[keycloak-user] Querying permissions of the Policy API always empty

Geoffrey Cleaves geoff at opticks.io
Sun Nov 18 06:27:33 EST 2018


Hi,

I'm sending GET requests to
http://${host}:${post}/auth/realms/${realm}/authz/protection/uma-policy
but only get an empty array. I have a permission/policy assigned to
hundreds of resources belonging to dozens of users and some resources owned
by the resource server itself. Reading the docs
<https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api>,
I expect to be able to get a list of all permissions or query by name.

Perhaps I am misunderstanding this:

This API is protected by a bearer token that must represent a consent
granted by the user to the resource server to manage permissions on his
behalf. The bearer token can be a regular access token obtained from the
token endpoint using:

   - Resource Owner Password Credentials Grant Type
   - Token Exchange, in order to exchange an access token granted to
     some client (public client) for a token where audience is the resource
     server

But I don't think so because if my token were wrong I'd get a 401 or 403
instead of 200 with an empty array. In any case I've tried with Client
Credentials Grant and Resource Owner Password Credentials Grant Type.

curl -D - -X GET \
   https://.../authz/protection/uma-policy \
   -H 'Authorization: Bearer eyJh' \
   -H 'Cache-Control: no-cache' \
   -H 'Postman-Token: deb09a7a-0499-430f-8164-3097e5ac145d' \
   -H 'cache-control: no-cache'

HTTP/1.1 200 OK
Server: nginx/1.11.10
Date: Sun, 18 Nov 2018 11:23:41 GMT
Content-Type: application/json
Content-Length: 2
Connection: keep-alive
Cache-Control: no-cache
[]

Any advice?
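
The two conditions in the documentation passage quoted above (a token that represents a user, with the resource server as audience) can be checked by reading the access token's claims. This is an added example, not part of the original post or of Keycloak's code; the client id `my-resource-server`, the user `alice` and the sample tokens are constructed, and the `service-account-` username prefix is an assumption about how Keycloak names service-account users.

```python
import base64
import json


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def check_uma_policy_token(token, resource_server):
    """List the ways the token differs from what the quoted docs ask for."""
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    findings = []
    if resource_server not in aud:
        findings.append(f"aud {aud} does not include {resource_server!r}")
    # Assumption: service-account users are named "service-account-<client_id>",
    # which is what a Client Credentials Grant token would carry.
    if str(claims.get("preferred_username", "")).startswith("service-account-"):
        findings.append("token belongs to a service account, not an end user")
    return findings


def _constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed data)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


USER_TOKEN = _constructed_token(
    {"aud": ["my-resource-server"], "preferred_username": "alice"})
SERVICE_TOKEN = _constructed_token(
    {"aud": "account",
     "preferred_username": "service-account-my-resource-server"})

if __name__ == "__main__":
    for name, tok in (("user", USER_TOKEN), ("service", SERVICE_TOKEN)):
        print(name, check_uma_policy_token(tok, "my-resource-server"))
```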