[KEYCLOAK-11352] - Can't request permissions by name by a non-owner resource service, although the audience is set

services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java

@@ -459,7 +459,7 @@ public class AuthorizationTokenService {
                         requestedResources.add(ownerResource);
                     }
 
-                    if (!identity.isResourceServer()) {
+                    if (!identity.isResourceServer() || !identity.getId().equals(resourceServer.getId())) {
                         List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().findGranted(resourceName, identity.getId(), resourceServer.getId());
                         for (PermissionTicket permissionTicket : tickets) {
                             requestedResources.add(permissionTicket.getResource());

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java

@@ -89,6 +89,7 @@ import org.keycloak.representations.idm.authorization.ScopeRepresentation;
 import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
+import org.keycloak.testsuite.admin.ApiUtil;
 import org.keycloak.testsuite.util.ClientBuilder;
 import org.keycloak.testsuite.util.OAuthClient;
 import org.keycloak.testsuite.util.RealmBuilder;
@@ -1985,6 +1986,58 @@ public class EntitlementAPITest extends AbstractAuthzTest {
         authzClient.authorization().authorize(request);
     }
 
+    @Test
+    public void testPermissionsAcrossResourceServers() throws Exception {
+        String rsAId;
+        try (Response response = getRealm().clients().create(ClientBuilder.create().clientId("rs-a").secret("secret").serviceAccount().authorizationServicesEnabled(true).build())) {
+            rsAId = ApiUtil.getCreatedId(response);
+        }
+        String rsBId;
+        try (Response response = getRealm().clients().create(ClientBuilder.create().clientId("rs-b").secret("secret").serviceAccount().authorizationServicesEnabled(true).build())) {
+            rsBId = ApiUtil.getCreatedId(response);
+        }
+        ClientResource rsB = getRealm().clients().get(rsBId);
+
+        rsB.authorization().resources().create(new ResourceRepresentation("Resource A"));
+
+        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
+
+        grantPolicy.setName("Grant Policy");
+        grantPolicy.setCode("$evaluation.grant();");
+
+        rsB.authorization().policies().js().create(grantPolicy);
+
+        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
+
+        permission.setName("Resource A Permission");
+        permission.addResource("Resource A");
+        permission.addPolicy(grantPolicy.getName());
+
+        rsB.authorization().permissions().resource().create(permission);
+
+        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
+        Configuration config = authzClient.getConfiguration();
+
+        config.setResource("rs-a");
+
+        authzClient = AuthzClient.create(config);
+        AccessTokenResponse accessTokenResponse = authzClient.obtainAccessToken();
+        AccessToken accessToken = toAccessToken(accessTokenResponse.getToken());
+
+        config.setResource("rs-b");
+
+        AuthorizationRequest request = new AuthorizationRequest();
+
+        request.addPermission("Resource A");
+
+        AuthorizationResponse response = authzClient.authorization(accessTokenResponse.getToken()).authorize(request);
+
+        assertNotNull(response.getToken());
+        Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
+        assertEquals(1, permissions.size());
+        assertEquals("Resource A", permissions.iterator().next().getResourceName());
+    }
+
     private void testRptRequestWithResourceName(String configFile) {
         Metadata metadata = new Metadata();