Access denied for RPT token after upgrade to version15 when resource is on a different client

Securing applications
1

We have a problem after upgrading our keycloak from version 4 to version 15 when check user permissions to access protected resource in different clients.

Our configuration: a realm with few private clients , each one represent a separate microservice with REST API endpoints. There is also one private client (entrance_client) all user logins go to, as we have to supply client id / secret when obtain user access token:

curl https://{{keycloak url}}/realms//protocol/openid-connect/token
-H “Content-Type: application/x-www-form-urlencoded”
-d “grant_type=password&username=&password=&client_id=<entrance_client>&client_secret={{client secret}}”

To check if user has access to execute a resource on other clients (e.g. client1, client2) we can issue a Permission ticket via :

/authz/protection/permission
-H ‘Authorization: Bearer {{Access Token}}’
–data ’ [{“resource_id”: }]’

With this permission ticket we can request RPT

curl --X POST ‘http://{{keycloak}}/auth/realms//protocol/openid-connect/token’
–header ‘Content-Type: application/x-www-form-urlencoded’
–header 'Authorization: Bearer {{Access Token}}
–data-urlencode ‘grant_type=urn:ietf:params:oauth:grant-type:uma-ticket’
–data-urlencode ‘ticket={{Permission Ticket}}’

Now the problem. In the old version we could receive RPT if the user has access to the resource via some realm role policy. with a current version,this request always return {“error”:“access_denied”,“error_description”:“request_submitted”}

regardless of user access rights…

if issue original user access token from the resource owner (client1 , 2) context by sending client1 id / secret, the same flow works correct and returns RPT in case user can access protected resource on client1.

Also, client Authorize / Evaluate UI still works correctly. If we open client1 client, Evaluate user permissions to request protected resource , specifying client = <entrance_client> , it works fine and returns correct RPT . it uses a different endpoint called /evaluate of course…

is there anything special required, for the users with access token issued by entrance_client client to be able to correctly obtain RPT tokens for the resources in other private clients in the same realm in the version 15?

Perhaps there is any hint we can verify before we contact RedHat SSO support for the same

Thanks in advance

2

The problem is a token used to issue a ticket. In the beta version 4, we could issue a ticket regardless of client (resource owner) using the same entrance_client access token. Now this is only possible if we use client1 access token to issue a ticket, if we verify authorization for the resource from client1. The only difference in ticket would be apd (Authorization party issued a token), so i think some new code was added to look at the apd. It is either not possible at all anymore or perhaps there is some configuration allows to use ticket issued by apd=entrance_client for the resource in other client. i tried to play with audience parameter when obtain RPT token (last step), it did not help either.