
Keycloak: Unable to get RPT using resource name

I'm trying to get an RPT without a permission ticket, using only resource names. While this method works when working with policies, it doesn't seem to work with users sharing their resources through the account page (returns access denied). For some reason, when user A shares a resource with user B, user B can get an RPT for this resource only if he:

a) Requests all his permissions

or

b) Requests specific permissions by id (not name)

Is this intended behaviour? If so, how can I overcome this problem and still use only resource names?

Getting RPT by resource name (doesn't work with sharing):

    curl "$PROTOCOL://$HOST:$PORT/auth/realms/$REALM/protocol/openid-connect/token" \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&permission=$RESOURCE_NAME&audience=$RESOURCE_CLIENT_ID"

Getting RPT by resource id (works with sharing):

    curl "$PROTOCOL://$HOST:$PORT/auth/realms/$REALM/protocol/openid-connect/token" \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&permission=$RESOURCE_ID&audience=$RESOURCE_CLIENT_ID"

Getting RPT for all resources (works with sharing):

    curl "$PROTOCOL://$HOST:$PORT/auth/realms/$REALM/protocol/openid-connect/token" \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=$RESOURCE_CLIENT_ID"

This issue was fixed in version 6.0.
