I am struggling to find it, but I can't find a solution. Can anyone help me?
Here is my try.
#1 First find PAT (Protection API Token)
#2 get the permission ticket list
#3 try to get RPT but got "Ticket verification failed" error.
#4 This is the source code for this error, but I am not familiar with the source.
    private PermissionTicketToken verifyPermissionTicket(KeycloakAuthorizationRequest request) {
        String ticketString = request.getTicket();
        // decode() returns null when the ticket string cannot be decoded
        PermissionTicketToken ticket = request.getKeycloakSession().tokens().decode(ticketString, PermissionTicketToken.class);
        if (ticket == null) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_ticket", "Ticket verification failed", Status.FORBIDDEN);
        }
        // ... remainder of the method not shown in the post
    }
It is copied from the source file (AuthorizationTokenService.java), line 670.
https://www.keycloak.org/docs/latest/authorization_services/#_service_overview
I spent a lot of time trying to get the RPT and I finally found a solution.
So first you have to get a normal token with the grant_type password:
Then you ask for the party token with the access_token you received; this time your grant_type will be "urn:ietf:params:oauth:grant-type:uma-ticket".
NOTE: here the audience property is the client_id
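The two requests described in the answer above, as an added example that is not part of the original post or Keycloak's own code. It assumes `base_url` already includes any `/auth` prefix your Keycloak version uses and that the client is public (no `client_secret`); all function names are hypothetical.

```python
import base64
import json
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def token_request(base_url, realm, form, bearer=None):
    """Build (not send) a POST to the realm's OpenID Connect token endpoint."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    return req

def password_grant(base_url, realm, client_id, username, password):
    """Step 1: a normal access token via grant_type=password."""
    return token_request(base_url, realm, {
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password})

def rpt_grant(base_url, realm, access_token, audience):
    """Step 2: RPT request; audience is the client_id, as the answer notes."""
    return token_request(base_url, realm,
        {"grant_type": UMA_GRANT, "audience": audience}, bearer=access_token)

def send(req):
    """POST the request and return the parsed JSON token response."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_rpt(base_url, realm, client_id, username, password):
    """Run both steps against a live server and return the RPT string."""
    access = send(password_grant(base_url, realm, client_id, username, password))
    return send(rpt_grant(base_url, realm, access["access_token"], client_id))["access_token"]

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def rpt_permissions(rpt):
    """Permissions Keycloak granted, from the RPT's authorization claim."""
    return jwt_claims(rpt).get("authorization", {}).get("permissions", [])
```

`rpt_permissions` is a debugging aid for confirming what the RPT contains; a resource server still has to verify the token's signature before trusting those permissions.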
That's quite an advanced / emerging standard you are looking at. User Managed Access is related to User A granting resource access to other users based on verifiable preconditions.
Is that really what you are trying to do? If you can explain your scenario / requirements - e.g. what components there are - we may be able to suggest a simpler / alternative solution.