I tried using the Keycloak Protection API and UMA, trying to add a resource to a client like in the web interface. My problem with the web interface is that I can't find a way to set the owner of a resource to a user. Whenever I try to send a request to http://IP:PORT/auth/realms/REALM_NAME/authz/protection/resource_set with the body
{
"name":"test",
"type":"http://www.someurl.com/api",
"icon_uri":"http://www.someurl.com/etc",
"resource_scopes":[
"read"
]
}
and an access token with the scopes openid, uma_authorization, uma_protection and email (with the roles uma_authorization and uma_protection), the Keycloak server responds with
{
"error": "invalid_scope",
"error_description": "Requires uma_protection scope."
}
I tried everything, from granting the scope to my test user account to mapping it over a role. Does someone maybe know how to add resources with an owner to a client via the API?
You may use this API:
https://{HOST}/auth/realms/master/authz/protection/resource_set
Body (the owner is your user; you should have the user in the DB before creating the resource):
{
  "owner": "ken",
  "name": "ken_new_tp4:resource",
  "ownerManagedAccess": true,
  "resource_scopes": [
    "edit",
    "create",
    "view"
  ]
}
But you should use an auth token that has privileges to access UMA.
You may use an admin token, or make the client confidential (from the UI panel) and log in with client_id and secret.
I use the admin API:
POST https://{HOST}/auth/realms/master/protocol/openid-connect/token
{
client_id:admin-cli
scope:openid email
username:user
password:password
client_secret:{SECRET_OF_CLIENT_ADMIN_CLI}
grant_type:password
audience:security-admin-console
}
Let me know if it solves your problem.
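As an added example (not code from either post above), here is the Keycloak flow the answer describes end to end: obtain a Protection API Token (PAT) with the client_credentials grant of a confidential client that has Authorization Enabled (its service account is what carries the uma_protection role, which a plain user token lacks), then register a resource with an explicit owner. The host, realm, client id and secret are placeholders to replace with your own.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholder values: replace with your own Keycloak host, realm and client.
BASE = "https://KEYCLOAK_HOST/auth/realms/REALM_NAME"
CLIENT_ID = "my-resource-server"            # confidential client with Authorization Enabled
CLIENT_SECRET = "REPLACE_WITH_CLIENT_SECRET"


def pat_request(base=BASE, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Build the client_credentials token request that yields the PAT for the Protection API."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        f"{base}/protocol/openid-connect/token", data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")


def resource_body(name, owner, scopes, resource_type=None, owner_managed=True):
    """JSON body for resource_set; 'owner' is the user (username or id) that owns the resource."""
    body = {"name": name, "owner": owner, "ownerManagedAccess": owner_managed,
            "resource_scopes": list(scopes)}
    if resource_type:
        body["type"] = resource_type
    return body


def register_request(pat, body, base=BASE):
    """Build the POST to the Protection API, authenticated with the PAT rather than a user token."""
    return urllib.request.Request(
        f"{base}/authz/protection/resource_set", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {pat}", "Content-Type": "application/json"},
        method="POST")


def register_resource(name, owner, scopes):
    """Obtain a PAT, then register the resource; returns the created resource (with its "_id")."""
    with urllib.request.urlopen(pat_request()) as resp:
        pat = json.load(resp)["access_token"]
    with urllib.request.urlopen(register_request(pat, resource_body(name, owner, scopes))) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(register_resource("test", "ken", ["read"]))
```

If the server still answers "Requires uma_protection scope", the token was not issued to a client with Authorization Enabled; check the client's settings rather than the user's roles.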