Keycloak Authorization Services - retrieving the decision only

keycloak iam uma

In Introduction to Keycloak Authorization Services 1, I have described how to use the Authorization Services to find out if the user has access to certain resources.

I have done so by asking Keycloak to issue an access token with a special grant_type with the value of urn:ietf:params:oauth:grant-type:uma-ticket, which returned a list of permissions the user has access to.

The request looked like this:

curl --silent -X POST \
  ${KEYCLOAK_TOKEN_URL} \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=customers" \
  --data "permission=CustomerB#customer-b" | jq '.'

where the ${access_token} was the result of

export access_token=`curl --silent -u customers:${KEYCLOAK_CLIENT_SECRET} \
    -k -d "grant_type=password&username=member@service-team&password=${USER_PASSWORD}&scope=email profile" \
    -H "Content-Type:application/x-www-form-urlencoded" \
    ${KEYCLOAK_TOKEN_URL} | jq '.access_token' -r`

The response I was looking for looked like:

{
  "upgraded": false,
  "access_token": "eyJhbGciOiJSUzI1NiIsI...n8AC51T1AMwDtoqfCEXrdwcrQ",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJIUz...RG3zFus",
  "token_type": "Bearer",
  "not-before-policy": 0
}

However, since I was only interested in confirming whether the user has access to certain resources, I could have used an additional parameter in the grant_type=urn:ietf:params:oauth:grant-type:uma-ticket call:

--data "response_mode=decision"

With this parameter, the call to retrieve the decision would look like:

curl --silent -X POST \
  ${KEYCLOAK_TOKEN_URL} \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=customers" \
  --data "response_mode=decision" \
  --data "permission=CustomerB#customer-b" | jq '.'

If the user has access, Keycloak returns:

{
  "result": true
}

Otherwise, the response would be:

{
  "error": "access_denied",
  "error_description": "not_authorized"
}
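The same decision call, wrapped in a small client that maps the two response bodies shown above to a boolean and refuses to guess on anything else. This is an added example written for this post, not code from Keycloak or from the original article; it assumes only the Python 3 standard library, and the endpoint, token, audience and permission values are passed in by the caller.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


class PermissionCheckError(Exception):
    """Raised when the token endpoint answers with something other than a decision."""


def decision_from_response(status, body):
    """Interpret a response_mode=decision answer from the token endpoint.

    Only the two bodies Keycloak documents for this mode are accepted:
      {"result": true}                                  -> True
      {"error": "access_denied", "error_description": "not_authorized"} -> False
    Anything else (expired bearer token, wrong audience, unknown resource) is
    raised rather than silently treated as "denied", so a broken integration
    cannot hide behind a stream of apparent denials.
    """
    data = json.loads(body) if body else {}
    if data.get("result") is True:
        return True
    if data.get("error") == "access_denied":
        return False
    raise PermissionCheckError(f"unexpected response (HTTP {status}): {body!r}")


def check_permission(token_url, access_token, audience, permission):
    """Ask Keycloak whether access_token's user may use `permission`.

    `permission` uses the resource#scope form from the post, e.g. "CustomerB#customer-b".
    """
    form = urllib.parse.urlencode({
        "grant_type": UMA_TICKET_GRANT,
        "audience": audience,
        "response_mode": "decision",
        "permission": permission,
    }).encode()
    req = urllib.request.Request(
        token_url, data=form, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return decision_from_response(resp.getcode(), resp.read().decode())
    except urllib.error.HTTPError as err:
        # A denial arrives as an HTTP error; its body still carries the decision.
        return decision_from_response(err.code, err.read().decode())
```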

  1. Introduction to Keycloak Authorization Services ↩︎