Keycloak is it possible acess resource server from public client

Question

I am very new to keycloak and I want to know is it possible to create public client then authorize client and get access token. Then use that access token and create UMA tickets to resource server and check if client has rights to access resoucrces using same authorization

I uses this turtorial https://gruchalski.com/posts/2020-09-05-introduction-to-keycloak-authorization-services/

And it worked if you reauthorized to resource server directly. But I want to use one authorisation to check rights to resources which could belong to different resource servers

I get access token using this code:

    export access_token=`curl --silent -u public-client:1 \
        -k -d "grant_type=password&username=${USER_NAME}&password=${USER_PASSWORD}&scope=email profile" \
        -H "Content-Type:application/x-www-form-urlencoded" \
        ${KEYCLOAK_TOKEN_URL} | jq '.access_token' -r`

Then I try to authorise same user to different client:

    curl --silent -X POST \
      ${KEYCLOAK_TOKEN_URL} \
      -H "Authorization: Bearer ${access_token}" \
      --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
      --data "audience=resource-server-1"

But I get "Client does not support permissions" Maybe someone knows what I need to configure for this to work or even if this can work?

Answer 1

For what I've reading you need two clients. One public and the other confidential.
Then in your client configured as confidential set all your fine-grained authz then in your audience param you set the client id previously configured as confidential.