diff --git a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
index 3b9b3de..751197b 100644
--- a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
+++ b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
@@ -385,7 +385,7 @@ public class AuthorizationTokenService {
}
}
} else {
- List<Resource> resources = resourceStore.findByScope(new ArrayList<>(requestedScopes), resourceServer.getId());
+ List<Resource> resources = resourceStore.findByScope(requestedScopesModel.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId());
for (Resource resource : resources) {
permissionsToEvaluate.put(resource.getId(), Permissions.createResourcePermissions(resource, requestedScopes, authorization, request));
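Review bot: `Scope::getId` on the new line throws a NullPointerException if `requestedScopesModel` (built outside this hunk, so I cannot confirm its contents) holds a null for a requested scope name that did not resolve, which would turn a malformed authorization request into a server error rather than a rejected one; either filter before mapping, `requestedScopesModel.stream().filter(Objects::nonNull).map(Scope::getId).collect(Collectors.toList())`, or reject unknown scope names before this lookup. The new call also relies on `Scope` and `Collectors` being imported, which the hunk does not show. Since the removed line passed scope names where ids are expected, a short comment would save the next reader the same mistake: `// findByScope matches on scope ids; requestedScopes holds the names the client sent`. The enclosing method starts and ends outside the hunk.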
diff --git a/services/src/main/java/org/keycloak/authorization/util/Permissions.java b/services/src/main/java/org/keycloak/authorization/util/Permissions.java
index 32219dd..903623b 100644
--- a/services/src/main/java/org/keycloak/authorization/util/Permissions.java
+++ b/services/src/main/java/org/keycloak/authorization/util/Permissions.java
@@ -191,7 +191,7 @@ public final class Permissions {
// Later they will be filtered based on any denied scope, if any.
// TODO: we could probably provide a configuration option to let users decide whether or not a resource-based permission should grant all scopes associated with the resource.
grantedScopes.addAll(permission.getScopes());
- } if (resource.isOwnerManagedAccess() && "uma".equals(policy.getType())) {
+ } if (resource != null && resource.isOwnerManagedAccess() && "uma".equals(policy.getType())) {
userManagedPermissions.add(policyResult);
}
deniedCount--;
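Review bot: The `} if (` layout on the changed line reads like a mistyped `else if`, and with the added null guard it is even easier to misread as a chained condition; put the `if` on its own line after the closing brace. The hunk does not show why `resource` can be null here, so a hedged comment would help: `// resource is null for scope-based permissions not bound to a resource (TODO confirm); UMA owner checks only apply to a concrete resource`. Skipping the `userManagedPermissions` bookkeeping for a null resource looks reasonable for UMA, since there is no owner to consult, but that intent should be stated rather than left implicit in a guard. The enclosing method starts and ends outside the hunk.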
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java
index 60bc6f8..9325550 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java
@@ -41,6 +41,7 @@ import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.common.util.Base64Url;
+import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessToken.Authorization;
import org.keycloak.representations.idm.RealmRepresentation;
@@ -54,6 +55,7 @@ import org.keycloak.representations.idm.authorization.PermissionResponse;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
@@ -242,25 +244,6 @@ public class EntitlementAPITest extends AbstractAuthzTest {
assertResponse(new Metadata(), () -> getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(response.getAccessToken()).authorize(request));
}
- public void testRptRequestWithResourceName(String configFile) {
- Metadata metadata = new Metadata();
-
- metadata.setIncludeResourceName(true);
-
- assertResponse(metadata, () -> getAuthzClient(configFile).authorization("marta", "password").authorize());
-
- AuthorizationRequest request = new AuthorizationRequest();
-
- request.setMetadata(metadata);
- request.addPermission("Resource 13");
-
- assertResponse(metadata, () -> getAuthzClient(configFile).authorization("marta", "password").authorize(request));
-
- request.setMetadata(null);
-
- assertResponse(metadata, () -> getAuthzClient(configFile).authorization("marta", "password").authorize(request));
- }
-
@Test
public void testPermissionLimit() {
testPermissionLimit(AUTHZ_CLIENT_CONFIG);
@@ -498,7 +481,64 @@ public class EntitlementAPITest extends AbstractAuthzTest {
assertFalse(hasPermission("kolo", "password", resource.getId(), "Scope A"));
}
- public void testResourceServerAsAudience(String testClientId, String resourceServerClientId, String configFile) throws Exception {
+ @Test
+ public void testObtainAllEntitlementsInvalidResource() throws Exception {
+ ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
+ AuthorizationResource authorization = client.authorization();
+
+ JSPolicyRepresentation policy = new JSPolicyRepresentation();
+
+ policy.setName(KeycloakModelUtils.generateId());
+ policy.setCode("$evaluation.grant();");
+
+ authorization.policies().js().create(policy).close();
+
+ ResourceRepresentation resource = new ResourceRepresentation();
+
+ resource.setName("Sensors");
+ resource.addScope("sensors:view", "sensors:update", "sensors:delete");
+
+ resource = authorization.resources().create(resource).readEntity(ResourceRepresentation.class);
+
+ ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
+
+ permission.setName("View Sensor");
+ permission.addScope("sensors:view");
+ permission.addPolicy(policy.getName());
+
+ authorization.permissions().scope().create(permission);
+
+ String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
+ AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
+ AuthorizationRequest request = new AuthorizationRequest();
+
+ request.addPermission("Sensortest", "sensors:view");
+
+ AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
+
+ assertNotNull(response);
+ }
+
+ private void testRptRequestWithResourceName(String configFile) {
+ Metadata metadata = new Metadata();
+
+ metadata.setIncludeResourceName(true);
+
+ assertResponse(metadata, () -> getAuthzClient(configFile).authorization("marta", "password").authorize());
+
+ AuthorizationRequest request = new AuthorizationRequest();
+
+ request.setMetadata(metadata);
+ request.addPermission("Resource 13");
+
+ assertResponse(metadata, () -> getAuthzClient(configFile).authorization("marta", "password").authorize(request));
+
+ request.setMetadata(null);
+
+ assertResponse(metadata, () -> getAuthzClient(configFile).authorization("marta", "password").authorize(request));
+ }
+
+ private void testResourceServerAsAudience(String testClientId, String resourceServerClientId, String configFile) throws Exception {
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission("Resource 1");