The Keycloak docs on OpenID Connect state that
The access token is digitally signed by the realm and contains access information (like user role mappings) that the application can use to determine what resources the user is allowed to access on the application.
Is it possible to determine from the access token returned by Keycloak after authentication what resources a user is allowed to access? Following the Keycloak quickstart's instructions on Obtaining an OAuth2 Access Token, I get the following JWT (with irrelevant fields omitted):
{
  "aud": "app-authz-springboot",
  "sub": "9c6c4a66-bb14-420f-a8af-3b2771266b38",
  "typ": "Bearer",
  "azp": "app-authz-springboot",
  "realm_access": {
    "roles": [
      "user"
    ]
  },
  "resource_access": {},
  "preferred_username": "alice"
}
There's an empty field, resource_access.
Is there any way to fill it with the resources a user has access to? What's the specification of this field? I couldn't find it in the JWT RFC or the OpenID Connect spec.
I attempted another way that worked:
1. Obtaining the access token using the password credentials flow
2. Exchanging the obtained token for an RPT with a slight modification, adding the response_mode argument:
curl -v -X POST \
  http://localhost:8180/auth/realms/spring-boot-quickstart/protocol/openid-connect/token \
  -H "Authorization: Bearer $access_token" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=app-authz-rest-springboot" \
  --data "permission=Default Resource" \
  --data "response_mode=decision"
However, this solution requires dispatching 2 requests to Keycloak to determine if a user is allowed access to a specific resource.
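As an added example (not code from the question's author or from Keycloak), the following shows how an application can read the authorization-relevant claims out of a token like the one above without a second round trip: it decodes the JWS payload, collects the realm roles from realm_access and the per-client roles from resource_access (Keycloak keys that map by client id, each entry carrying its own "roles" list), and then checks audience, expiry and the required role. The sample token, the client role "reader" and the exp value are constructed for the demonstration; the signature segment is a placeholder. The code deliberately stops short of signature verification: before any of these claims are trusted, the token must be verified against the realm's public keys (its JWKS endpoint), which the example assumes has already happened.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    pad = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + pad)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWS segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS. This does NOT verify the signature;
    only call it after the token has been verified against the realm's JWKS,
    otherwise treat the result as attacker-controlled input."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def extract_roles(claims: dict) -> dict:
    """Collect roles from the Keycloak-specific claims.

    realm_access    -> {"roles": [...]}
    resource_access -> {"<client-id>": {"roles": [...]}, ...}
    Returns {"realm": set(...), "<client-id>": set(...), ...}.
    """
    roles = {"realm": set(claims.get("realm_access", {}).get("roles", []))}
    for client_id, access in claims.get("resource_access", {}).items():
        roles[client_id] = set(access.get("roles", []))
    return roles


def is_allowed(claims: dict, expected_aud: str, role: str, client_id=None, now=None) -> bool:
    """Decide locally whether the token grants `role` (a realm role when
    client_id is None, otherwise a role of that client), rejecting tokens
    that are expired or not issued for this application's audience."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and now >= exp:
        return False
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # "aud" may be a single string or a list
        aud = [aud]
    if expected_aud not in aud:
        return False
    roles = extract_roles(claims)
    scope = "realm" if client_id is None else client_id
    return role in roles.get(scope, set())


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed token for offline testing. The third segment is a
    placeholder, not a real signature, so it would fail real verification."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed claims modelled on the token in the question, with an added
# client role and an expiry so the checks have something to evaluate.
SAMPLE_CLAIMS = {
    "aud": "app-authz-springboot",
    "sub": "9c6c4a66-bb14-420f-a8af-3b2771266b38",
    "typ": "Bearer",
    "azp": "app-authz-springboot",
    "exp": 1700000000,
    "realm_access": {"roles": ["user"]},
    "resource_access": {"app-authz-springboot": {"roles": ["reader"]}},
    "preferred_username": "alice",
}
NOW_VALID = 1699999000     # before exp
NOW_EXPIRED = 1700000001   # after exp


if __name__ == "__main__":
    claims = decode_payload(make_unsigned_sample_token(SAMPLE_CLAIMS))
    print(extract_roles(claims))
    print(is_allowed(claims, "app-authz-springboot", "reader",
                     client_id="app-authz-springboot", now=NOW_VALID))
```

With the question's original token, resource_access is empty, so extract_roles returns only the realm roles; in that case the RPT exchange with response_mode=decision is the way to obtain a resource-level decision from the server.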