Docs: authorization_services/topics/service-authorization-discovery-document.adoc - include grantType Token required for obtaining permissions for user in Documentation #29093
Comments
Hi @shalphaaslam - not sure how the referenced doc can be updated in this case, as it only describes the authz service discovery document. It doesn't have any text mentioning how to use the token endpoint there.
Hi @sguilhen, yes, as you said, the document only mentions the authorization endpoint to use for fetching user permissions. However, there is no mention of the supported access token grant type (standard flow). But the document highlights the need for a client credentials grant type access token for accessing the permission APIs that create, update and delete resources in Keycloak. Should we include the information that an access token of the standard flow grant type is needed for fetching the RPT, for better understanding?
I'm wondering what the bearer token looks like and how you obtained it before executing the We have usages of bearer tokens issued to public clients (authorization grant type) or to confidential clients (using resource owner or client credentials grant).
@shalphaaslam are you able to use the access token from the password grant to invoke other endpoints? Or does it fail only for the token endpoint? Also, are you by any chance using an external IDP to authenticate?
Thanks for reporting this issue, but there is insufficient information or lack of steps to reproduce. Please provide additional details, otherwise this issue will be automatically closed within 14 days.
@sguilhen, I don't use an external IDP to authenticate. The access token from the password grant works for invoking other endpoints but fails when I try to fetch the RPT for the user. I tried using the authorization endpoints with the access token from the password grant, but it failed. When I pass the access token from the authorization code flow, it worked.
@shalphaaslam Using the password grant should work too. If you can provide a reproducer, it should help to understand what is going on. In theory, using the password grant or the code flow has no real difference, as both flows are authenticating an end-user/resource owner.
To reproduce, I want to fetch the RPT with the command below. First, I passed the access token fetched using the password grant type like below; secondly, I passed the access token fetched using the auth code grant type like:
Update: I also noticed an invalid signature in the token fetched using the authorization code flow grant type, despite proper configuration in Keycloak, when decoding the access token in jwt.io. I use Postman to fetch the token using the authorization code flow grant type, or make two curl commands: one to fetch the auth code first and another to fetch the access token using the auth code received from the previous command. I also use curl to fetch the access token for the password grant type, whose signature is valid when decoded, but it fails the RPT request made to Keycloak.
To help reproduce the issue: here you can find my entire Keycloak setup, JS policy and realm configuration JSON file
Before reporting an issue
Area
authorization-services
Describe the bug
File: authorization_services/topics/service-authorization-discovery-document.adoc
Version
24.0.3
Regression
Expected behavior
Obtaining permissions for a user should work if I pass an access token fetched with grant type password:
```bash
curl -X POST \
  "http://${host}:${port}/realms/${realm}/protocol/openid-connect/token" \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=${resource_server_client_id}" \
  --data-urlencode "permission=Resource A#Scope A" \
  --data-urlencode "permission=Resource B#Scope B"
```
Actual behavior
It fails with:

```json
{ "error": "invalid_grant", "error_description": "Invalid bearer token" }
```

and Keycloak logs a permission_token_error event like the one below:

```
[org.keycloak.events] (executor-thread-11) type="PERMISSION_TOKEN_ERROR", realmId="3b897f33-1700-4ee8-9de8-2ae13f92d89c", clientId="account", userId="null", ipAddress="172.26.0.1", error="invalid_token", auth_method="oauth_credentials", grant_type="urn:ietf:params:oauth:grant-type:uma-ticket"
```

However, it worked if I pass an access_token generated by the standard_flow authentication grant type.
How to Reproduce?
Anything else?
No response
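The thread above stops at "Invalid bearer token" without showing what the rejected token looks like. The script below is an added triage example, not code from the issue or from Keycloak: it decodes a compact JWS without verifying the signature and reports the token-level reasons Keycloak rejects a bearer token at the UMA grant (issuer not equal to the realm URL the request is sent to, a token that is not an access token, expiry, an unsigned token), and it builds the `uma-ticket` form body with one `permission` field per `Resource#scope`. The realm name `demo`, the host names and the client names are assumptions; `make_demo_token` produces constructed test data with a dummy signature, so `check_bearer_token` deliberately does not verify the signature (that needs the realm's JWKS and is a separate step).

```python
"""Triage helper for Keycloak 'invalid_grant / Invalid bearer token' on the UMA grant.

Added example; not code from the issue or from the Keycloak project.
"""
from __future__ import annotations

import base64
import json
import time
from typing import Any, Optional
from urllib.parse import urlencode

TOKEN_PATH = "/protocol/openid-connect/token"
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str) -> tuple[dict, dict]:
    """Split a compact JWS into (header, claims). No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_bearer_token(token: str, token_endpoint: str, now: Optional[float] = None) -> list[str]:
    """Return the reasons a Keycloak access token would be rejected at token_endpoint.

    Keycloak compares the token's 'iss' with the realm URL of the request it
    receives, so a token minted via one host name (e.g. a container name) is
    rejected when presented via another (e.g. localhost). An ID token
    (typ "ID") or refresh token (typ "Refresh") is not accepted as a bearer
    token; Keycloak access tokens carry typ "Bearer".
    """
    if not token_endpoint.endswith(TOKEN_PATH):
        raise ValueError("token_endpoint must end with " + TOKEN_PATH)
    expected_iss = token_endpoint[: -len(TOKEN_PATH)]
    current = time.time() if now is None else now

    header, claims = decode_jwt(token)
    problems: list[str] = []
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}, request realm={expected_iss!r}")
    if claims.get("typ") != "Bearer":
        problems.append(f"not an access token: typ={claims.get('typ')!r}")
    exp = claims.get("exp")
    if exp is None or exp <= current:
        problems.append("token is expired or has no exp claim")
    if header.get("alg") == "none":
        problems.append("unsigned token (alg=none)")
    return problems


def rpt_request_form(audience: str, permissions: list[str]) -> str:
    """URL-encoded body for the UMA grant; 'permission' repeats once per entry."""
    pairs = [("grant_type", UMA_GRANT), ("audience", audience)]
    pairs += [("permission", p) for p in permissions]
    return urlencode(pairs)


def make_demo_token(claims: dict[str, Any]) -> str:
    """Constructed test data: JWS-shaped token with a dummy (invalid) signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-key"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


if __name__ == "__main__":
    endpoint = "http://localhost:8080/realms/demo" + TOKEN_PATH
    # Constructed: password-grant token minted through the container host name,
    # then presented to the same realm via localhost.
    token = make_demo_token({
        "iss": "http://keycloak:8080/realms/demo", "typ": "Bearer",
        "exp": time.time() + 300, "azp": "my-public-client",
    })
    for problem in check_bearer_token(token, endpoint):
        print(" -", problem)
    print(rpt_request_form("my-resource-server", ["Resource A#Scope A", "Resource B#Scope B"]))
```

Run `check_bearer_token` on both the password-grant token and the authorization-code token with the exact token endpoint URL used in the RPT request; if the two tokens differ only in `iss`, the host name used to obtain the token is the thing to align, not the grant type.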