{
> > > > \"resource\":\"${resource_id}\",
> > > > \"scope\":\"40065a35-02d5-4db9-be46-02566cf7a666\",
> > > > \"requester\":\"79ae9a5a-0304-41ec-b721-d57a09d419cb\",
> > > > \"granted\":\"true\"
> > > > }"
> > >
> > > It would however be a lot more workable for me if I could use names like:
> > >
> > > > curl --silent -X POST \
> > > > http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket \
> > > > -H "Authorization: Bearer ${service_access_token}" \
> > > > -H "Content-Type: application/json" \
> > > > -d "{
> > > > \"resource\":\"${resource_id}\",
> > > > \"scope\":\"Read\",
> > > > \"requester\":\"alice\",
> > > > \"granted\":\"true\"
> > > > }"
> > >
> > > But when I do this I get:
> > >
> > > > {"error":"invalid_scope","error_description":"Scope [Read] is invalid"}
> > > > {"error":"invalid_permission","error_description":"Requester does not exists in this server as user."}
> > >
> > > Looking at the code there seems to be lookups from names to id, but
> > > for some reason it fails. What
> > > am I doing wrong? Any help is greatly appreciated.
> > >
> > > Best Regards,
> > >
> > > Ulrik Sjölin
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org(mailto:keycloak-user at lists.jboss.org)
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org(mailto:keycloak-dev at lists.jboss.org)
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev

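Added example, not part of the original thread and not Keycloak code: a POSIX shell helper that builds the permission ticket body discussed above, sending a value under "scope" / "requester" / "owner" when it looks like an id and under "scopeName" / "requesterName" / "ownerName" when it is a name, and escaping values instead of pasting them into the JSON by hand. The function names, the rule that a UUID-shaped value is an id, and the requirement that the resource is passed by id are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the JSON body for
# POST .../authz/protection/permission/ticket from ids or names.
# Assumption: a value shaped like a UUID is an id, anything else is a name.

# is_uuid VALUE: succeed when VALUE has the 8-4-4-4-12 hex form of the ids
# shown in the thread (e.g. 9785e990-8f14-408b-814b-f8f8b46e5076).
is_uuid() {
    [ "${#1}" -eq 36 ] || return 1
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# json_string VALUE: print VALUE as a JSON string literal. Backslash and
# double quote are escaped; empty values and control characters are refused.
json_string() {
    [ -n "$1" ] || return 1
    [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ] || return 1
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# ticket_field KEY VALUE: print "KEY":"VALUE" for an id and
# "KEYName":"VALUE" for a name (scope/scopeName, requester/requesterName,
# owner/ownerName).
ticket_field() {
    value=$(json_string "$2") || return 1
    if is_uuid "$2"; then
        printf '"%s":%s' "$1" "$value"
    else
        printf '"%sName":%s' "$1" "$value"
    fi
}

# ticket_payload RESOURCE_ID SCOPE REQUESTER [OWNER]: print the request body.
# The resource is required to be an id, as in every request in the thread.
ticket_payload() {
    is_uuid "$1" || { echo "resource must be an id" >&2; return 1; }
    body="\"resource\":\"$1\""
    part=$(ticket_field scope "$2") || return 1
    body="$body,$part"
    part=$(ticket_field requester "$3") || return 1
    body="$body,$part"
    if [ -n "${4:-}" ]; then
        part=$(ticket_field owner "$4") || return 1
        body="$body,$part"
    fi
    # "granted" is sent as the string "true", as in the script above.
    printf '{%s,"granted":"true"}\n' "$body"
}

# Constructed sample call: resource id taken from the ticket listing in the
# thread, scope and requester given by name.
ticket_payload 740fb06e-a543-4cca-9be1-ab240710c4c9 read alice
```

The output can be passed to curl with -d "$(ticket_payload ...)" in place of the hand-written JSON strings.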