I am trying to implement Keycloak Authorization in an API that essentially handles protected resources. There is a backend for which I created a confidential client in KeyCloak with Authorization enabled. The flow works if the requesting user is admin, otherwise a 403 Forbidden is returned.
Any time a new resource is added to my backend (or an existing one is deleted or modified) also the KeyCloak client is updated via the KeyCloak API. In order to grant or deny access to a certain resource and user my approach is the following (I am a newbie and don't really know what I am doing):
- The user authenticates in the frontend (for which a non confidential client exists in KeyCloak) and obtains a usual OAuth access token (standard auth code flow)
- The user requests a resource from my backend presenting his access token
- The backend requests a RTP token from the KeyCloak endpoint using the access token received from the user and the grant_type urn:ietf:params:oauth:grant-type:uma-ticket
- KeyCloak responds with an access token containing all permissions this specific user has
- The backend checks if the token is valid, decodes it and parses the permissions
Now I thought everything worked as planned, but the issue is that this only works if the requesting user is admin. If I use a non-admin user in step 4 I get a 403 Forbidden:
{ "error": "access_denied", "error_description": "not_authorized" }
Instead if I request the RTP using and access token with the role "admin" it works fine.
Can anybody point out what I am doing wrong?
Thanks!
Just found the problem - posting the solution here as it might help someone.
If not a single permission evaluates positive for this user KeyCloak will return a
403 Forbiddenand not as I expected a token with an empty authorization part or a token without the authorization part. So actually everything was working just fine, I just didn't understand.