I am trying to create a resource in Keycloak by following this link. For that we need a PAT, described here.
Here is how I am getting a PAT:
curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'grant_type=client_credentials&client_id=demo&client_secret=a33d75c5-db09-40a9-a8d4-22bc3a50c2a0' \
"http://0.0.0.0:8080/auth/realms/company2/protocol/openid-connect/token"
I got the response:
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ6MkJnYjdoelVPWUY0dUU4YTZuR0FYeUNPNTlMTjZlQWtYT0xKajRPdFJ3In0.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.cyjhR6V4YPhO8zythMbnUJw27grcXDM0U-WK5Pvhkf7z8MYziH19kfrB58dgQBD4VB0Ib1-eMbu0P4moWEE4O4VNWUTRoYTKCCUqLV6whb45vmh8lGomu6dIKSxAYHWaYGHKh5_rCqJkjHSzW6nKC2xOhumXFYnnVHWL9c9JQLixV4o6mEU_dSRCeSbgXfsfXz872EENBgPcjrwvaXUZKf2EX0YBm50O6hUzgM391I66PBueCNGnxRvh1XaSErc9tsDdfJD2AhLijtp7ueQUMuxZ5j44e98wvHVFPy6IPD3ecOBX4ONpVcwxtlu3ioUlhJ528xJr2DuoZ-Zk-VQNIQ","expires_in":3000,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"email profile"}
Creating a resource:
curl -v -X POST \
  http://0.0.0.0:8080/auth/realms/company2/authz/protection/resource_set \
  -H 'Authorization: Bearer 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ6MkJnYjdoelVPWUY0dUU4YTZuR0FYeUNPNTlMTjZlQWtYT0xKajRPdFJ3In0.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.cyjhR6V4YPhO8zythMbnUJw27grcXDM0U-WK5Pvhkf7z8MYziH19kfrB58dgQBD4VB0Ib1-eMbu0P4moWEE4O4VNWUTRoYTKCCUqLV6whb45vmh8lGomu6dIKSxAYHWaYGHKh5_rCqJkjHSzW6nKC2xOhumXFYnnVHWL9c9JQLixV4o6mEU_dSRCeSbgXfsfXz872EENBgPcjrwvaXUZKf2EX0YBm50O6hUzgM391I66PBueCNGnxRvh1XaSErc9tsDdfJD2AhLijtp7ueQUMuxZ5j44e98wvHVFPy6IPD3ecOBX4ONpVcwxtlu3ioUlhJ528xJr2DuoZ-Zk-VQNIQ \
  -H 'Content-Type: application/json' \
  -d '{
    "name":"Tweedl Social Service",
    "type":"http://www.example.com/rsrcs/socialstream/140-compatible",
    "icon_uri":"http://www.example.com/icons/sharesocial.png",
    "resource_scopes":[
      "read-public",
      "post-updates",
      "read-private",
      "http://www.example.com/scopes/all"
    ]
  }'
I got the response:
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 0.0.0.0:8080...
* TCP_NODELAY set
* Connected to 0.0.0.0 (127.0.0.1) port 8080 (#0)
> POST /auth/realms/company2/authz/protection/resource_set HTTP/1.1
> Host: 0.0.0.0:8080
> User-Agent: curl/7.68.0
> Accept: */*
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ6MkJnYjdoelVPWUY0dUU4YTZuR0FYeUNPNTlMTjZlQWtYT0xKajRPdFJ3In0.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.cyjhR6V4YPhO8zythMbnUJw27grcXDM0U-WK5Pvhkf7z8MYziH19kfrB58dgQBD4VB0Ib1-eMbu0P4moWEE4O4VNWUTRoYTKCCUqLV6whb45vmh8lGomu6dIKSxAYHWaYGHKh5_rCqJkjHSzW6nKC2xOhumXFYnnVHWL9c9JQLixV4o6mEU_dSRCeSbgXfsfXz872EENBgPcjrwvaXUZKf2EX0YBm50O6hUzgM391I66PBueCNGnxRvh1XaSErc9tsDdfJD2AhLijtp7ueQUMuxZ5j44e98wvHVFPy6IPD3ecOBX4ONpVcwxtlu3ioUlhJ528xJr2DuoZ-Zk-VQNIQ
> Content-Type: application/json
> Content-Length: 330
>
* upload completely sent off: 330 out of 330 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< Date: Wed, 28 Apr 2021 12:04:45 GMT
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Content-Length: 105
<
* Connection #0 to host 0.0.0.0 left intact
{"error":"invalid_bearer_token","error_description":"Could not obtain bearer access_token from request."}
My client's service account is enabled, and under service account roles I can see the client role uma_protection assigned to my client.
Here are my authorization settings:
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Default Resource",
      "type": "urn:demo:resources:default",
      "ownerManagedAccess": false,
      "attributes": {},
      "_id": "31e26fd7-ae64-4c0e-add1-714231c517ed",
      "uris": [
        "/*"
      ]
    }
  ],
  "policies": [
    {
      "id": "4a6c8560-ac42-4ba6-81b8-101e10a4571a",
      "name": "Default Policy",
      "description": "A policy that grants access only for users within this realm",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {}
    },
    {
      "id": "b00f3907-497b-45e1-8463-0fc11bf2f69c",
      "name": "Default Permission",
      "description": "A permission that applies to the default resource type",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "defaultResourceType": "urn:demo:resources:default",
        "applyPolicies": "[]"
      }
    }
  ],
  "scopes": [],
  "decisionStrategy": "UNANIMOUS"
}
What am I missing here?
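As an added example (not part of the question and not the asker's code), the Python script below reproduces the two curl steps from the post with urllib and, between them, decodes the PAT locally to check the properties Keycloak's protection API expects of it: an unexpired token whose iss equals the realm URL you are calling, whose azp is your own client, and whose resource_access.<client>.roles contains uma_protection (Keycloak's default client-role mapper places client roles there). The realm, client id and secret are placeholders; make_unsigned_jwt only fabricates a sample token for the offline self-check and is not a token Keycloak would issue or accept.

```python
"""Obtain a Keycloak PAT via client_credentials, sanity-check it, and register
a UMA resource through the protection API.

Added example, not code from the original post.  Endpoint paths follow
Keycloak's documented layout for the legacy /auth context path:
  POST {base}/auth/realms/{realm}/protocol/openid-connect/token
  POST {base}/auth/realms/{realm}/authz/protection/resource_set
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying its signature.
    Only for inspecting a token you already hold; never base an
    authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test data only: an alg=none token with an empty signature,
    used so the checks below can be exercised offline."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def inspect_pat(token: str, client_id: str, realm_url: str, now=None) -> list:
    """Return the reasons a token is unlikely to be accepted as a PAT
    (an empty list means the obvious checks pass).  Assumes Keycloak's
    default mappers: issuing client in azp, client roles under
    resource_access.<client_id>.roles."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if claims.get("iss") != realm_url:
        problems.append(f"issuer {claims.get('iss')!r} != realm URL {realm_url!r}")
    if claims.get("azp") != client_id:
        problems.append(f"token issued to {claims.get('azp')!r}, not {client_id!r}")
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    if "uma_protection" not in roles:
        problems.append("client role uma_protection is not in the token")
    return problems


def get_pat(base_url: str, realm: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant, equivalent to the first curl in the post."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def register_resource(base_url: str, realm: str, pat: str, resource: dict) -> dict:
    """Resource registration, equivalent to the second curl in the post."""
    url = f"{base_url}/auth/realms/{realm}/authz/protection/resource_set"
    req = urllib.request.Request(url, data=json.dumps(resource).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {pat}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        # Keycloak answers with a JSON body such as {"error":"invalid_bearer_token",...}; surface it.
        raise RuntimeError(f"HTTP {e.code}: {e.read().decode()}") from e


if __name__ == "__main__":
    # Placeholders; replace with your own realm, client and secret.
    BASE, REALM, CLIENT, SECRET = "http://0.0.0.0:8080", "company2", "demo", "<client-secret>"
    pat = get_pat(BASE, REALM, CLIENT, SECRET)
    issues = inspect_pat(pat, CLIENT, f"{BASE}/auth/realms/{REALM}")
    if issues:
        raise SystemExit("PAT is unlikely to be accepted: " + "; ".join(issues))
    print(register_resource(BASE, REALM, pat, {
        "name": "Tweedl Social Service",
        "resource_scopes": ["read-public", "post-updates"],
    }))
```

Run it against your own Keycloak instance after filling in the placeholders; if inspect_pat reports a problem, fix that first (wrong realm URL, wrong client, or the role not reaching the token), since the protection API will reject the token for the same reason.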