NikiforovAll/keycloak-authorization-services-dotnet

Role-Based Permission Causes UMA-Ticket Grant to Fail

Closed this issue · 2 comments

Even with the default JS policy, when I add a resource and link it to a Role-based permission I can no longer make use of the KeycloakProtectionClient. I have tried to debug and the decision comes back as false every time. Additionally, I changed the code to have "response_mode" of type "permissions" so that I can see the result, and it returns: `{"error":"access_denied","error_description":"not_authorized"}`. I can call the Admin API and get my resources/scopes just fine, but that is a hack that will not scale.

Archive.zip

I feel like there is an appropriate way to stack permissions such that, when the call is made to get a list of resources for the client in VerifyAccessToResource, it will return everything the client can do when response_type permissions is provided, and it will properly validate when response_type decision is provided, but I can't seem to get anywhere.

Thanks ahead of any advice / help. The Scopes, Resources, Policies, Permissions, and Roles are attached.

Corey
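The issue above hinges on what the Keycloak token endpoint sends back for a UMA-ticket grant in each response mode: a boolean under `result` for `response_mode=decision`, a list of granted resources and scopes for `response_mode=permissions`, and the `access_denied` / `not_authorized` error body when a policy (here the Role-based permission) denies the request. The following Python is an added example, not code from the issue or from the keycloak-authorization-services-dotnet project; it builds the form body for the grant request and interprets the three response shapes so a caller can see whether a denial came from policy evaluation rather than from a malformed request. The response bodies are constructed samples; the resource name `orders`, the scopes and the audience `my-api` are assumptions.

```python
import json
from urllib.parse import urlencode

# Grant type used by Keycloak Authorization Services for RPT / permission requests.
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
VALID_RESPONSE_MODES = (None, "decision", "permissions")


def build_uma_request(audience, permissions, response_mode=None):
    """Build the x-www-form-urlencoded body for a UMA-ticket grant request.

    permissions: iterable of (resource, scope) pairs; scope may be None to ask
    for every scope of the resource.  response_mode None asks for an RPT,
    "decision" for a boolean, "permissions" for the list of granted permissions.
    """
    if response_mode not in VALID_RESPONSE_MODES:
        raise ValueError(f"unsupported response_mode: {response_mode!r}")
    fields = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    for resource, scope in permissions:
        # Keycloak expects "resource#scope" (the '#' is percent-encoded on the wire).
        fields.append(("permission", f"{resource}#{scope}" if scope else resource))
    if response_mode:
        fields.append(("response_mode", response_mode))
    return urlencode(fields)


def interpret_response(status, body, response_mode):
    """Return (granted, details) for a token-endpoint reply to a UMA-ticket grant.

    A policy denial arrives as HTTP 403 with an "error" object; that is the
    "access_denied" / "not_authorized" body quoted in the issue, and it must be
    treated as a definite deny rather than as a transport failure.
    """
    data = json.loads(body)
    if status >= 400 or (isinstance(data, dict) and "error" in data):
        return False, {
            "error": data.get("error"),
            "description": data.get("error_description"),
        }
    if response_mode == "decision":
        return bool(data.get("result")), data
    if response_mode == "permissions":
        # Each entry carries rsname and the scopes the policies granted on it.
        granted = {p["rsname"]: set(p.get("scopes", [])) for p in data}
        return bool(granted), granted
    # Default mode: an RPT is issued; the permissions live inside its claims.
    return "access_token" in data, data


def has_scope(granted, resource, scope):
    """Check a permissions-mode result for one resource/scope pair (deny by default)."""
    return scope in granted.get(resource, set())


# Constructed sample replies (not captured from a real Keycloak server).
DENIED_BODY = '{"error":"access_denied","error_description":"not_authorized"}'
DECISION_BODY = '{"result":true}'
PERMISSIONS_BODY = (
    '[{"rsid":"11111111-2222-3333-4444-555555555555","rsname":"orders",'
    '"scopes":["read","write"]}]'
)

if __name__ == "__main__":
    print(build_uma_request("my-api", [("orders", "read")], "permissions"))
    print(interpret_response(403, DENIED_BODY, "permissions"))
    print(interpret_response(200, DECISION_BODY, "decision"))
    granted = interpret_response(200, PERMISSIONS_BODY, "permissions")[1]
    print(has_scope(granted, "orders", "read"), has_scope(granted, "orders", "delete"))
```

When debugging a setup like the one in the issue, the useful signal is the distinction the example draws: a `403` with `not_authorized` means every policy attached to the permission was evaluated and at least one denied (for a Role-based permission, usually because the caller's token does not carry the expected realm or client role), whereas a `400` with `invalid_resource` or similar means the request itself named something the resource server does not know.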

Disclaimer: I am not associated with the project in any way.

I recently hit this issue when trying to use the library for a combination of API + UI purposes.

In my case, I was manually adding the protection client to the service collection on startup, but had not added the follow-up call to .AddHeaderPropagation().

You may want to check to ensure your headers contain the appropriate tokens from the client and / or that the http context is impersonating the current user as expected.

Closing as outdated