[keycloak-user] open-id/connect endpoint giving unexpected result

Ulrik Sjölin ulrik.sjolin at gmail.com
Mon Oct 22 01:58:22 EDT 2018


Hello,


I am using 4.5.0 and have a simple setup with 2 users (Alice and Jdoe), each
of whom has a UMA resource. Jdoe is sharing his resource with Alice (all
scopes). Running "evaluate" in the admin web UI, everything looks correct:
Alice does have the Delete scope (and 4 other scopes) on JdoeResource.


I use a simple curl script, but it does not give the same result as the
evaluate web UI does:


Using the /openid-connect/token endpoint with "permission=#Delete" and
subject_token=$ALICE_TOKEN, I get the expected result (both Alice's and Jdoe's
resources are returned correctly):

[{"scopes":["Delete"],"rsid":"c7fc0515-90f7-4485-a3c7-a8f62d64740c","rsname":"AliceResource"},{"scopes":["Delete","Read","Write","Admin","Peek"],"rsid":"854b0ac8-8504-4b92-b642-1c959a1f8de0","rsname":"JdoeResource"}]


Changing to "permission=AliceResource#Delete", everything looks as
expected:

[{"scopes":["Delete"],"rsid":"c7fc0515-90f7-4485-a3c7-a8f62d64740c","rsname":"AliceResource"}]


Changing again to the id of JdoeResource, i.e.
"permission=854b0ac8-8504-4b92-b642-1c959a1f8de0#Delete", I get:

[{"scopes":["Delete","Read","Write","Admin","Peek"],"rsid":"854b0ac8-8504-4b92-b642-1c959a1f8de0","rsname":"JdoeResource"}]


But changing to "permission=JdoeResource#Delete", I get what I think is an
unexpected result:

{"error":"invalid_resource","error_description":"Resource with id [JdoeResource] does not exist."}


Is this expected behavior? Is there something I am doing wrong?


Best Regards,


Ulrik
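Added example, not code from the original post: a small Python helper that builds the permission request the post describes and checks a decoded permissions response for a scope on a resource. It assumes the request is Keycloak's UMA ticket grant (grant_type=urn:ietf:params:oauth:grant-type:uma-ticket) with response_mode=permissions, which is what the quoted output looks like; the audience value is a placeholder, and the sample responses are constructed from the ones quoted above. The check matches on rsid before rsname, since the post shows the name lookup failing for the shared resource.

```python
import json
from urllib.parse import urlencode

# Constructed sample responses, copied from the permission and error output above.
PERMISSIONS_OK = json.loads(
    '[{"scopes":["Delete"],"rsid":"c7fc0515-90f7-4485-a3c7-a8f62d64740c","rsname":"AliceResource"},'
    '{"scopes":["Delete","Read","Write","Admin","Peek"],'
    '"rsid":"854b0ac8-8504-4b92-b642-1c959a1f8de0","rsname":"JdoeResource"}]'
)
PERMISSIONS_ERR = json.loads(
    '{"error":"invalid_resource","error_description":"Resource with id [JdoeResource] does not exist."}'
)

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def uma_permission_form(audience, resource, scope=None):
    """Form body for Keycloak's token endpoint asking for a permission decision.

    `resource` is a resource id or name ("" means every resource the caller can
    access); `scope` is optional. response_mode=permissions makes Keycloak return
    the granted permissions as JSON instead of an RPT. `audience` is the client id
    of the resource server (placeholder in the test below)."""
    permission = f"{resource}#{scope}" if scope else resource
    return urlencode({
        "grant_type": UMA_TICKET_GRANT,
        "audience": audience,
        "permission": permission,
        "response_mode": "permissions",
    })


def granted_scopes(response, resource):
    """Scopes granted on `resource` in a decoded permissions response.

    The resource is matched by rsid first and by rsname second. An error object
    (e.g. invalid_resource) yields an empty set, so a failed lookup is treated as
    "no permission" rather than crashing the caller."""
    if isinstance(response, dict):  # {"error": ..., "error_description": ...}
        return set()
    by_id = {p["rsid"]: set(p["scopes"]) for p in response}
    if resource in by_id:
        return by_id[resource]
    by_name = {p["rsname"]: set(p["scopes"]) for p in response}
    return by_name.get(resource, set())


def has_scope(response, resource, scope):
    """True if the permissions response grants `scope` on `resource`."""
    return scope in granted_scopes(response, resource)
```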

