Viktor Peshevski

Reputation: 13

Keycloak user authorization openid-protocol Rest API

I am new to Keycloak. I have made a web portal where authentication (login, logout, forgot password) of users is done in the backend (PHP) using the REST API. After successful authentication the user is allowed to enter the secure part of the portal. I am having trouble getting a REST API endpoint so that, when a user is logged in, I can get a list of the permissions this user has, so I can render the UI with the functions that this specific user has permissions for. So far I found an endpoint which can ask for a specific permission only:

curl -X POST \
  "http://$URL/auth/realms/argo/protocol/openid-connect/token" \
  -H "Authorization: Bearer $TOKEN" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=$CLIENTID" \
  --data "permission=$PERMISSIONNAME#$PERMISSIONSCOPE"

Is this possible with Keycloak? I would have maybe around 10 navigation functions, and some will be payable, so once a user buys such a function we will grant this permission to that specific user.

Thanks

Upvotes: 0

Views: 4029

Answers (1)

TacheDeChoco

Reputation: 3903

I spent a lot of time making it work. Basically, once the user is logged in (via a JWT access token) your app has to issue an additional call to an OIDC endpoint in order to get an extended JWT token (including fine-grained permissions).

Here are the details of this extra call:

POST http://server:port/auth/realms/<realm>/protocol/openid-connect/token

Content-Type: application/x-www-form-urlencoded

Authorization: "Bearer ....." (=access token of logged-in user)

Parameters:
- grant_type: the constant "urn:ietf:params:oauth:grant-type:uma-ticket"
- audience: the Keycloak client ID
- response_include_resource_name: true

You will get in response a JWT token that should be decoded:

  • either programmatically (quite easy)
  • or by invoking the Keycloak token introspection endpoint (i.e. /auth/realms/<realm>/protocol/openid-connect/token/introspect)

And, once decoded, you will notice that the JSON payload contains an extra "authorization" node.

Upvotes: 4
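The following is an added example, not code from the answer above or from Keycloak itself. It shows the two halves of the flow the answer describes: building the extra UMA-ticket token request (grant_type, audience, response_include_resource_name), and reading the "authorization" node of the returned RPT to get the per-resource scopes the UI can render from. The base URL, realm, client ID, resource names such as "navigation:maps" and the sample token itself are constructed assumptions; the token's signature segment is a dummy string, so the decoder here only reads structure and must only be trusted after the RPT has been verified (JWKS signature check or the introspection endpoint).

```python
import base64
import json
from urllib.parse import urlencode

# Grant type named in the answer above; Keycloak rejects the request without it.
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(base_url, realm, access_token, client_id):
    """Return (url, headers, body) for the extra token call from the answer.

    Nothing is sent here; the caller performs the POST. base_url, realm and
    client_id are whatever your deployment uses (assumed values in the test).
    """
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Bearer {access_token}",
    }
    body = urlencode({
        "grant_type": UMA_TICKET_GRANT,
        "audience": client_id,
        # Ask Keycloak to include rsname next to rsid so the UI can key on names.
        "response_include_resource_name": "true",
    })
    return url, headers, body


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token):
    """Decode the payload of a compact JWT WITHOUT verifying the signature.

    Use the result only after the token has been verified (signature check
    against the realm JWKS, or the introspection endpoint from the answer).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def permissions_from_rpt(payload):
    """Map resource name -> set of granted scopes from the 'authorization' claim.

    A permission entry without 'scopes' is a resource-level grant; it maps to
    an empty set so the resource still shows up as granted.
    """
    granted = {}
    for perm in payload.get("authorization", {}).get("permissions", []):
        name = perm.get("rsname") or perm.get("rsid")
        granted[name] = set(perm.get("scopes", []))
    return granted


def has_permission(granted, resource, scope=None):
    """True if the user holds `resource` (and `scope`, when one is given)."""
    if resource not in granted:
        return False
    return scope is None or scope in granted[resource]


def _make_sample_rpt():
    # CONSTRUCTED sample RPT: realistic claim layout, dummy signature segment.
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "aud": "portal-backend",
        "sub": "user-123",
        "authorization": {
            "permissions": [
                {"rsid": "r1", "rsname": "navigation:maps", "scopes": ["view"]},
                {"rsid": "r2", "rsname": "navigation:routing", "scopes": ["view", "export"]},
                {"rsid": "r3", "rsname": "navigation:traffic"},  # no scopes: resource-level grant
            ]
        },
    }

    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}.dummy-signature"


SAMPLE_RPT = _make_sample_rpt()

if __name__ == "__main__":
    granted = permissions_from_rpt(decode_jwt_payload(SAMPLE_RPT))
    for resource, scopes in sorted(granted.items()):
        print(f"{resource}: {sorted(scopes) or '(resource-level)'}")
```

In the portal backend the RPT, not the original access token, is what the UI-rendering code should read, and the lookup should happen server-side on every request that exposes a paid function rather than only once at login, so a revoked or expired grant is not honoured from a cached menu.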
