Keycloak cannot get RPT with Permissions using service account token

Question

I am using Keycloak: 4.8.3.Final

I have the following clients in Keycloak

• UserService

• InventoryService

InventoryService has some resources defined in Keycloak and Authorization enabled.

UserService (as a service-account) has the necessary client-roles assigned in the service-account-roles tab

Whenever someone tries to access the APIs of InventoryService, I do the following:

• Get the access token from the Authorization Header
• get RPT (as mentioned here )
• introspect the RPT if the desired permissions are present or not.

I am getting the following error response when the UserService tries to access the apis of InventoryService

{
  "error": "invalid_resource",
  "error_description": "Resource with id [item] does not exist."
}

Here is the code snippet in java.

I am getting the following error response when the UserService tries to access the apis of InventoryService

AuthorizationResource authResource = authzClient.authorization(at);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(resourceId, scopes);
AuthorizationResponse authResponse = authResource.authorize(request);
String rpt = authResponse.getToken();

When I remove the line request.addPermission(resourceId, scopes); I am able to get an RPT with all the list of Permissions. but if I include it the above error is thrown.

Btw, one more observation is: the above code snippet works fine when the token belongs to a User (not a service account).

Can any let me know what is happening? Is this a bug in Keycloak?

Answer 1

This problem persists in KeyCloak 11.0.2. Service accounts are explicitly excluded in the authorization token service.

However, you can work around this by setting the azp claim to something other than your client_id via a protocol mapper on your client.

.