Keycloak include permission into the access token along with the roles

Question

I have been working on setting up authorization using keycloak, and have set up specific roles and permissions based on resources and but the JWT access token contains only the details about the roles and not the permission assigned to the user.

I want the access token to include permission details and have tried the methods on Keycloak documentation: 1) Using permission ticket cannot generate the ticket using

http://${host}:${port}/auth/realms/${realm_name}/authz/protection/permission

it shows:

{
    "error": "invalid_bearer_token",
    "error_description": "Could not obtain bearer access_token from request."
}

and thus cannot generate the RPT and get details of the permissions.

Also tried using the entitlement API.

2) Using entitlement API:

 curl -X GET \
     -H "Authorization: Bearer ${access_token}" \
     "http://localhost:8080/auth/realms/hello-world-authz/authz/entitlement/${resource_server_id}"

I tried using postman and it shows 404 Not Found..

Can anyone show me the correct procedure to include the permission in the access token or generate the RPT correctly.

Answer 1

Keycloak provides a discovering document for Authorization Services. You can obtain from following url.

curl -X GET http://localhost:8080/auth/realms/{realm}/.well-known/uma2-configuration -H "Authorization: Bearer ${access_token}"

here localhost and 8080 are for keycloak host and port

error says token you are using is not valid for the client.

I was able to get RPT using below command

curl -X POST   http://localhost:8080/auth/realms/${realm}/protocol/openid-connect/token  -H "Authorization: Bearer ${access_token}" --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" --data "audience={resource_server_client_id}"  --data "permission=Resource#Scope"

Keycloak responds to the client with the RPT