I am using Keycloak: 4.8.3.Final
I have the following clients in Keycloak
UserService
InventoryService
InventoryService has some resources defined in Keycloak and Authorization enabled.
UserService (as a service-account) has the necessary client-roles assigned in the service-account-roles tab
Whenever someone tries to access the APIs of InventoryService, I do the following:
I am getting the following error response when the UserService tries to access the apis of InventoryService
{
"error": "invalid_resource",
"error_description": "Resource with id [item] does not exist."
}
Here is the code snippet in java.
I am getting the following error response when the UserService tries to access the apis of InventoryService
AuthorizationResource authResource = authzClient.authorization(at);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(resourceId, scopes);
AuthorizationResponse authResponse = authResource.authorize(request);
String rpt = authResponse.getToken();
When I remove the line request.addPermission(resourceId, scopes); I am able to get an RPT with all the list of Permissions. but if I include it the above error is thrown.
Btw, one more observation is: the above code snippet works fine when the token belongs to a User (not a service account).
Can any let me know what is happening? Is this a bug in Keycloak?
This problem persists in KeyCloak 11.0.2. Service accounts are explicitly excluded in the authorization token service.
However, you can work around this by setting the azp
claim to something other than your client_id
via a protocol mapper on your client.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.