The Keycloak documentation presents two ways to create a permission ticket:
curl -X POST http://${host}:${port}/realms/${realm_name}/authz/protection/permission \
  -H 'Authorization: Bearer '$pat \
  -H 'Content-Type: application/json' \
  -d '[
    {
      "resource_id": "{resource_id}",
      "resource_scopes": [
        "view"
      ]
    }
  ]'
and
curl -X POST \
  http://${host}:${port}/realms/${realm_name}/authz/protection/permission/ticket \
  -H 'Authorization: Bearer '$access_token \
  -H 'Content-Type: application/json' \
  -d '{
    "resource": "{resource_id}",
    "requester": "{user_id}",
    "granted": true,
    "scopeName": "view"
  }'
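The first endpoint does not affect the RESOURCE_SERVER_PERM_TICKET table. In other words, it does not create any permission ticket. This can also be inferred from the get permission tickets endpoint. (The result is [].)
In the second endpoint, scopeName or scope must be supplied, whereas some resources can be created without mentioning any scope. In that case, calling the create permission API fails with: "error_description": "created permissions should have scope or scopeName", and sending a null scope results in: "Scope[] is invalid".
Are there any suggestions for the 2 problems mentioned above?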