INVALID SCOPE managing Resources and Scopes (Authorization Services)

Hello,

Managing resources and scopes, I created a new Resource, a new Scope, a new Policy and a new Permission (following the documentation).
The result in the image:

In my Java project my keycloak.json file looks like:

```json
{
  "realm": "demo",
  "auth-server-url": "http://localhost:8080/auth/",
  "ssl-required": "external",
  "resource": "auth-gateway",
  "credentials": {
    "secret": "caeb9492-6138-42ff-b819-69b25c09b993"
  },
  "use-resource-role-mappings": true,
  "confidential-port": 0,
  "policy-enforcer": {
    "user-managed-access": {},
    "enforcement-mode": "PERMISSIVE",
    "paths": [
      {
        "path": "/rest/{keyspace}/nodes/{label}",
        "methods": [
          {
            "method": "GET",
            "scopes": [
              "urn:auth-gateway:scopes:view"
            ]
          }
        ]
      }
    ]
  }
}
```

With this policy-enforcer my goal would be to associate the created scope “view” with the HTTP method GET.

I think I’m missing some configuration steps. From Postman:

```text
HTTP Status 500 – Internal Server Error

Type: Exception Report
Message: Failed to enforce policy decisions.
Description: The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception:
java.lang.RuntimeException: Failed to enforce policy decisions.
    org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:165)
    org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
    org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:62)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:666)
    org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:688)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
    org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1594)
    org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:748)

Root Cause:
java.lang.RuntimeException: Error creating permission ticket
    org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:91)
    org.keycloak.authorization.client.resource.PermissionResource.create(PermissionResource.java:93)
    org.keycloak.authorization.client.resource.PermissionResource.create(PermissionResource.java:68)
    org.keycloak.adapters.authorization.KeycloakAdapterPolicyEnforcer.getPermissionTicket(KeycloakAdapterPolicyEnforcer.java:199)
    org.keycloak.adapters.authorization.KeycloakAdapterPolicyEnforcer.challenge(KeycloakAdapterPolicyEnforcer.java:102)
    org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:137)
    org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:95)
    org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:156)
    org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
    org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:62)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:666)
    org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:688)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
    org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1594)
    org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:748)

Root Cause:
org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 400 / Bad Request / Response from server: {"error":"invalid_scope","error_description":"Scope [urn:auth-gateway:scopes:view] is invalid"}
    org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
    org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
    org.keycloak.authorization.client.resource.PermissionResource$1.call(PermissionResource.java:87)
    org.keycloak.authorization.client.resource.PermissionResource$1.call(PermissionResource.java:81)
    org.keycloak.authorization.client.resource.PermissionResource.create(PermissionResource.java:91)
    org.keycloak.authorization.client.resource.PermissionResource.create(PermissionResource.java:68)
    org.keycloak.adapters.authorization.KeycloakAdapterPolicyEnforcer.getPermissionTicket(KeycloakAdapterPolicyEnforcer.java:199)
    org.keycloak.adapters.authorization.KeycloakAdapterPolicyEnforcer.challenge(KeycloakAdapterPolicyEnforcer.java:102)
    org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:137)
    org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:95)
    org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:156)
    org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
    org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:62)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:666)
    org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:688)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
    org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1594)
    org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:748)

Note: The full stack trace of the root cause is available in the server logs.

Apache Tomcat/9.0.33
```

Thanks in advance.
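As an added illustration (not code from the post or from Keycloak), a small Python check that lists every scope name a keycloak.json policy-enforcer references and flags the ones not declared among the resource server's scopes. The trace above shows the adapter failing while it asks the server for a permission ticket with exactly those names, which the server answers with 400 invalid_scope; the set of server-side scopes below is constructed from what the post says was created, and in practice it comes from the admin console or the Protection API.

```python
import json

# Constructed keycloak.json fragment mirroring the post: the enforcer
# references the scope by a URN-style name.
KEYCLOAK_JSON = """{
  "resource": "auth-gateway",
  "policy-enforcer": {
    "enforcement-mode": "PERMISSIVE",
    "paths": [
      {"path": "/rest/{keyspace}/nodes/{label}",
       "methods": [{"method": "GET", "scopes": ["urn:auth-gateway:scopes:view"]}]}
    ]
  }
}"""
CONFIG = json.loads(KEYCLOAK_JSON)

# Constructed: the scope names declared on the resource server (admin console,
# Authorization > Scopes). The post says a scope called "view" was created.
RESOURCE_SERVER_SCOPES = {"view"}


def referenced_scopes(adapter_config: dict) -> dict:
    """Map each scope the policy-enforcer references to the (path, method)
    pairs that use it. Scopes may be set per path or per method."""
    refs = {}
    enforcer = adapter_config.get("policy-enforcer", {})
    for path_cfg in enforcer.get("paths", []):
        path = path_cfg.get("path", "<unnamed>")
        for scope in path_cfg.get("scopes", []):
            refs.setdefault(scope, []).append((path, "*"))
        for method in path_cfg.get("methods", []):
            for scope in method.get("scopes", []):
                refs.setdefault(scope, []).append((path, method.get("method", "*")))
    return refs


def unknown_scopes(adapter_config: dict, server_scopes: set) -> dict:
    """Return the references whose scope name is not declared on the resource
    server; these are the names the permission-ticket request is rejected for."""
    return {s: uses for s, uses in referenced_scopes(adapter_config).items()
            if s not in server_scopes}


if __name__ == "__main__":
    for scope, uses in unknown_scopes(CONFIG, RESOURCE_SERVER_SCOPES).items():
        for path, method in uses:
            print(f"{method} {path}: scope '{scope}' is not declared on the resource server")
```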

Hi. I’m having the exact same problem. Whenever I configure any property under keycloak.policy-enforcer-config in application.settings, the app throws a 500 error.

I created a new Spring Boot app with Spring Security and followed the setup of one of the quickstarter guides but I always get the same error.

Any idea what it could be? If required I can provide further info.