[Apiman-user] Help with ApiMan oAuth2 plugin tutorial

Rafael Soares rafaelcba at gmail.com
Tue Aug 25 21:14:42 EDT 2015


Hi!

I found the problem. It was my mistake :-|

In the Keycloak OAuth Policy Configuration I forgot to set the property
'Forward Realm Roles?' to true...
I created a new version, changed the Policy configuration and now it's
working as expected.

Thanks :-)

________________________
Rafael Torres Coelho Soares

On Tue, Aug 25, 2015 at 6:42 PM, Rafael Soares <rafaelcba at gmail.com> wrote:

> Hello all!
>
> I'm trying to follow the tutorial for the oAuth2 plugin [1] but I had some
> issues.
> The authentication policy worked fine! After adding the second policy
> (Authorization) I get the following response error
>
> HTTP/1.1 500 Internal Server Error
> Connection: keep-alive
> Content-Length: 238
> Content-Type: application/json
> Date: Tue, 25 Aug 2015 21:12:31 GMT
> Server: WildFly/8
> X-Policy-Failure-Code: 10010
> X-Policy-Failure-Message: No roles have been extracted during
> authentication.  Make sure the authorization policy comes *after* a
> compatible authentication policy in your configuration.
> X-Policy-Failure-Type: Other
> X-Powered-By: Undertow/1
>
> {
>     "failureCode": 10010,
>     "headers": {},
>     "message": "No roles have been extracted during authentication.
> Make sure the authorization policy comes *after* a compatible
> authentication policy in your configuration.",
>     "responseCode": 0,
>     "type": "Other"
> }
>
>
> but my JWT access_token appears to be right. I mean, I can see the roles
> in it. See my access_token decoded:
>
> {
>   "preferred_username": "rincewind",
>   "name": "",
>   "resource_access": {
>     "account": {
>       "roles": [
>         "manage-account",
>         "view-profile"
>       ]
>     }
>   },
>   "realm_access": {
>     "roles": [
>       "echomeister"
>     ]
>   },
>   "allowed-origins": [],
>   "client_session": "b25536e6-4331-46fd-afe1-b0adf766b533",
>   "session_state": "213e75e1-bf8b-4f0c-808e-683fb3a4c1de",
>   "jti": "43c59d9a-b659-4708-a1da-968ea23004d7",
>   "exp": 1440536956,
>   "nbf": 0,
>   "iat": 1440536656,
>   "iss": "http://127.0.0.1:8080/auth/realms/stottie",
>   "aud": "apiman",
>   "sub": "de4af322-85b2-4dbe-8d53-6a2ee29e4080",
>   "azp": "apiman"
> }
>
>
> As you can see, the "echomeister" realm role is there...
>
> What does this response message mean?
>
> [1]
> http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html
> ________________________
> Rafael Torres Coelho Soares
>
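To make the failure in this thread concrete, here is an added example (it is not apiman's code and not part of the original messages): a small Python model of the two policies, authentication first, then role-based authorization, run against a token carrying the same realm_access and resource_access claims as the posted access_token. Assumptions, all mine: the token is HS256-signed with a constructed shared secret (Keycloak actually issues RS256 tokens that a gateway verifies against the realm's public key), role forwarding is modelled by two flags, forward_realm_roles and forward_client_roles, and the 500/403 mapping in authorize() mirrors only the error text visible in the thread.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example only; a real Keycloak realm signs with RS256
# and the gateway would verify against the realm's public key instead.
EXAMPLE_SECRET = b"example-only-shared-secret"

# Claims copied from the decoded access_token posted in the thread.
EXAMPLE_CLAIMS = {
    "preferred_username": "rincewind",
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
    "realm_access": {"roles": ["echomeister"]},
    "exp": 1440536956,
    "nbf": 0,
    "iss": "http://127.0.0.1:8080/auth/realms/stottie",
    "aud": "apiman",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT standing in for the Keycloak-issued access_token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: int, expected_aud: str) -> dict:
    """Authentication step: check signature, lifetime and audience before
    trusting any claim. Raises ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm swaps
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token not valid at this time")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this audience")
    return claims


def is_valid(token: str, secret: bytes, now: int, expected_aud: str = "apiman") -> bool:
    try:
        verify_token(token, secret, now, expected_aud)
        return True
    except ValueError:
        return False


def extract_roles(claims: dict, forward_realm_roles: bool,
                  forward_client_roles: bool, client_id: str) -> set:
    """Assumed model of role forwarding (not apiman's own code): realm_access
    roles are copied only when forward_realm_roles is set, and
    resource_access[client_id] roles only when forward_client_roles is set.
    With both off the result is empty no matter what the token contains."""
    roles = set()
    if forward_realm_roles:
        roles.update(claims.get("realm_access", {}).get("roles", []))
    if forward_client_roles:
        roles.update(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


def authorize(roles: set, required_role: str) -> tuple:
    """Authorization step: an empty role set is a configuration error (the
    thread's 500), a present set lacking the role is a plain denial (403)."""
    if not roles:
        return 500, "No roles have been extracted during authentication."
    if required_role in roles:
        return 200, "OK"
    return 403, "user lacks role " + required_role


if __name__ == "__main__":
    token = make_token(EXAMPLE_CLAIMS, EXAMPLE_SECRET)
    claims = verify_token(token, EXAMPLE_SECRET, now=1440536700, expected_aud="apiman")
    for flag in (False, True):
        roles = extract_roles(claims, forward_realm_roles=flag,
                              forward_client_roles=False, client_id="apiman")
        print(f"Forward Realm Roles={flag}: roles={sorted(roles)} ->",
              authorize(roles, "echomeister"))
```

Running it shows the two outcomes side by side: with the realm-roles flag off the authentication step succeeds (the signature, exp and aud all check out) yet hands an empty role set to authorization, which is exactly the 500 in the thread; with the flag on, "echomeister" is forwarded and the request is allowed. The point for a gateway operator is that a valid token and a visible role in it are not enough; the policy chain must be told which claims to turn into roles.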