PrestonDocks

Reputation: 5418

How to query keycloak resource permission with a token issued from a public client

I have a Front End Javascript client that is protected by keycloak. The Keycloak client for the Front End App is of type Public and called blog_gui.

I also have an API that is protected by a Confidential client called 'blog_api', with Authorization Enabled.

When I make a request from my Front End App to the API, I send the JWT issued by keycloak from the public client (blog_gui) as a Bearer token in the header of the request.

In the API I want to check if the Front End App that sent the JWT has permission to a specific resource. So I send a request to the keycloak server at the following URL, including the JWT from the Front End App as a Bearer token:

http://${host}:${port}/auth/realms/${realm}/authz/protection/uma-policy

The result I get back from keycloak is

{
    "error": "invalid_clientId",
    "error_description": "Client application [blog_gui] is not registered as a resource server."
}

Upvotes: 3

Views: 1920

Answers (1)

sventorben

Reputation: 1912

In your scenario keycloak-js will query Keycloak for an access token with an audience/client blog_gui. This client is public, so it is not a registered resource server. You may want to execute a token exchange to obtain an access token for your backend client (blog_api) and use the obtained token to query the uma-policy endpoint. You can find additional info on how to query the endpoint in the Authorization Services docs over here.

Make sure that your blog_api client is confidential and has Authorization Enabled switched on. You may refer to this documentation on how to setup the client accordingly.

Upvotes: 2
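The flow the answer describes, as an added example (not code from the question, the answer, or Keycloak itself): a Node.js API backend takes the bearer token that keycloak-js obtained for the public client blog_gui, exchanges it at the realm token endpoint for a token whose audience is the confidential resource server blog_api (RFC 8693 token exchange, which the answer recommends), and then asks Keycloak Authorization Services for a permission decision with that exchanged token. The permission check uses the UMA grant on the token endpoint with response_mode=decision rather than the uma-policy endpoint from the question; that is this example's choice for a yes/no decision. The base URL, realm name, client secret, resource name "Posts" and scope "read" are placeholders, and fakeKeycloak is a constructed stand-in for fetch so the module runs offline while mirroring the JSON shapes Keycloak returns, including the invalid_clientId error quoted in the question.

```javascript
// Added example: exchange a blog_gui token for a blog_api token, then ask Keycloak
// Authorization Services for a decision. Requires Node 18+ (global fetch / URLSearchParams).
// All values in cfg are placeholders, not from the original post.
const cfg = {
  baseUrl: "http://localhost:8080/auth",   // legacy /auth prefix, as in the question's URL
  realm: "blog",
  apiClientId: "blog_api",                  // confidential client with Authorization Enabled
  apiClientSecret: "replace-me",
};

const TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
const UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket";
const FORM = { "Content-Type": "application/x-www-form-urlencoded" };

function tokenEndpoint(c) {
  return `${c.baseUrl}/realms/${encodeURIComponent(c.realm)}/protocol/openid-connect/token`;
}

// RFC 8693 token exchange: blog_api authenticates with its own secret, presents the
// frontend's token as subject_token, and asks for a token whose audience is blog_api.
function buildTokenExchangeRequest(c, subjectToken) {
  const body = new URLSearchParams({
    grant_type: TOKEN_EXCHANGE_GRANT,
    client_id: c.apiClientId,
    client_secret: c.apiClientSecret,
    subject_token: subjectToken,
    subject_token_type: "urn:ietf:params:oauth:token-type:access_token",
    requested_token_type: "urn:ietf:params:oauth:token-type:access_token",
    audience: c.apiClientId,
  });
  return { url: tokenEndpoint(c), method: "POST", headers: { ...FORM }, body: body.toString() };
}

// UMA grant with response_mode=decision: Keycloak answers {"result": true} or 403
// instead of issuing a full RPT, which is all an API needs for an allow/deny check.
function buildPermissionRequest(c, bearerToken, resource, scope) {
  const body = new URLSearchParams({
    grant_type: UMA_TICKET_GRANT,
    audience: c.apiClientId,
    permission: scope ? `${resource}#${scope}` : resource,
    response_mode: "decision",
  });
  const headers = { ...FORM, Authorization: `Bearer ${bearerToken}` };
  return { url: tokenEndpoint(c), method: "POST", headers, body: body.toString() };
}

// Classify Keycloak's reply. invalid_clientId is the error from the question: the token's
// client (blog_gui) is not a resource server, so there are no policies to evaluate.
function interpretAuthzResponse(status, json) {
  if (status === 200 && json && json.result === true) return "allowed";
  if (json && json.error === "invalid_clientId") return "not_a_resource_server";
  if (status === 403 || (json && json.error === "access_denied")) return "denied";
  return "error";
}

// Full flow with an injectable fetch so it can be driven offline or against a real server.
async function checkPermission(fetchImpl, c, frontendToken, resource, scope) {
  const ex = buildTokenExchangeRequest(c, frontendToken);
  const exRes = await fetchImpl(ex.url, ex);
  const exJson = await exRes.json();
  if (!exRes.ok || !exJson.access_token) {
    return { decision: "exchange_failed", detail: exJson.error_description || exJson.error };
  }
  const pr = buildPermissionRequest(c, exJson.access_token, resource, scope);
  const prRes = await fetchImpl(pr.url, pr);
  const prJson = await prRes.json();
  return { decision: interpretAuthzResponse(prRes.status, prJson) };
}

// Constructed stand-in for fetch: grants exactly one permission (Posts#read) to tokens
// minted by the exchange, and reproduces the question's error for any other token.
function fakeKeycloak(url, init) {
  const params = new URLSearchParams(init.body);
  const reply = (status, obj) =>
    Promise.resolve({ ok: status < 400, status, json: () => Promise.resolve(obj) });
  if (params.get("grant_type") === TOKEN_EXCHANGE_GRANT) {
    return params.get("client_secret") === cfg.apiClientSecret
      ? reply(200, { access_token: "exchanged-for-blog_api", token_type: "Bearer" })
      : reply(401, { error: "unauthorized_client" });
  }
  if (params.get("grant_type") === UMA_TICKET_GRANT) {
    if (!(init.headers.Authorization || "").startsWith("Bearer exchanged-")) {
      return reply(400, {
        error: "invalid_clientId",
        error_description: "Client application [blog_gui] is not registered as a resource server.",
      });
    }
    return params.get("permission") === "Posts#read"
      ? reply(200, { result: true })
      : reply(403, { error: "access_denied" });
  }
  return reply(404, { error: "not_found" });
}

// Usage against the stand-in: checkPermission(fakeKeycloak, cfg, "frontend-token", "Posts", "read")
// With a real server pass the global fetch instead of fakeKeycloak.
```

Two caveats a practitioner will hit: token exchange is a preview feature in Keycloak and must be enabled on the server, and the blog_api client must be granted permission to exchange tokens coming from blog_gui; without both, the first request fails with an error from the token endpoint rather than reaching the permission check. Keep the client secret out of the browser: the exchange belongs in the API, which is why this example runs it server-side.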
