Keycloak Authorization Issue with JS and Python

Hi everyone.

I raised an issue with gogole groups for keycloak users, but seems like this forum is more active, so I’ll post it here as well.

I’m implementing Keycloak v21, and I have two clients that need to be protected via authentication and authorization (sort of). The clients are my web app and api.

Our requirements dictate that we use Keycloak for authentication flow, and retrieve the permissions/scopes from:

  • https://localhost:8443/realms/<realm_name>/protocol/openid-connect/token
  • grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&client_id=<webapp/api client>

Where we would use the scopes to restrict access to our resources in the application level to reduce the number of calls required to authorize access.

tldr. I need two api calls to keycloak service, authentication request, and permissions request from access token.

For the webapp, I am using keycloak.js (21.0.2) for authentication and keycloak-auth.js (4.8.3) for permissions retrieval.


  1. It might be my lack of understanding, but when I:
let initOptions = {
        url: <keycloak_url>, 
        realm: <realm_name>, 
        clientId: <client_name>,
        clientSecret: <client_secret>,
        checkLoginIframe: false,
        flow: "implicit",
        scope: "openid",
        onLoad: 'login-required'

      const keycloak = new Keycloak(initOptions);
      keycloak.init({ onLoad: initOptions.onLoad, checkLoginIframe: initOptions.checkLoginIframe, flow: initOptions.flow, scope: initOptions.scope })
        .then((auth) => {
          if (auth) {
            // ----------------------
            // authorization
            const authorization = new KeycloakAuthorization(keycloak)
            authorization.entitlement(<client_name>).then( function (rpt) {
            // ----------------------
            console.log("user is authenticated")
          } else {
            console.log("user is not authenticated")
        .catch(err => {
          console.error('error initializing Keycloak: ', err)

apparently _instance.config.token_endpoint is missing, which is odd since if I console.log(authorization) object, i can see the config.token_endpoint.

  1. For testing, I set the config.token_endpoint in keycloak_authz.js to the appropriate url, but I run into another issue:
    {error: "server_error", error_description: "Unexpected error while evaluating permissions"}
    I’m assuming it’s due to one of two things:
  • Bad implementation of authorization entitlement on my part, but
    there is not much documentation on this I can find,
  • Implicit flow doesn’t allow the retrieval of RPT Token or some of my authentication
    configurations are incorrect for this use-case.
  1. I’m having a similar issue with python-keycloak 2.15.3, where keycloak_openid.entitlement keeps returning 404 saying resource id doesn’t exist. I put in all possible options for resource id, but seems like the correct answer is using the client id.
keycloak_openid = KeycloakOpenID(
    token = keycloak_openid.token("<username>", "<password>")
    rpt = keycloak_openid.entitlement(token['access_token'], "<client_id>")

I’d be happy to privately provide the rest of the configurations and realm export if someone
wants to reproduce this error!

Thank you in advance!

I can confirm authentication of both JS and python works, its just authorization is what I am having issues with.