Looking at the Keycloak documentation, I'm trying to find out how a Policy Enforcement Point (PEP) can validate an RPT token, specifically the scopes for the target call. What APIs are called to achieve this, or does the adapter code use the keycloak.json directly and compare?
I know the introspection API will tell me if an RPT is valid/active or not. But that doesn't seem to confirm if the scopes in the RPT are appropriate for the target resource, i.e. the resource will end up rejecting it as unauthorised (assuming a second layer of authorisation checks).
Any documentation or sequence that shows the calls/configuration lookups? Or a pointer to code lines?
Hopefully answering my own question, walking the code.
Looks like the policy enforcer in the OIDC adapter classes eventually calls the resource_set endpoint for the target URI. From that, the scopes and permissions are compared against the RPT values and a grant-or-deny determination is made.
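To make the comparison described in the answer concrete, here is an added Python sketch (not Keycloak's adapter code, which is Java) of the enforcement decision: match the request path against a resource_set lookup, pick the scope the HTTP method requires, and check the RPT's `authorization.permissions` claim for a permission on that resource carrying that scope. The resource_set response, the method-to-scope mapping and the token contents are constructed samples; the PEP is assumed to have already verified the token signature or called introspection.

```python
import base64
import json

# Constructed sample resource_set response (fields modelled on Keycloak's
# resource representation; the ids, names and URIs are made up).
RESOURCE_SET = [
    {"_id": "res-123", "name": "Invoice API", "uris": ["/invoices/*"],
     "resource_scopes": [{"name": "invoice:read"}, {"name": "invoice:write"}]},
]
# Assumed enforcer configuration mapping an HTTP method to the scope it requires.
METHOD_SCOPES = {"GET": "invoice:read", "POST": "invoice:write"}

def decode_rpt_payload(rpt: str) -> dict:
    """Decode the payload segment of a JWT-formatted RPT. No signature check here:
    the PEP is assumed to have verified the signature or called introspection."""
    payload = rpt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def match_resource(path: str, resources: list):
    """Return the first resource whose URI (exact or trailing /*) matches path."""
    for res in resources:
        for pattern in res["uris"]:
            if pattern == path or (pattern.endswith("/*") and path.startswith(pattern[:-1])):
                return res
    return None

def enforce(rpt: str, method: str, path: str, resources: list = RESOURCE_SET) -> bool:
    """Grant only if the RPT's authorization.permissions claim holds a permission
    for the matched resource that includes the scope required by the method."""
    res = match_resource(path, resources)
    required = METHOD_SCOPES.get(method)
    if res is None or required is None:
        return False  # unknown resource or method: deny by default
    perms = decode_rpt_payload(rpt).get("authorization", {}).get("permissions", [])
    return any(p.get("rsid") == res["_id"] and required in p.get("scopes", [])
               for p in perms)

def make_rpt(payload: dict) -> str:
    """Build a JWT-shaped string (placeholder header and signature) for the samples."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"

# Constructed RPT: a permission on res-123 carrying only the invoice:read scope.
SAMPLE_RPT = make_rpt({"authorization": {"permissions": [
    {"rsid": "res-123", "rsname": "Invoice API", "scopes": ["invoice:read"]}]}})
```

With the sample token, `enforce(SAMPLE_RPT, "GET", "/invoices/42")` is granted while a `POST` to the same path is denied, which is the second-layer scope check the question asks about.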