79566139

Date: 2025-04-10 08:44:34
Score: 1

The filter is not responsible! It was a Keycloak configuration issue.

The Keycloak behavior

When you give the uma_protection role of a client to a user, the roles client scope automatically adds the client to the audience of the access token through the audience resolve mapper.

My bad

To test the authorization I was removing the uma_protection role of the client from the user. Thus, the client was not added to the audience of the access token anymore.

The solution

The goal is to add the client to the audience of the access token.

Don't know if other options are available, but the one that we chose is to create a client scope with a token mapper of type Audience having the client included:

[Image: The Keycloak form for creating a client scope]
[Image: The Keycloak form for creating a mapper]

We then add this scope to each client that needs an access token allowed to request the first one:

[Image: The Keycloak client scope tab of a client page]
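As an added example (not code from the original answer or from Keycloak), here is the resource-server-side audience check that explains why the token stopped being accepted once the role-derived audience went away. It decodes the payload of a compact JWT, normalizes the `aud` claim (RFC 7519 allows a string or an array, and Keycloak emits either depending on how many audiences are mapped), and accepts the token only if it is addressed to the expected client. The client ID `resource-api`, the claim values and the sample tokens are constructed for the example; a real check must verify the token signature before trusting any claim.

```python
"""Audience check for a Keycloak-style access token (added example, not from the post).

Assumptions (constructed for this example): the resource server's Keycloak
client ID is "resource-api", and the sample tokens are built locally with a
placeholder signature segment. Signature verification is out of scope here and
must happen before the audience check in real code.
"""
import base64
import json

EXPECTED_CLIENT_ID = "resource-api"  # assumed client ID of the resource server


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def audiences(token: str) -> list[str]:
    """Return the `aud` claim as a list (RFC 7519 allows a string or an array).

    A missing `aud` yields an empty list, which no resource server should accept.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud claim must be a string or an array of strings")


def audience_allows(token: str, client_id: str = EXPECTED_CLIENT_ID) -> bool:
    """True only if the token is addressed to `client_id` (the resource server).

    A token with no `aud`, or one addressed only to other clients (for example
    just "account"), is rejected. That is the situation the post describes after
    removing the uma_protection role: the audience resolve mapper no longer
    added the client, so the resource server correctly refused the token.
    """
    return client_id in audiences(token)


def make_sample_token(claims: dict) -> str:
    """Build a constructed test token: real header shape, placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-omitted"


# Constructed sample tokens mirroring the three situations in the post.
# 1) uma_protection role present: audience resolve mapper added the client (array form).
TOKEN_WITH_ROLE_AUDIENCE = make_sample_token(
    {"sub": "alice", "aud": ["resource-api", "account"], "azp": "frontend"}
)
# 2) role removed: only the default "account" audience remains (string form).
TOKEN_AFTER_ROLE_REMOVED = make_sample_token(
    {"sub": "alice", "aud": "account", "azp": "frontend"}
)
# 3) explicit Audience mapper in a client scope: client is back in `aud`.
TOKEN_WITH_SCOPE_MAPPER = make_sample_token(
    {"sub": "alice", "aud": "resource-api", "azp": "frontend"}
)

if __name__ == "__main__":
    for name, tok in [
        ("role audience", TOKEN_WITH_ROLE_AUDIENCE),
        ("role removed", TOKEN_AFTER_ROLE_REMOVED),
        ("scope mapper", TOKEN_WITH_SCOPE_MAPPER),
    ]:
        print(f"{name}: aud={audiences(tok)} accepted={audience_allows(tok)}")
```

The check is deliberately strict about the shape of `aud`: a string is wrapped into a one-element list, an array is used as-is, and anything else is rejected rather than silently treated as empty, so a misconfigured mapper fails closed.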

Reasons:
  • Probably link only (1):
  • Long answer (-0.5):
  • Has code block (-0.5):
  • Self-answer (0.5):
  • Low reputation (0.5):
Posted by: Calcimicium