[keycloak-user] Getting Permissions from RPT

Chandran Soundrapandian soundrachan at gmail.com
Sun Jan 28 05:15:01 EST 2018


Found the solution. Attaching the new config JSON

On 28 January 2018 at 11:42, Chandran Soundrapandian <soundrachan at gmail.com>
wrote:

> Hi,
>
> I am evaluating keycloak and trying out the following scenario:
>
> The system has a resource
> 1. "Contact"
>
> and two client roles
> 1. Admin
> 2. Trainee
>
> The "Admin role" can create, view, edit and delete the "contact resource"
> The "Trainee Role" can create and view "contact resource"
>
> Followed the following steps to setup the resource server:
>
> 1. Created a resource "Contact"
> 2. Created scopes "create, view, edit and delete"
> 3. Created role based policy with Admin Role - "Contact Admin Policy"
> 4. Created role based policy with Trainee Role - "Contact Trainee Policy"
> 5. Created Scope based permission "Contact Admin Permission" with all the
> scopes (Create, View, Edit, Delete) and associated it with the "Contact Admin
> Policy"
> 6. Created Scope based permission "Contact Trainee Permission" with create
> and view scopes and associated it with the "Contact Trainee Policy"
>
> After this setup, I am using the following Authz client code to display
> the permissions associated with the user:
>
> // Imports added for completeness; package names are those of the Keycloak 3.x
> // authz client and are an assumption, since they differ in later releases.
> import org.keycloak.authorization.client.AuthzClient;
> import org.keycloak.authorization.client.representation.EntitlementResponse;
> import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
> import org.keycloak.representations.idm.authorization.Permission;
>
> public class ContactPermissions {
>     public static void main(String[] args) {
>         // Reads keycloak.json from the classpath (server URL, realm, client credentials)
>         AuthzClient authzClient = AuthzClient.create();
>
>         // Obtain an access token for the test user ("UserName"/"UserPassword" are placeholders)
>         String accessToken = authzClient.obtainAccessToken("UserName", "UserPassword").getToken();
>
>         // Ask the entitlement API for every permission this user holds on the resource server
>         EntitlementResponse response = authzClient.entitlement(accessToken).getAll("Client ID");
>         String rpt = response.getRpt();
>
>         // Introspect the RPT to list the permissions and scopes the server actually granted
>         TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
>
>         System.out.println("Token status is: " + requestingPartyToken.getActive());
>         System.out.println("Permissions granted by the server: ");
>
>         for (Permission granted : requestingPartyToken.getPermissions()) {
>             System.out.println(granted);
>         }
>     }
> }
>
> For admin I get:
>
> Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact, scopes=[Contact:Edit, Contact:Delete]}
>
> whereas the expected is:
>
> Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact, scopes=[Contact:Create, Contact:View, Contact:Edit, Contact:Delete]}
>
>
>
> For Trainee I get
> - Nothing
>
> whereas the expected is:
>
> Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact, scopes=[Contact:Create, Contact:View]}
>
> Would you please let me know what I am doing wrong or how to set up the resource server to get the expected output.
>
> Thanks
> -Chandran
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ContactTest-authz-config(1).json
Type: application/json
Size: 2576 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180128/42430dc0/attachment.bin 
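The attached config is not reproduced in the archive, so the following is an added example, not the author's attachment or Keycloak's own code. It models, in plain Python, how two scope-based permissions that both cover the "Contact" resource are combined, using exactly the resource, scopes, role policies and permissions from the quoted setup. Keycloak's documentation describes two resource-server decision strategies: Unanimous (a scope is granted only if every permission covering it grants) and Affirmative (one granting permission is enough). That the server in this thread was combining unanimously is an assumption; the model simply shows that this rule reproduces the observed output line for line, while the affirmative rule yields the expected output.

```python
"""Added example: a minimal model of how scope permissions on one resource
combine under Keycloak's two resource-server decision strategies.  The data
below is constructed to mirror the setup in the quoted message; that the
server used the UNANIMOUS rule is an assumption, not a fact from the thread."""

from typing import Dict, List, Set, Tuple

# --- Constructed setup mirroring the quoted steps --------------------------
RESOURCE = "Contact"
SCOPES = ["Contact:Create", "Contact:View", "Contact:Edit", "Contact:Delete"]

# Role-based policies: policy name -> client role the policy requires
POLICIES: Dict[str, str] = {
    "Contact Admin Policy": "Admin",
    "Contact Trainee Policy": "Trainee",
}

# Scope-based permissions: name -> (scopes it covers, policies it applies)
PERMISSIONS: Dict[str, Tuple[Set[str], List[str]]] = {
    "Contact Admin Permission": (set(SCOPES), ["Contact Admin Policy"]),
    "Contact Trainee Permission": (
        {"Contact:Create", "Contact:View"},
        ["Contact Trainee Policy"],
    ),
}


def evaluate_policy(policy: str, user_roles: Set[str]) -> bool:
    """A role policy grants when the user holds the role it names."""
    return POLICIES[policy] in user_roles


def evaluate_permission(name: str, user_roles: Set[str]) -> Tuple[Set[str], bool]:
    """Return (scopes covered, grant decision) for one permission.

    The permission's own decision strategy over its policies is UNANIMOUS
    (the default for a new permission); each of these has a single policy.
    """
    scopes, applied = PERMISSIONS[name]
    granted = all(evaluate_policy(p, user_roles) for p in applied)
    return scopes, granted


def granted_scopes(user_roles: Set[str], strategy: str = "UNANIMOUS") -> List[str]:
    """Scopes on RESOURCE granted to a user, combining every permission that
    covers each scope with the resource-server strategy:
      UNANIMOUS   - granted only if every permission covering the scope grants
      AFFIRMATIVE - granted if at least one permission covering the scope grants
    """
    if strategy not in ("UNANIMOUS", "AFFIRMATIVE"):
        raise ValueError(f"unknown strategy {strategy!r}")
    votes: Dict[str, List[bool]] = {s: [] for s in SCOPES}
    for name in PERMISSIONS:
        scopes, granted = evaluate_permission(name, user_roles)
        for s in scopes:
            votes[s].append(granted)
    combine = all if strategy == "UNANIMOUS" else any
    # A scope with no covering permission is never granted (empty vote list).
    return [s for s in SCOPES if votes[s] and combine(votes[s])]


def format_permission(scopes: List[str]) -> str:
    """Render the result in the shape the introspection output uses."""
    if not scopes:
        return "Nothing"
    return f"Permission {{name={RESOURCE}, scopes=[{', '.join(scopes)}]}}"


if __name__ == "__main__":
    for role in ("Admin", "Trainee"):
        for strategy in ("UNANIMOUS", "AFFIRMATIVE"):
            result = format_permission(granted_scopes({role}, strategy))
            print(f"{role:8} {strategy:12} {result}")
```

Under UNANIMOUS the Admin user loses Create and View because the Trainee permission, which also covers those two scopes, denies a user without the Trainee role, and the Trainee user gets nothing because the Admin permission covers all four scopes and denies anyone without the Admin role; under AFFIRMATIVE both users get the scopes the question expected. Whichever rule a given Keycloak version applies, the practical check is the same: introspect the RPT for each role and compare the granted scopes against the intended matrix before enforcing anything.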