[keycloak-user] Retrieve all permissions

Corentin Dupont corentin.dupont at gmail.com
Tue Jul 10 09:31:50 EDT 2018


Hi guys,
I noticed a couple of strange things when retrieving all the permissions.
I tried:

$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server" \
    | jq .access_token -r | cut -d "." -f2 | base64 -d | jq

"authorization": {
    "permissions": [
...

But it seems that this command returns only the permissions for the
resources belonging to the client, excluding resources belonging to other
users?
To get an assessment of all resources, I tried adding a scope:

$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#sensors:view" \
    | jq .access_token -r | cut -d "." -f2 | base64 -d | jq

"authorization": {
    "permissions": [
        {
        "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
        "rsname": "foo"

This instead returns a list of resources belonging to all users.
But the list seems to be wrong: it returns sensors to which I *don't* have
access!
If I try the request on the specific resource, it returns (rightfully)
access_denied:

$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=9e24320d-ef89-440b-b6d5-d7b5a4896f60#sensors:view"
{"error":"access_denied","error_description":"not_authorized"}

Another strange thing: if I try with a non-existent resource ID, there is
no error message and it returns a list of permissions:

$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not-exist#sensors:view" \
    | jq .access_token -r | cut -d "." -f2 | base64 -d | jq

"authorization": {
    "permissions": [
        {
        "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
        "rsname": "foo"
...

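Added example (not part of the post above, and not Keycloak's own code): a small Python helper that decodes the RPT payload with proper base64url handling (the `cut | base64 -d` pipeline in the post can fail on unpadded segments or on `-`/`_` characters) and then asks the question a resource server actually has to answer: is this exact rsid granted this exact scope, rather than "is the permissions list non-empty". The rsid and the `sensors:view` scope are taken from the post; the `scopes` field on each permission entry and the sample token are constructed assumptions, and the token's signature is not verified here.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip.
    A plain `base64 -d` rejects missing padding and the '-'/'_' alphabet."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def rpt_permissions(rpt: str) -> list:
    """Return the `authorization.permissions` claim of an RPT.
    Assumption: the JWS signature is NOT checked here; a resource server must
    verify it against the realm keys before trusting any of these claims."""
    _header, payload, _signature = rpt.split(".")
    claims = json.loads(b64url_decode(payload))
    return claims.get("authorization", {}).get("permissions", [])


def is_granted(permissions: list, rsid: str, scope: str) -> bool:
    """True only if an entry for this exact resource id carries this scope.
    A non-empty list (as seen with `permission=not-exist#sensors:view` in the
    post) says nothing about the resource the request is actually for."""
    for entry in permissions:
        if entry.get("rsid") == rsid and scope in entry.get("scopes", []):
            return True
    return False


def build_unsigned_rpt(claims: dict) -> str:
    """Constructed sample token for offline use (alg 'none', empty signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample payload with the same shape as the output quoted above;
# the `scopes` field is assumed, the post's excerpt is truncated before it.
SAMPLE_RPT = build_unsigned_rpt({
    "aud": "api-server",
    "authorization": {"permissions": [
        {"rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60", "rsname": "foo",
         "scopes": ["sensors:view"]},
    ]},
})

if __name__ == "__main__":
    perms = rpt_permissions(SAMPLE_RPT)
    print(is_granted(perms, "9e24320d-ef89-440b-b6d5-d7b5a4896f60", "sensors:view"))
    print(is_granted(perms, "not-exist", "sensors:view"))
```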
