RootVO part of the provided scope is used for discovery, since the endpoint is always registered there and added check for its existance in the prvoider and its format. Also checked that all the mandatory parameters are not null.

src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java

@@ -33,6 +33,17 @@ public class DefaultKeycloakClient implements KeycloakClient {
 
     @Override
     public URL findTokenEndpointURL() throws KeycloakClientException {
+        logger.debug("Checking ScopeProvider's scope presence and format");
+        String originalScope = ScopeProvider.instance.get();
+        if (originalScope == null || !originalScope.startsWith("/") || originalScope.length() < 2) {
+            throw new KeycloakClientException(originalScope == null ? "Scope not found in ScopeProvider"
+                    : "Bad scope name found: " + originalScope);
+        }
+        logger.debug("Assuring use the rootVO to query the endpoint simple query. Actual scope is: {}", originalScope);
+        String rootVOScope = "/" + originalScope.split("/")[1];
+        logger.debug("Setting rootVO scope into provider as: {}", rootVOScope);
+        ScopeProvider.instance.set(rootVOScope);
+
         logger.debug("Creating simple query");
         SimpleQuery query = queryFor(ServiceEndpoint.class);
         query.addCondition(
@@ -46,6 +57,9 @@ public class DefaultKeycloakClient implements KeycloakClient {
         logger.trace("Submitting query: {}", query);
         List<AccessPoint> accessPoints = client.submit(query);
 
+        logger.debug("Restting scope into provider to the original value: {}", originalScope);
+        ScopeProvider.instance.set(originalScope);
+
         if (accessPoints.size() == 0) {
             throw new KeycloakClientException("Service endpoint not found");
         } else if (accessPoints.size() > 1) {
@@ -66,6 +80,7 @@ public class DefaultKeycloakClient implements KeycloakClient {
 
         return queryUMAToken(clientId, clientSecret, ScopeProvider.instance.get(), permissions);
     }
+
     @Override
     public TokenResponse queryUMAToken(String clientId, String clientSecret, String audience,
             List<String> permissions) throws KeycloakClientException {
@@ -86,6 +101,18 @@ public class DefaultKeycloakClient implements KeycloakClient {
     public TokenResponse queryUMAToken(URL tokenURL, String authorization, String audience,
             List<String> permissions) throws KeycloakClientException {
 
+        if (tokenURL == null) {
+            throw new KeycloakClientException("'tokenURL' parameter must be not null");
+        }
+
+        if (authorization == null || "".equals(authorization)) {
+            throw new KeycloakClientException("'authorization' parameter must be not null nor empty");
+        }
+
+        if (audience == null || "".equals(audience)) {
+            throw new KeycloakClientException("'audience' parameter must be not null nor empty");
+        }
+
         logger.debug("Querying token from Keycloak server with URL: {}", tokenURL);
 
         Map<String, List<String>> params = new HashMap<>();