I'm trying to get RPT without permission ticket only using resource names. While this method works when working with policies, it doesn't seem to work with users sharing their resources through account page (returns access denied). For some reason when user A shares a resource with user B, user B can get RPT for this resource only if he:
a) Requests all his permissions
or
b) Requests specific permissions by id (not name)
Is this intended behaviour? If so how can i overcome this problem and still use only resource names?
Getting RPT by resource name (doesn't work with sharing):
curl "$PROTOCOL://$HOST:$PORT/auth/realms/$REALM/protocol/openid-connect/token" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&permission=$RESOURCE_NAME&audience=$RESOURCE_CLIENT_ID"
Getting RPT by resource id (works with sharing):
curl "$PROTOCOL://$HOST:$PORT/auth/realms/$REALM/protocol/openid-connect/token" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&permission=$RESOURCE_ID&audience=$RESOURCE_CLIENT_ID"
Getting RPT for all resources (works with sharing):
curl "$PROTOCOL://$HOST:$PORT/auth/realms/$REALM/protocol/openid-connect/token" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=$RESOURCE_CLIENT_ID"
This issue is fixed in version 6.0