[keycloak-user] Can't request resource permissions by resource name by service account client and not user

Or Harary or at myobligo.com
Sun Jan 6 08:12:39 EST 2019


Can anyone please help? Here is another example:

I have 2 clients, "ClientA" and "ClientB". Both of them are confidential
resource servers.
"ClientA" has "ResourceA", which is owned by "ClientA", and it has a
permission to grant access to everyone (script: $evaluation.grant()).

I'm getting a bearer token for "ClientB" using client_credentials, and then
I'm trying to check if "ClientB" has permissions to access "ResourceA" in
"ClientA" like this:

curl -X POST \
  http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/token \
  -H "Authorization: Bearer {access_token}" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=ClientA&permission=ResourceA&response_mode=permissions"

This gives me a resource not found error.

But if I search by the ID of the resource in the "permission" param, like
this: "permission={RESOURCE_UUID}", it does work.

Shouldn't it be possible to check by the name, if the check by ID works?


On Thu, Jan 3, 2019 at 6:24 PM Or Harary <or at myobligo.com> wrote:

> Hey,
>
> I'm using version 4.8.1 and I'm trying to check resource permissions on
> another client with the token endpoint, by the resource name, with a
> client's access token, and I'm getting "Resource with id [{resourceId}]
> does not exist".
>
> I have a service account client "foobarservice". I want this service
> account client to check its permissions on a "foobaresource" resource from
> another client "otherservice".
>
> myrealm
> -- "foobarservice" Service Account Client
> -- -- foobar resource (with always grant policy and permission)
> -- "otherservice" Service Account Client
>
> I did "client_credentials" login with the "foobarservice" and got an
> access_token. With that token, I tried:
>
> curl -X POST \
>   http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/token \
>   -H "Authorization: Bearer {foobarservice_access_token}" \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=otherservice&permission=foobaresource&response_mode=permissions"
>
> And got 400 bad request with the not found error.
>
> When I'm doing the same request with some user's token, it works well.
>
> I looked into the code (my knowledge of Java is very basic) and it seems
> to be because of this:
>
> https://github.com/keycloak/keycloak/blob/f4f68438870768ac6cc18012cfae278f9ac1e163/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L421
>
> Is this the expected behavior, or a bug? Because when I used version 3.4
> it did work.
>
> Thanks,
> Or
>
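The two-step exchange described in this thread (a client_credentials login, then a uma-ticket request with response_mode=permissions), as an added example that is not part of the original post or of Keycloak's own code. The HTTP transport is an injectable `post` callable so the name-first, UUID-fallback logic can be exercised offline; the endpoint URL, client names and resource name are the post's values, while the client secret and the fallback resource UUID are assumptions the caller supplies.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint and grant type exactly as in the post (host and realm are the post's values).
TOKEN_URL = "http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/token"
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def http_post(url, form, bearer=None):
    """Default transport: POST a form, return (status, JSON body); 4xx is returned, not raised."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if bearer:
        headers["Authorization"] = "Bearer " + bearer
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def client_credentials_token(client_id, client_secret, post=http_post):
    """Step 1 of the post: log in as the service account (e.g. ClientB); secret is assumed."""
    status, body = post(TOKEN_URL, {"grant_type": "client_credentials",
                                    "client_id": client_id, "client_secret": client_secret})
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body}")
    return body["access_token"]

def request_permissions(access_token, audience, permission, post=http_post):
    """Step 2 of the post: ask what the bearer may do on one resource of the server
    named by `audience`; `permission` is a resource name or a resource UUID."""
    return post(TOKEN_URL, {"grant_type": UMA_GRANT, "audience": audience,
                            "permission": permission, "response_mode": "permissions"},
                bearer=access_token)

def _is_not_found(body):
    return any(s in json.dumps(body).lower() for s in ("does not exist", "not found"))

def check_resource(access_token, audience, resource_name, resource_id=None, post=http_post):
    """Try by name first (works with a user token); on the 'resource not found' reply the
    post reports for service-account tokens, retry with the UUID when the caller has it."""
    status, body = request_permissions(access_token, audience, resource_name, post)
    if status == 200:
        return "by-name", body
    if status == 400 and resource_id and _is_not_found(body):
        status, body = request_permissions(access_token, audience, resource_id, post)
        if status == 200:
            return "by-id", body
    raise PermissionError(f"{status}: {body}")
```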
