Keycloak: KEYCLOAK-19152

UMA: permission ticket request fails


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 15.0.2
    • Fix Version/s: None
    • Component/s: Authorization Services

    Description

      I created a confidential OIDC client test-uma-rs for a resource server with "Authorization Enabled".

      Now, following https://www.keycloak.org/docs/latest/authorization_services/#_service_protection_whatis_obtain_pat, I obtain a PAT via the client credentials grant (using the client's id and secret); it carries the following claims:

      {
        "exp": 1630421103,
        "iat": 1630420803,
        "jti": "34e200db-14c3-4cd1-a581-1239694e8d6c",
        "iss": "http://localhost:8084/auth/realms/demo",
        "aud": "account",
        "sub": "176335b9-8c06-4f9f-a992-9ec2a5c8c73a",
        "typ": "Bearer",
        "azp": "test-uma-rs",
        "acr": "1",
        "allowed-origins": [
          "https://localhost:9443"
        ],
        "realm_access": {
          "roles": [
            "offline_access",
            "uma_authorization",
            "default-roles-demo"
          ]
        },
        "resource_access": {
          "test-uma-rs": {
            "roles": [
              "uma_protection"
            ]
          },
          "account": {
            "roles": [
              "manage-account",
              "manage-account-links",
              "view-profile"
            ]
          }
        },
        "scope": "profile email",
        "email_verified": false,
        "clientId": "test-uma-rs",
        "clientHost": "172.24.0.1",
        "preferred_username": "service-account-test-uma-rs",
        "clientAddress": "172.24.0.1"
      }
      

      I can register a resource using this PAT:

      curl -H "Authorization: Bearer ..." -H "Content-Type: application/json" -d '{"name": "A name", "uri": "https://localhost:9443/a-name", "resource_scopes": ["read", "write"]}' http://localhost:8084/auth/realms/demo/authz/protection/resource_set
      
      {"name":"A name","owner":{"id":"1f8e6d79-bf85-47ca-8a66-ac95e7b22467","name":"test-uma-rs"},"ownerManagedAccess":false,"_id":"ab668570-469d-4ae1-b5dd-6e3039d90a38","uris":["https://localhost:9443/a-name"],"resource_scopes":[{"id":"3c724fcf-702a-419c-97af-234040106458","name":"read"},{"id":"e8f35c8d-6b8f-4ea4-b1c1-79909a0bc1b3","name":"write"}],"scopes":[{"id":"3c724fcf-702a-419c-97af-234040106458","name":"read"},{"id":"e8f35c8d-6b8f-4ea4-b1c1-79909a0bc1b3","name":"write"}]}
      

      However, if, following https://www.keycloak.org/docs/latest/authorization_services/#creating-permission-ticket, I try to request a permission ticket for the registered resource using the same PAT (which is not expired),

      curl -H "Authorization: Bearer ..." -H "Content-Type: application/json" -d '{"resource_id": "ab668570-469d-4ae1-b5dd-6e3039d90a38", "resource_scopes": ["read", "write"]}' http://localhost:8084/auth/realms/demo/authz/protection/permission
      

      the request fails with

      {"error":"invalid_bearer_token","error_description":"Could not obtain bearer access_token from request."}
      
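      The flow the report walks through, written out as an added example (not code from the Keycloak project or from the reporter): obtain a PAT with the client credentials grant, sanity-check its claims, register a resource, then request a permission ticket, with each step's Keycloak error code surfaced. The base URL, realm, client name, endpoint paths and resource id are the report's; the client secret, the unsigned stand-in token and the replayed responses are constructed placeholders so the script runs offline, and `http_transport` is what you pass instead to talk to a real server. The permission request body is sent as a JSON array, the form the linked documentation shows.

```python
# Added example, not code from the Keycloak project or from the reporter: walks the
# protection API flow in the report through a pluggable transport. Secret, replayed
# responses, response statuses and the unsigned demo token are constructed placeholders.
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL, REALM, CLIENT_ID = "http://localhost:8084/auth", "demo", "test-uma-rs"
ISSUER = f"{BASE_URL}/realms/{REALM}"

def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying its signature (diagnostics only)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_pat(payload, now=None):
    """Reasons a token cannot serve as a PAT for CLIENT_ID (empty list if it can)."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    if payload.get("azp") != CLIENT_ID:
        problems.append("azp is not the resource-server client")
    roles = payload.get("resource_access", {}).get(CLIENT_ID, {}).get("roles", [])
    if "uma_protection" not in roles:
        problems.append("missing uma_protection client role")
    return problems

def http_transport(url, headers, body):
    # Real transport: POST and return (status, body text), HTTP error bodies included.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def obtain_pat(transport, client_secret, now=None):
    """Client-credentials grant at the realm token endpoint, then sanity-check the PAT."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": CLIENT_ID, "client_secret": client_secret})
    status, text = transport(f"{ISSUER}/protocol/openid-connect/token",
                             {"Content-Type": "application/x-www-form-urlencoded"}, form.encode())
    if status != 200:
        raise RuntimeError(f"token endpoint: {status} {text}")
    pat = json.loads(text)["access_token"]
    problems = check_pat(jwt_payload(pat), now)
    if problems:
        raise RuntimeError("not a usable PAT: " + "; ".join(problems))
    return pat

def _protection_post(transport, pat, path, payload):
    headers = {"Authorization": f"Bearer {pat}", "Content-Type": "application/json"}
    status, text = transport(f"{ISSUER}/authz/protection/{path}", headers, json.dumps(payload).encode())
    data = json.loads(text) if text else {}
    if status >= 400 or "error" in data:  # surface Keycloak's error code, e.g. invalid_bearer_token
        raise RuntimeError(f"{path}: {data.get('error')}: {data.get('error_description')}")
    return data

def register_resource(transport, pat, name, uri, scopes):
    return _protection_post(transport, pat, "resource_set",
                            {"name": name, "uri": uri, "resource_scopes": scopes})

def request_permission_ticket(transport, pat, resource_id, scopes):
    # The linked documentation sends the permission request as a JSON array.
    return _protection_post(transport, pat, "permission",
                            [{"resource_id": resource_id, "resource_scopes": scopes}])

# Offline replay of the responses the report shows (statuses assumed). The token is an
# unsigned, constructed stand-in carrying only the claims check_pat looks at.
_b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
DEMO_PAT = _b64({"alg": "none"}) + "." + _b64({"iss": ISSUER, "azp": CLIENT_ID, "exp": 1630421103,
           "resource_access": {CLIENT_ID: {"roles": ["uma_protection"]}}}) + "."
REPLAY = {
    "/protocol/openid-connect/token": (200, json.dumps({"access_token": DEMO_PAT})),
    "/authz/protection/resource_set": (201, json.dumps(
        {"_id": "ab668570-469d-4ae1-b5dd-6e3039d90a38", "name": "A name"})),
    "/authz/protection/permission": (403, json.dumps({"error": "invalid_bearer_token",
        "error_description": "Could not obtain bearer access_token from request."})),
}

def replay_transport(url, headers, body):
    return REPLAY[url[len(ISSUER):]]

def demo(transport=replay_transport, now=1630420803):
    """Run the flow; 'now' defaults to the report's iat so the replayed token is unexpired."""
    pat = obtain_pat(transport, "placeholder-secret", now)
    rid = register_resource(transport, pat, "A name", "https://localhost:9443/a-name", ["read", "write"])["_id"]
    try:
        return {"resource_id": rid,
                "ticket": request_permission_ticket(transport, pat, rid, ["read", "write"])["ticket"]}
    except RuntimeError as err:
        return {"resource_id": rid, "ticket": None, "error": str(err)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

      Against a live server, call `demo(http_transport, now=None)` after putting the real client secret in `obtain_pat`; `check_pat` then runs against the wall clock, and a PAT issued to the wrong client or without the `uma_protection` client role is rejected before any protection API call is made, which separates a bad token from the endpoint-side failure the report shows.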

      People

        • Assignee: Unassigned
        • Reporter: Johannes Koch (johakoch)
