[keycloak-user] Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}
Pedro Igor Silva
psilva at redhat.com
Thu Oct 4 14:42:24 EDT 2018
Please, check if your client is granted with a "uma_protection" client
role. I think client roles were not being exported correctly and we fixed
that in the latest release.
On Thu, Oct 4, 2018 at 11:12 AM Bruce Wings <testoauth55 at gmail.com> wrote:
> I have upgraded from keycloak 4.3 to keycloak 4.4. I ahve exported the
> realm from 4.3 and imported in 4.4.
>
> The "policy-enforcer": {} in keycloak.json results in *403
> : {"error":"invalid_scope","error_description":"Requires uma_protection
> scope."}*
>
> In keycloak 4.3 everything works fine. I have exported realm and used with
> keycloak 4.4, but the policy-enforcer does not work. Is there some extra
> step that is needed apart from exporting and importing json?
> If I remove policy-enforcer line the app works fine.
>
> *APP code:*
> final String KEYCLOAK_JSON = //json path;
> InputStream config =
>
> Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
> KeycloakInstalled keycloak = new KeycloakInstalled(config);
>
>
>
> *Stack trace thrown at the time of starting app:*
>
> java.lang.RuntimeException: Could not find resource
> Logged in...
> at
>
> org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
> at
>
> org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
> at
>
> org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
> at
>
> org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
> at
>
> org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
> at
>
> org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
> at
>
> org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
> at
>
> org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
> at
>
> com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
> Caused by: org.keycloak.authorization.client.AuthorizationDeniedException:
> org.keycloak.authorization.client.util.HttpResponseException: Unexpected
> response from server: 403 / Forbidden / Response from server:
> {"error":"invalid_scope","error_description":"Requires uma_protection
> scope."}
> at
>
> org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
> at
>
> org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
> at
>
> org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
> at
>
> org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
> at
>
> org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
> ... 7 more
> Caused by: org.keycloak.authorization.client.util.HttpResponseException:
> Unexpected response from server: 403 / Forbidden / Response from server:
> {"error":"invalid_scope","error_description":"Requires uma_protection
> scope."}
> at
>
> org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
> at
>
> org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
> at
>
> org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
> at
>
> org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
> at
>
> org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
> ... 8 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list