I'm trying to check user permissions from a Keycloak server via the Keycloak AuthzClient, but I'm failing constantly; by now I'm not sure whether I have some misconceptions about the process.
```java
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.AuthorizationRequest;
import org.keycloak.authorization.client.representation.AuthorizationResponse;
import org.keycloak.authorization.client.representation.PermissionRequest;
import org.keycloak.authorization.client.resource.AuthorizationResource;

AuthzClient authzClient = AuthzClient.create(); // reads keycloak.json from the classpath
String eat = authzClient.obtainAccessToken("tim", "test123").getToken(); // entitlement access token for the user
AuthorizationResource resource = authzClient.authorization(eat);
PermissionRequest request = new PermissionRequest();
request.setResourceSetName("testresource");
String ticket = authzClient.protection().permission().forResource(request).getTicket(); // permission ticket from the protection API
AuthorizationResponse authResponse = resource.authorize(new AuthorizationRequest(ticket)); // exchange the ticket for an RPT
System.out.println(authResponse.getRpt());
```
The last call authResponse.getRpt() fails with a 403 Forbidden. But the following settings in the admin console evaluate to Permit?

[screenshot: keycloak evaluation setting]
The client config is:

```json
{
  "realm": "testrealm",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "tv",
  "credentials": {
    "secret": "d0c436f7-ed19-483f-ac84-e3b73b6354f0"
  },
  "use-resource-role-mappings": true
}
```
The following code:

```java
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.EntitlementResponse;
import org.keycloak.authorization.client.representation.Permission;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;

AuthzClient authzClient = AuthzClient.create();
String eat = authzClient.obtainAccessToken("tim", "test123").getToken();
// ask the entitlement endpoint for everything this user is entitled to on resource server "tv"
EntitlementResponse response = authzClient.entitlement(eat).getAll("tv");
String rpt = response.getRpt();
// introspect the RPT to read the permissions it carries
TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
if (requestingPartyToken.getActive()) {
    for (Permission granted : requestingPartyToken.getPermissions()) {
        System.out.println(granted.getResourceSetId() + " " + granted.getResourceSetName() + " " + granted.getScopes());
    }
}
```
just gives me the "Default Resource":

```text
7d0f10d6-6f65-4866-816b-3dc5772fc465 Default Resource []
```
But even when I put this Default Resource into the first code snippet

```java
...
PermissionRequest request = new PermissionRequest();
request.setResourceSetName("Default Resource");
...
```

it gives me a 403. Where am I wrong?
Kind regards
Keycloak Server is 3.2.1.Final. keycloak-authz-client is 3.2.0.Final.
Minutes after posting I found the problem. Sorry. I had to perform an EntitlementRequest.
```java
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.EntitlementRequest;
import org.keycloak.authorization.client.representation.EntitlementResponse;
import org.keycloak.authorization.client.representation.Permission;
import org.keycloak.authorization.client.representation.PermissionRequest;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;

AuthzClient authzClient = AuthzClient.create();
String eat = authzClient.obtainAccessToken("tim", "test123").getToken();
PermissionRequest request = new PermissionRequest();
request.setResourceSetName("testresource");
// wrap the permission request in an entitlement request instead of asking for a ticket
EntitlementRequest entitlementRequest = new EntitlementRequest();
entitlementRequest.addPermission(request);
EntitlementResponse entitlementResponse = authzClient.entitlement(eat).get("tv", entitlementRequest);
String rpt = entitlementResponse.getRpt();
TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
if (requestingPartyToken.getActive()) {
    for (Permission granted : requestingPartyToken.getPermissions()) {
        System.out.println(granted.getResourceSetId() + " " + granted.getResourceSetName() + " " + granted.getScopes());
    }
}
```
outputs:

```text
27b3d014-b75a-4f52-a97f-dd01b923d2ef testresource []
```
Kind regards
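An added example that is not part of the question or the answer above: it packages the working entitlement flow from the answer into a fail-closed check, so that an action is only allowed when the RPT actually introspects as active and lists the requested resource with every requested scope (rather than just printing whatever comes back). It assumes the keycloak-authz-client 3.2.0 API and package names used on this page, a keycloak.json on the classpath like the one in the question, and the resource server "tv", user "tim" and resource "testresource" from the page; the class name EntitlementCheck, the method isPermitted and the scope name "view" are illustrative assumptions.

```java
// Added example, not the poster's code. Assumes keycloak-authz-client 3.2.0 and a
// keycloak.json on the classpath as in the question. Scope "view" is an assumed name.
import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.EntitlementRequest;
import org.keycloak.authorization.client.representation.EntitlementResponse;
import org.keycloak.authorization.client.representation.Permission;
import org.keycloak.authorization.client.representation.PermissionRequest;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;

public class EntitlementCheck {

    private final AuthzClient authzClient;
    private final String resourceServerId; // client id of the resource server ("tv" in the question)

    public EntitlementCheck(AuthzClient authzClient, String resourceServerId) {
        this.authzClient = authzClient;
        this.resourceServerId = resourceServerId;
    }

    /**
     * Returns true only if the server issues an RPT that (a) introspects as active and
     * (b) lists the named resource with every required scope. Any failure, including
     * the 403 the question ran into, is treated as "not permitted" (fail closed).
     */
    public boolean isPermitted(String accessToken, String resourceName, Set<String> requiredScopes) {
        try {
            PermissionRequest permission = new PermissionRequest();
            permission.setResourceSetName(resourceName);
            if (!requiredScopes.isEmpty()) {
                permission.setScopes(requiredScopes);
            }

            // Entitlement endpoint: the server evaluates its policies for this user
            // and returns an RPT (no permission ticket round trip needed).
            EntitlementRequest entitlementRequest = new EntitlementRequest();
            entitlementRequest.addPermission(permission);
            EntitlementResponse response = authzClient.entitlement(accessToken).get(resourceServerId, entitlementRequest);
            String rpt = response.getRpt();
            if (rpt == null) {
                return false;
            }

            // Do not trust the mere presence of an RPT: introspect it and read the grants it carries.
            TokenIntrospectionResponse introspection = authzClient.protection().introspectRequestingPartyToken(rpt);
            if (!Boolean.TRUE.equals(introspection.getActive())) {
                return false;
            }
            List<Permission> granted = introspection.getPermissions();
            if (granted == null) {
                return false;
            }
            for (Permission p : granted) {
                if (!resourceName.equals(p.getResourceSetName())) {
                    continue;
                }
                if (requiredScopes.isEmpty()) {
                    return true; // resource-level grant is enough when no scope was requested
                }
                Set<String> grantedScopes = p.getScopes();
                if (grantedScopes != null && grantedScopes.containsAll(requiredScopes)) {
                    return true;
                }
            }
            return false; // resource absent, or a required scope is missing
        } catch (RuntimeException e) {
            // The client throws on HTTP errors such as 403 Forbidden; deny rather than propagate.
            System.err.println("entitlement check failed for " + resourceName + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        AuthzClient client = AuthzClient.create(); // reads keycloak.json from the classpath
        String eat = client.obtainAccessToken("tim", "test123").getToken();
        EntitlementCheck check = new EntitlementCheck(client, "tv");
        System.out.println("testresource: " + check.isPermitted(eat, "testresource", Collections.<String>emptySet()));
        System.out.println("testresource/view: " + check.isPermitted(eat, "testresource", Collections.singleton("view")));
    }
}
```

The first call mirrors the answer's request (resource only, which the page shows coming back with an empty scope list), so it prints true for the setup on this page; the second asks for the assumed scope "view" and prints true only if that scope is both defined on the resource and granted by a policy. Keeping the decision in one method that defaults to false means a misconfigured policy, an expired token or a transport error all end up as a denial, not as an exception that some caller might swallow.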