Hi all,
- I have 2 tokens, one obtained via the JavaScript adapter and the other via the Java adapter. They look pretty much the same in jwt.io (same aud, azp...). I think the only difference is that the JavaScript token has "scope": "openid profile email", while the Java token has "scope": "profile email" (without openid).
- The JavaScript token is obtained by:
    const keycloak = new Keycloak(/* config not shown */);
    keycloak.init({
      onLoad: 'login-required'
    });
    // and get the token from the "token" property of the keycloak object.
- The Java token is obtained by:
    Map<String, Object> credentials = new HashMap<>();
    credentials.put("secret", ""); // empty secret (this is a public frontend client)
    Configuration config = new Configuration(url, realmName, "frontend-app", credentials, null);
    AuthzClient authzClient = AuthzClient.create(config);
    String token = authzClient.obtainAccessToken("username", "1234").getToken();
- Both tokens are used by the server code, which uses the Java adapter:
    Map<String, Object> credentials = new HashMap<>();
    credentials.put("secret", "xxx"); // confidential backend-app client
    Configuration config = new Configuration(url, realmName, "backend-app", credentials, null);
    AuthzClient authzClient = AuthzClient.create(config);
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission("resourceid"); // no scopes
    authzClient.authorization(token).authorize(request);
- Two different results:
  + With the token obtained by the Java adapter: permission allowed
  + With the token obtained by the JavaScript adapter:
    * Got response: "error":"invalid_grant","error_description":"Invalid bearer token"},
    * And in the Keycloak log: type=PERMISSION_TOKEN_ERROR, realmId=xxx, clientId=xxx, userId=null, ipAddress=192.168.120.196, error=invalid_token, auth_method=oauth_credentials, grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
I need to fix the JavaScript client to work. Any help, please?
Thank you,
Huy Banh.
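
Added example, not part of the original message: a Node.js sketch that decodes the two access tokens locally and lists every claim that differs, so the comparison covers all claims and not only the ones noticed by eye. The function names and the sample tokens are constructed for illustration; it decodes only and does not verify signatures.

```javascript
// Decode two JWT access tokens locally and list the claims that differ.
// Decoding only: the signature is NOT verified here.
function decodeJwtPayload(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected 3 dot-separated parts');
  }
  // base64url -> base64, restoring the padding that JWTs strip
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Claims that differ between any two tokens and say nothing about the cause.
const VOLATILE = new Set(['exp', 'iat', 'nbf', 'auth_time', 'jti']);

function normalize(name, value) {
  // "scope" is a space-separated set, so order must not matter
  if (name === 'scope' && typeof value === 'string') {
    return JSON.stringify(value.split(/\s+/).filter(Boolean).sort());
  }
  return JSON.stringify(value);
}

function diffClaims(tokenA, tokenB) {
  const a = decodeJwtPayload(tokenA);
  const b = decodeJwtPayload(tokenB);
  const names = new Set([...Object.keys(a), ...Object.keys(b)]);
  const diffs = [];
  for (const name of [...names].sort()) {
    if (VOLATILE.has(name)) continue;
    if (normalize(name, a[name]) !== normalize(name, b[name])) {
      diffs.push({ claim: name, a: a[name], b: b[name] });
    }
  }
  return diffs;
}

// Constructed sample tokens (unsigned placeholders, not real Keycloak output).
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(claims)}.sig`;
}
const jsToken = makeToken({ azp: 'frontend-app', scope: 'openid profile email', iat: 1 });
const javaToken = makeToken({ azp: 'frontend-app', scope: 'email profile', iat: 2 });
console.log(diffClaims(jsToken, javaToken));
```

With real tokens, pass the two token strings to `diffClaims` in place of the constructed samples.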