[keycloak-user] Requires uma_protection scope

Geoffrey Cleaves geoff at opticks.io
Tue Nov 20 14:22:29 EST 2018 

I understand that the client is supposed to have the role given the Admin
Console settings, but does the token show that role when you introspect it?

On Tue, Nov 20, 2018, 18:02 Julien Deruere <deruere.julien at gmail.com wrote:

> That's exactly what I did/checked. That's why I can't figure out why it's
> not working :(
>
> Le mar. 20 nov. 2018 11:53, Pedro Igor Silva <psilva at redhat.com> a écrit :
>
> > This role should be a client role. For instance, if you are trying to
> > create resources for C1 the service account must be granted with client
> > role C1/uma-protection. See screenshot attached.
> >
> > Regards.
> >
> > On Tue, Nov 20, 2018 at 2:01 PM Julien Deruere <deruere.julien at gmail.com
> >
> > wrote:
> >
> >> In this case I'm using protection API:
> >>
> >> curl -X POST \
> >>     -H "Content-Type: application/x-www-form-urlencoded" \
> >>     -d
> 'grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}'
> \
> >>     "
> http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token
> "
> >>
> >>
> >> I'm asking a token as a client, not as a user. And I checked, my client
> >> has the uma_protection role in Service Account Role.
> >>
> >> I don't know where I'm wrong?
> >>
> >> Le mar. 20 nov. 2018 10:54, Pedro Igor Silva <psilva at redhat.com> a
> >> écrit :
> >>
> >>> Hi,
> >>>
> >>> You need to grant uma_protection client scope (it should be available
> as
> >>> one of the roles associated with your resource server) to the user to
> which
> >>> you are issuing tokens for.
> >>>
> >>> On Tue, Nov 20, 2018 at 1:52 PM Julien Deruere <
> deruere.julien at gmail.com>
> >>> wrote:
> >>>
> >>>> Any update on this?
> >>>> I got the exact same message when using POSTMAN :
> >>>>
> >>>> I fist do this (with grant_type=client_credentials):
> >>>> http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token
> >>>>
> >>>> And then this with the token I received:
> >>>> GET
> >>>>
> >>>>
> http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type=zone
> >>>> Which answer me this:
> >>>> {
> >>>>     "error": "invalid_scope",
> >>>>     "error_description": "Requires uma_protection scope."
> >>>> }
> >>>>
> >>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>
> >>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list