<div dir="ltr">Hi!<div><br><div>I found the problem. It was my mistake :-|</div></div><div><br></div><div>In the Keycloak OAuth Policy Configuration I forgot to set the property 'Forward Realm Roles?' to true...</div><div>I created a new version, changed the Policy configuration and now it's working as expected.</div><div><br></div><div>Thanks :-) </div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature">________________________<br>Rafael Torres Coelho Soares<br></div></div>
<br><div class="gmail_quote">On Tue, Aug 25, 2015 at 6:42 PM, Rafael Soares <span dir="ltr"><<a href="mailto:rafaelcba@gmail.com" target="_blank">rafaelcba@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello all!<div><br></div><div>I'm trying to follow the tutorial for the oAuth2 plugin [1] but I had some issues.</div><div>The authentication policy worked fine! After adding the second policy (Authorization) I get the following response error</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><font face="monospace, monospace">HTTP/1.1 500 Internal Server Error</font></div></div><div><div><font face="monospace, monospace">Connection: keep-alive</font></div></div><div><div><font face="monospace, monospace">Content-Length: 238</font></div></div><div><div><font face="monospace, monospace">Content-Type: application/json</font></div></div><div><div><font face="monospace, monospace">Date: Tue, 25 Aug 2015 21:12:31 GMT</font></div></div><div><div><font face="monospace, monospace">Server: WildFly/8</font></div></div><div><div><font face="monospace, monospace">X-Policy-Failure-Code: 10010</font></div></div><div><div><font face="monospace, monospace">X-Policy-Failure-Message: No roles have been extracted during authentication. 
Make sure the authorization policy comes *after* a compatible authentication policy in your configuration.</font></div></div><div><div><font face="monospace, monospace">X-Policy-Failure-Type: Other</font></div></div><div><div><font face="monospace, monospace">X-Powered-By: Undertow/1</font></div></div><div><div><font face="monospace, monospace"><br></font></div></div><div><div><font face="monospace, monospace">{</font></div></div><div><div><font face="monospace, monospace"> "failureCode": 10010,</font></div></div><div><div><font face="monospace, monospace"> "headers": {},</font></div></div><div><div><font face="monospace, monospace"> "message": <b>"No roles have been extracted during authentication. Make sure the authorization policy comes *after* a compatible authentication policy in your configuration.</b>",</font></div></div><div><div><font face="monospace, monospace"> "responseCode": 0,</font></div></div><div><div><font face="monospace, monospace"> "type": "Other"</font></div></div><div><div><font face="monospace, monospace">}</font></div></div></blockquote><div><br></div><div>but my JWT access_token appears to be right. I mean, I can see the roles in it. 
See my access_token decoded:</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>{</div></div><div><div> "preferred_username": "rincewind", </div></div><div><div> "name": "", </div></div><div><div> "resource_access": { </div></div><div><div> "account": { </div></div><div><div> "roles": [ </div></div><div><div> "manage-account", </div></div><div><div> "view-profile"</div></div><div><div> ] </div></div><div><div> } </div></div><div><div> }, </div></div><div><div> "<b>realm_access": { </b></div></div><div><div><b> "roles": [ </b></div></div><div><div><b> "echomeister"</b></div></div><div><div><b> ] </b></div></div><div><div><b> }</b>, </div></div><div><div> "allowed-origins": [], </div></div><div><div> "client_session": "b25536e6-4331-46fd-afe1-b0adf766b533", </div></div><div><div> "session_state": "213e75e1-bf8b-4f0c-808e-683fb3a4c1de", </div></div><div><div> "jti": "43c59d9a-b659-4708-a1da-968ea23004d7", </div></div><div><div> "exp": 1440536956, </div></div><div><div> "nbf": 0, </div></div><div><div> "iat": 1440536656, </div></div><div><div> "iss": "<a href="http://127.0.0.1:8080/auth/realms/stottie" target="_blank">http://127.0.0.1:8080/auth/realms/stottie</a>", </div></div><div><div> "aud": "apiman", </div></div><div><div> "sub": "de4af322-85b2-4dbe-8d53-6a2ee29e4080", </div></div><div><div> "azp": "apiman"</div></div><div><div>} </div></div></blockquote><div><br></div><div>As you can see, the "<b>echomeister</b>" realm role is there...</div><div><br></div><div>What does this response message mean?</div><div><br></div><div>[1] <a href="http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html" 
target="_blank">http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html</a><br clear="all"><div><div>________________________<br>Rafael Torres Coelho Soares<br></div></div>
</div></div>
</blockquote></div><br></div></div>
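The thread above shows the failure mode in one sentence: the Keycloak OAuth (authentication) policy validates the token but, with role forwarding switched off, puts no roles into the request context, so the authorization policy that runs after it has nothing to check and fails with code 10010 even though the token itself carries "echomeister" under realm_access. The Python below is an added illustration of that mechanism, not apiman's or Keycloak's own code: the function names, the RULES table, the "forward realm roles" flag and the reuse of the 10010 code are all assumptions made to mirror what the thread describes. The token is built from the decoded claims Rafael posted, re-encoded with alg "none" only so the parser can run offline; a real gateway must verify the signature against the realm's public key and never accept an unsigned token.

```python
import base64
import json
import re
from typing import Optional

# Constructed sample: the claims of the decoded access_token posted in the thread,
# trimmed to the fields this example needs. It is re-encoded below as an *unsigned*
# JWT (alg "none") purely so the parsing path runs offline; a real gateway must
# verify the signature against the realm's public key before trusting any claim.
SAMPLE_CLAIMS = {
    "preferred_username": "rincewind",
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
    "realm_access": {"roles": ["echomeister"]},
    "iss": "http://127.0.0.1:8080/auth/realms/stottie",
    "aud": "apiman",
    "azp": "apiman",
}

# Hypothetical authorization rules: (path regex, HTTP verb or "*", required role).
RULES = [
    (r"^/echo/.*", "GET", "echomeister"),
    (r"^/admin/.*", "*", "admin"),
]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Compact JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a three-segment compact JWS with an empty signature (test fixture only)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS. No signature check is performed here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def extract_roles(claims: dict, forward_realm_roles: bool,
                  client_id: Optional[str] = None) -> set:
    """Mimic role forwarding: realm roles from realm_access, client roles from resource_access."""
    roles = set()
    if forward_realm_roles:
        roles.update(claims.get("realm_access", {}).get("roles", []))
    if client_id:
        roles.update(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


def authentication_policy(token: str, forward_realm_roles: bool,
                          client_id: Optional[str] = None) -> dict:
    """Model of the first policy: validate the token and hand context to later policies."""
    claims = decode_claims(token)
    if claims.get("aud") != "apiman":
        raise PermissionError("token not issued for this gateway client")
    context = {"username": claims.get("preferred_username")}
    if forward_realm_roles or client_id:
        # Only when forwarding is on do roles reach the request context at all.
        context["roles"] = extract_roles(claims, forward_realm_roles, client_id)
    return context


def authorization_policy(context: dict, rules, verb: str, path: str) -> dict:
    """Model of the second policy: consult the context left by authentication."""
    if "roles" not in context:
        # The situation behind the 10010 failure in the thread: authentication ran
        # but forwarded nothing for the authorization policy to evaluate.
        return {"status": 500, "failureCode": 10010,
                "message": "No roles have been extracted during authentication."}
    for pattern, rule_verb, required_role in rules:
        if re.match(pattern, path) and rule_verb in ("*", verb):
            if required_role in context["roles"]:
                return {"status": 200, "message": "allowed"}
            return {"status": 403, "message": f"missing role {required_role!r}"}
    # Assumption of this model: a request that matches no rule is allowed through.
    return {"status": 200, "message": "no rule matched"}


def run(forward_realm_roles: bool, verb: str = "GET", path: str = "/echo/hello") -> dict:
    """Run the two-policy chain over the constructed token."""
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    context = authentication_policy(token, forward_realm_roles)
    return authorization_policy(context, RULES, verb, path)


if __name__ == "__main__":
    print("forwarding off:", run(False))
    print("forwarding on: ", run(True))
    print("admin path:    ", run(True, "GET", "/admin/users"))
```

With forwarding off the chain reproduces the 10010 response regardless of what the token contains; with it on, the same token passes the "/echo" rule because "echomeister" was copied from realm_access into the context, and is refused on "/admin" because no "admin" role exists. The check worth remembering from the thread is therefore not "does the token contain the role?" but "did the authentication policy actually forward it?".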