[keycloak-user] Evaluation of RPT in admin console does not match Rest request result...

Axel axelmak at gmail.com
Fri Aug 30 08:27:05 EDT 2019


Hello.
Keycloak 6.0.1 and 7
Can anyone help me with understanding how an RPT is evaluated?
Scenario:
2 Realm Roles - RoleA and RoleB
1 user with both realm roles
2 clients:
clientA public (or confidential) with Scope=RoleA
clientB confidential and Authorization-Enabled with Scope=RoleA,RoleB

When I go to clientB -> Authorization -> Evaluate,
set Client = clientA,
set User = user,
choose Any resource with scope(s) Any scope,
and see:
{
  "jti": "7692f97f-3907-4e1b-a784-663c52f33bc7",
  "exp": 1567062109,
  "nbf": 0,
  "iat": 1567061809,
  "aud": "clientB",
  "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
  "typ": "Bearer",
  "azp": "clientA",
  "auth_time": 0,
  "session_state": "ff2e581c-0663-4b8c-9332-629b02c02729",
  "acr": "1",
  "realm_access": {
    "roles": [
      "RoleA"
    ]
  },
  "authorization": {
    "permissions": [
      {
        "rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139",
        "rsname": "Default Resource"
      }
    ]
  },
  "scope": "email profile",
  "email_verified": false,
  "preferred_username": "user"
}
Here I see that I have only RoleA (that is correct, since I'm going through
clientA).

But when I make requests:
curl -d 'client_id=clientA' -d 'username=user' -d 'password=1' \
  -d 'grant_type=password' \
  'http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token'
grab the access token and
curl -X POST \
  http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token \
  -H "Authorization: Bearer access-token-from-first-curl" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=clientB"

I get a different JWT:
{
  "jti": "f956218e-abcf-4017-a6b2-d9c3c82692a2",
  "exp": 1567062641,
  "nbf": 0,
  "iat": 1567062341,
  "iss": "http://localhost:8280/auth/realms/TestRPT",
  "aud": "clientB",
  "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
  "typ": "Bearer",
  "azp": "clientA",
  "auth_time": 0,
  "session_state": "4d556dd0-4d27-4028-ac1d-54afd2e1f20e",
  "acr": "1",
  "realm_access": {
    "roles": [
      "RoleB",
      "RoleA"
    ]
  },
  "authorization": {
    "permissions": [
      {
        "rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139",
        "rsname": "Default Resource"
      }
    ]
  },
  "scope": "email profile",
  "email_verified": false,
  "preferred_username": "user"
}

Why is "RoleB" in the RPT? Do I understand the documentation wrong? Is the RPT
request wrong?

Our main target is: when a user goes through clientA to clientB, clientB
should receive only those roles that the user has in clientA. We have many
application clients and we want to limit some of them. How can we achieve
this?

Thanks in advance.
Alexey Makarevich.
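One way to check, after the fact, whether an RPT carries realm roles beyond what the requesting client (the `azp` claim) is allowed to see, as an added example that is not part of the post or of Keycloak itself. The client-to-roles map, the helper names and the unsigned sample tokens are assumptions constructed from the claims shown above; the decoder skips signature verification, so it is for inspecting tokens already obtained from the token endpoint.

```python
import base64
import json

# Assumed scope mapping, mirroring the post: clientA may only carry RoleA,
# clientB may carry RoleA and RoleB.
CLIENT_ROLE_SCOPE = {"clientA": {"RoleA"}, "clientB": {"RoleA", "RoleB"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none JWT so the check can run offline on constructed claims."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    """Decode the payload segment of a JWT (no signature verification, inspection only)."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(part))


def unexpected_roles(token: str, scope=CLIENT_ROLE_SCOPE) -> set:
    """Return realm roles in the token that the azp client's scope does not allow."""
    claims = decode_payload(token)
    azp = claims.get("azp")
    roles = set(claims.get("realm_access", {}).get("roles", []))
    return roles - scope.get(azp, set())


# Constructed samples: the relevant claims from the admin-console evaluation
# and from the RPT returned by the UMA-ticket grant in the post.
CONSOLE_EVAL_RPT = make_unsigned_jwt({
    "aud": "clientB", "azp": "clientA",
    "realm_access": {"roles": ["RoleA"]},
})
TOKEN_ENDPOINT_RPT = make_unsigned_jwt({
    "aud": "clientB", "azp": "clientA",
    "realm_access": {"roles": ["RoleB", "RoleA"]},
})

if __name__ == "__main__":
    for name, tok in [("console", CONSOLE_EVAL_RPT), ("endpoint", TOKEN_ENDPOINT_RPT)]:
        print(name, "roles outside clientA scope:", sorted(unexpected_roles(tok)))
```

Running it flags RoleB for the token-endpoint RPT and nothing for the console evaluation, which is exactly the mismatch described above.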

