[keycloak-user] Access token does not contain permissions key

Cristi Cioriia cristi.cioriia at gmail.com
Wed Nov 9 08:25:21 EST 2016


Hi guys,

I've introspected an access key for one of my Keycloak applications and
noticed that it does not contain a permissions key in it (as described
here:
https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.2/topics/service/protection/token-introspection.html),
but instead it contains a resource_access/Vertx-server/roles key. My
question is: what do I need to do in order to receive a permissions object
in the access token as described in the above document? The URL I used for
retrieving the access token looks like this:

http://localhost:9090/auth/realms/master/protocol/openid-connect/token/introspect

My use case looks like this:

I do have in my Vertx-server application a role-based policy that uses a
role named "employee" and a permission that protects one of my resources
using that role-based policy. Then, when my client application named Vert-x
client requests an access token to access the protected resource from the
Vertx-server, the access token looks like this:

{
  "jti": "565fbecf-1ef5-4059-9309-fe3fca5d74bd",
  "exp": 1478699031,
  "nbf": 0,
  "iat": 1478695431,
  "iss": "http://localhost:9090/auth/realms/master",
  "aud": "Vertex-client",
  "sub": "0ba24c3e-2fe6-49f2-80b1-08023a236cd6",
  "typ": "Bearer",
  "azp": "Vertex-client",
  "auth_time": 1478695431,
  "session_state": "6e262177-dfd3-498f-a1f2-7a09bd04ff42",
  "name": "",
  "preferred_username": "admin",
  "acr": "1",
  "client_session": "9fc92504-a541-4757-8960-19d7f5457384",
  "allowed-origins": [
    "http://localhost:8282"
  ],
  "realm_access": {
    "roles": [
      "create-realm",
      "admin",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "Vertex-server": {
      "roles": [
        "employee"
      ]
    },
    "master-realm": {
      "roles": [
        "view-identity-providers",
        "view-realm",
        "manage-identity-providers",
        "impersonation",
        "create-client",
        "manage-users",
        "view-authorization",
        "manage-events",
        "manage-realm",
        "view-events",
        "view-users",
        "view-clients",
        "manage-authorization",
        "manage-clients"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "client_id": "Vertex-client",
  "username": "admin",
  "active": true
}

Thanks,
Cristi

