"Ticket verification failed" when trying to get RPT

Hi everyone,

I have a SpringBoot Rest API that I am trying to protect with Keycloak Authorization Services using UMA. I am trying to get access to a resource whose owner is my client (my resource server). User Managed Access is enabled on this resource, as well as for the realm and for my resource server. I send the requests using curl according to the flow described below, where the requester is a user "jdoe" who complies with the policy I associated with the permission for this resource:

  1. I created a permission ticket:

curl -X POST \
  http://localhost:8180/auth/realms/springboot-uma/authz/protection/permission/ticket \
  -H 'Authorization: Bearer '$pat \
  -H 'Content-Type: application/json' \
  -d '{
    "resource": "3816b434-f5b4-41de-b372-ce502fd85e81",
    "requester": "bad66fae-9ff4-4999-b87f-85b61d7f9362",
    "granted": true,
    "scopeName": "profile:view" }'

  2. I get a PAT:

export pat=$(curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=client_credentials&client_id=umaresourceserver&client_secret=secret' \
  "http://{host}:${port}/auth/realms/springboot-uma/protocol/openid-connect/token" |
  jq --raw-output '.access_token')

  3. I get the permission ticket:

export permission_ticket=$(curl "http://{host}:${port}/auth/realms/springboot-uma/authz/protection/permission/ticket" \
  -H 'Authorization: Bearer '$pat)

and it looks like this:

{
  "id": "d016b9ee-c6e3-403a-b6b3-edbe7fd08ff4",
  "owner": "71ad9804-cb58-48c1-a3cd-434a57fc78e4",
  "resource": "3816b434-f5b4-41de-b372-ce502fd85e81",
  "scope": "428f01b7-4d7d-4acd-9e33-f0e63959c33b",
  "granted": true,
  "requester": "bad66fae-9ff4-4999-b87f-85b61d7f9362"
}

  4. In the end, I am trying to get an RPT using the permission ticket like this:

export rpt=$(curl -X POST \
  "http://{host}:${port}/auth/realms/springboot-uma/protocol/openid-connect/token" \
  -H "Authorization: Bearer $pat" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data 'ticket={
    "id": "d016b9ee-c6e3-403a-b6b3-edbe7fd08ff4",
    "owner": "71ad9804-cb58-48c1-a3cd-434a57fc78e4",
    "resource": "3816b434-f5b4-41de-b372-ce502fd85e81",
    "scope": "428f01b7-4d7d-4acd-9e33-f0e63959c33b",
    "granted": true,
    "requester": "bad66fae-9ff4-4999-b87f-85b61d7f9362"
  }' \
  --data "issuedFor=umaresourceserver")

But after I send this request I receive the error:

{"error":"invalid_request","error_description":"Ticket verification failed"}

I do not have any idea what to try next or what is wrong or missing. Can anyone spot something wrong and help me with this?

Thank you in advance,
Ioana S.
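As an added illustration of the exchange the post walks through (this is not the poster's code, and not Keycloak code): the three steps of the UMA flow, PAT, permission ticket, RPT, written as small functions over a pluggable HTTP callable, plus a constructed stub standing in for the server so the whole thing runs offline. The stub follows Keycloak's documented Protection API shape as I understand it: `POST .../authz/protection/permission` with a JSON array of `{"resource_id", "resource_scopes"}` returns `{"ticket": "<opaque string>"}`, and the token endpoint takes that string in the `ticket` form parameter under the `uma-ticket` grant, authorised with the requesting party's own access token. The realm, resource id and client id are taken from the post; the token values, signing key and `StubKeycloak` class are placeholders. `run_flow` exposes a `ticket_override` so a reader can see that the stub answers with the same "Ticket verification failed" error from the post whenever the `ticket` parameter is anything other than the string step 2 returned, for example the ticket's JSON representation.

```python
"""Offline walk-through of the UMA permission-ticket -> RPT exchange (constructed example)."""
import base64
import hashlib
import hmac
import json
from typing import Any, Callable, Dict, Iterable

BASE = "http://localhost:8180/auth/realms/springboot-uma"      # realm from the post
TOKEN_URL = f"{BASE}/protocol/openid-connect/token"
PERMISSION_URL = f"{BASE}/authz/protection/permission"         # Protection API permission endpoint
RESOURCE_ID = "3816b434-f5b4-41de-b372-ce502fd85e81"           # resource id from the post
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# (url, headers, body) -> parsed JSON response; swap in a real HTTP client outside this example
Post = Callable[[str, Dict[str, str], Any], Dict[str, Any]]


def get_pat(post: Post, client_id: str, client_secret: str) -> str:
    """Step 1: client_credentials grant for the resource server's PAT."""
    resp = post(TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"},
                {"grant_type": "client_credentials", "client_id": client_id,
                 "client_secret": client_secret})
    return resp["access_token"]


def request_permission_ticket(post: Post, pat: str, resource_id: str, scopes: Iterable[str]) -> str:
    """Step 2: obtain a ticket from the Protection API using the PAT.
    The response carries {"ticket": "<opaque string>"}; that string is what step 3 must send."""
    body = [{"resource_id": resource_id, "resource_scopes": list(scopes)}]
    resp = post(PERMISSION_URL, {"Authorization": f"Bearer {pat}",
                                 "Content-Type": "application/json"}, body)
    return resp["ticket"]


def request_rpt(post: Post, requester_token: str, ticket: str) -> Dict[str, Any]:
    """Step 3: exchange the ticket for an RPT. The bearer token identifies the requesting party
    (the user asking for access), not the resource server."""
    return post(TOKEN_URL, {"Authorization": f"Bearer {requester_token}",
                            "Content-Type": "application/x-www-form-urlencoded"},
                {"grant_type": UMA_TICKET_GRANT, "ticket": ticket})


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class StubKeycloak:
    """Hypothetical stand-in for the server side (not Keycloak code). Tickets are issued as
    HMAC-signed JWTs so the token endpoint has something real to verify."""
    ERROR = {"error": "invalid_request", "error_description": "Ticket verification failed"}

    def __init__(self, secret: bytes = b"stub-signing-key"):   # placeholder key
        self.secret = secret

    def _sign(self, header_payload: str) -> str:
        return _b64url(hmac.new(self.secret, header_payload.encode(), hashlib.sha256).digest())

    def post(self, url: str, headers: Dict[str, str], body: Any) -> Dict[str, Any]:
        if url == TOKEN_URL and body.get("grant_type") == "client_credentials":
            return {"access_token": f"pat-for-{body['client_id']}", "token_type": "Bearer"}
        if url == PERMISSION_URL:
            if not headers.get("Authorization", "").startswith("Bearer pat-for-"):
                return {"error": "invalid_grant"}          # ticket requests need the PAT
            payload = {"aud": "umaresourceserver", "permissions": body}
            hp = _b64url(json.dumps({"alg": "HS256"}).encode()) + "." + _b64url(json.dumps(payload).encode())
            return {"ticket": hp + "." + self._sign(hp)}
        if url == TOKEN_URL and body.get("grant_type") == UMA_TICKET_GRANT:
            parts = body.get("ticket", "").split(".")
            # Anything that is not a correctly signed ticket string (e.g. the ticket's JSON
            # representation) fails verification, mirroring the error quoted in the post.
            if len(parts) != 3 or not hmac.compare_digest(parts[2], self._sign(parts[0] + "." + parts[1])):
                return dict(self.ERROR)
            return {"access_token": "rpt-for-" + headers["Authorization"].split()[-1], "token_type": "Bearer"}
        return {"error": "not_found"}


def run_flow(requester_token: str = "access-token-of-jdoe", ticket_override: str = None) -> Dict[str, Any]:
    """Drive the three steps against the stub. ticket_override replaces the ticket string from
    step 2 so the failure mode can be reproduced deliberately."""
    server = StubKeycloak()
    pat = get_pat(server.post, "umaresourceserver", "secret")
    ticket = request_permission_ticket(server.post, pat, RESOURCE_ID, ["profile:view"])
    return request_rpt(server.post, requester_token, ticket if ticket_override is None else ticket_override)


if __name__ == "__main__":
    print(run_flow())                                                          # RPT issued
    print(run_flow(ticket_override=json.dumps({"resource": RESOURCE_ID})))     # verification fails
```

The point the stub makes is that the token endpoint only has to verify one thing, the signed ticket string it minted in step 2, so any other value in the `ticket` field, a JSON object or an expired or re-signed token, is rejected with the same generic error rather than a hint about what was wrong; when debugging, check that the value you send in step 3 is byte-for-byte the `ticket` field from the step 2 response.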