4

I am struggling with it but I can't find a solution. Can anyone help me?

Here is my try. #1 First find the PAT (Protection API Token).

#2 Get the permission ticket list.

#3 Try to get the RPT, but got a "Ticket verification failed" error.

#4 This is the source code for this error, but I am not familiar with the source.

    // Excerpt from Keycloak's AuthorizationTokenService.java (around line 670).
    private PermissionTicketToken verifyPermissionTicket(KeycloakAuthorizationRequest request) {
        String ticketString = request.getTicket();

        // decode() parses the ticket and verifies it against this realm's keys;
        // it returns null when the string is not a valid, correctly signed permission ticket,
        // which is what produces the "Ticket verification failed" response below.
        PermissionTicketToken ticket = request.getKeycloakSession().tokens().decode(ticketString, PermissionTicketToken.class);
        if (ticket == null) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_ticket", "Ticket verification failed", Status.FORBIDDEN);
        }

        return ticket;
    }

It is copied from the source file (AuthorizationTokenService.java) at line 670.

https://www.keycloak.org/docs/latest/authorization_services/#_service_overview

Bench Vue

2 Answers

5

I spent a lot of time trying to get the RPT and I finally found a solution.

So first you have to get a normal token with the grant_type password:


Then you ask for the party token with the access_token you received, this time your grant_type will be "urn:ietf:params:oauth:grant-type:uma-ticket"


NOTE: here the audience property is the client_id

segito10
  • Hello, would it be possible to paste the entire request here? It is very confusing for me and I cannot get it working :( – avimehenwal Aug 22 '22 at 18:37
  • Hi @avimehenwal, what do you mean by the entire request? The screenshots I posted are the requests. – segito10 Aug 26 '22 at 11:03
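The two requests described in this answer, as an added example written for this page (it is not the answer's code and not Keycloak's own client library). It uses only the Python standard library. The token endpoint path, the `audience`/`permission`/`ticket` form fields and the `authorization.permissions` claim layout of the RPT are as documented for Keycloak's authorization services; the realm, client and resource names and the sample RPT are constructed so the decoding part can be run offline. Only `get_rpt` talks to the network and needs a reachable Keycloak.

```python
"""Two-step RPT retrieval against Keycloak.

Step 1: Resource Owner Password grant (grant_type=password) -> access_token.
Step 2: UMA ticket grant (grant_type=urn:ietf:params:oauth:grant-type:uma-ticket),
        authenticated with the step-1 access_token, audience=<client_id> -> RPT.
"""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_endpoint(base_url: str, realm: str) -> str:
    # Keycloak's OIDC token endpoint; older deployments prefix the path with /auth.
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def password_grant_params(client_id, username, password, client_secret=None):
    params = [("grant_type", "password"), ("client_id", client_id),
              ("username", username), ("password", password)]
    if client_secret:  # confidential clients must also send their secret
        params.append(("client_secret", client_secret))
    return params


def uma_ticket_params(audience, permissions=(), ticket=None):
    """Form fields for the UMA grant. 'audience' is the client_id of the resource
    server whose resources should appear in the RPT (the NOTE in the answer).
    Optional 'permission' entries ('resource#scope') narrow the request; 'ticket'
    is only sent when a resource server actually handed out a permission ticket."""
    params = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    params += [("permission", p) for p in permissions]
    if ticket:
        params.append(("ticket", ticket))
    return params


def post_form(url, params, bearer=None):
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    req = Request(url, data=urlencode(params).encode(), headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def get_rpt(base_url, realm, client_id, username, password,
            client_secret=None, permissions=()):
    """Runs both steps; the RPT comes back in the 'access_token' field of step 2."""
    url = token_endpoint(base_url, realm)
    step1 = post_form(url, password_grant_params(client_id, username, password, client_secret))
    step2 = post_form(url, uma_ticket_params(client_id, permissions), bearer=step1["access_token"])
    return step2["access_token"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    # Decodes WITHOUT verifying the signature: fine for inspection, never for access decisions.
    return json.loads(_b64url_decode(token.split(".")[1]))


def rpt_permissions(rpt: str):
    """[(resource name, (scopes...)), ...] from the RPT's 'authorization.permissions'
    claim. Claim layout (rsid/rsname/scopes) is the one Keycloak's authorization
    services emit; assumed here, so check it against your Keycloak version."""
    perms = jwt_payload(rpt).get("authorization", {}).get("permissions", [])
    return [(p.get("rsname"), tuple(p.get("scopes", []))) for p in perms]


def _unsigned_jwt(payload: dict) -> str:
    # Builds a sample token with a dummy signature so the decoder can be shown offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.dummy-signature"


# Constructed sample RPT (not a real Keycloak token): one resource, one scope.
SAMPLE_RPT = _unsigned_jwt({
    "aud": "book-api",
    "authorization": {"permissions": [
        {"rsid": "constructed-resource-id", "rsname": "booklist", "scopes": ["read"]},
    ]},
})

if __name__ == "__main__":
    print(urlencode(uma_ticket_params("book-api", ["booklist#read"])))
    print(rpt_permissions(SAMPLE_RPT))
```

`get_rpt("https://keycloak.example", "demo", "book-api", "alice", "secret")` performs the exchange against a real server; the resource server should then validate the RPT's signature and issuer before trusting the permissions listed in it, not just decode it as `rpt_permissions` does.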
1

That's quite an advanced / emerging standard you are looking at. User Managed Access is related to User A granting resource access to other users based on verifiable preconditions.

Is that really what you are trying to do? If you can explain your scenario / requirements, e.g. what components there are, we may be able to suggest a simpler / alternative solution.

Gary Archer
  • I want to make a resource server and authorization server on Keycloak. The resource server provides custom resource HTTP GET/POST methods via REST API calls, for example getting a book list; booklist is one of the resources. I found Keycloak supports the UMA (User Management Access) 2 compliant API. Its token is called a Protection API Token (PAT). This is the documentation: https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html Scenario: set up the resource server -> get permission ticket -> get RPT -> call API -> get resource. – Bench Vue Oct 01 '20 at 01:47
  • I'm wondering if that's the right flow for you though, or if the Keycloak documentation is confusing things? The most standard option is for a client (e.g. a UI) to authenticate + get an access token, send it to the API, then the API verifies the token. See steps 4, 8, 15 and 16 of my [Messages Blog Post](https://authguidance.com/2017/09/26/basicspa-oauthworkflow/). Would that work for you if you could do it in Keycloak? – Gary Archer Oct 01 '20 at 07:49
  • Yep, the Keycloak documentation is confusing, not crystal clear. Your post is an OAuth flow, not a UMA flow. UMA 2 is a ‘party-to-party’ authorization protocol based on the OAuth2 authorization framework. grant_type is "urn:ietf:params:oauth:grant-type:uma-ticket". This is a clean documentation example: https://backstage.forgerock.com/docs/am/6/uma-guide/ – Bench Vue Oct 01 '20 at 10:19
  • Ok cool - so you need the more advanced options then, since you have specific requirements around external party resource access after a user has consented. I've read about UMA but have not implemented it - very few authorization servers support it. My comments were just in case you were heading down a wrong technical path. Good luck - your best options are the Keycloak resources I think. – Gary Archer Oct 01 '20 at 12:32