[keycloak-user] Bearer Only Application access with token

Rodrigo Sasaki rodrigopsasaki at gmail.com
Wed Aug 6 09:58:43 EDT 2014 

Is there any news on this? I tried it on beta-4 on wildfly and I still get
the same response.


On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com>
wrote:

> I made sure of all that, I just recreated everything using realm roles
> just for the sake of completeness, but I'm still getting a 403
>
>
> On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva) <
> vivsriva at cisco.com> wrote:
>
>>  Make sure you have the following settings configured for your database
>> service:
>>
>>
>>
>>
>>
>>  In the web.xml, make sure you have the security setup with the
>> appropriate user role:
>>  <?xml version="1.0" encoding="UTF-8"?>
>> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>>       version="3.0">
>>
>>  <module-name>database</module-name>
>>      <security-constraint>
>>         <web-resource-collection>
>>             <url-pattern>/*</url-pattern>
>>         </web-resource-collection>
>> <!--        <user-data-constraint>
>>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>         </user-data-constraint>  -->
>>         <auth-constraint>
>>             <role-name>user</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>
>>      <login-config>
>>         <auth-method>KEYCLOAK</auth-method>
>>         <realm-name>demo</realm-name>
>>     </login-config>
>>
>>      <security-role>
>>         <role-name>user</role-name>
>>     </security-role>
>> </web-app>
>>
>>
>>
>>   From: Rodrigo Sasaki <rodrigopsasaki at gmail.com>
>> Date: Tuesday, July 29, 2014 at 12:51 PM
>> To: Bill Burke <bburke at redhat.com>
>> Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>> Subject: Re: [keycloak-user] Bearer Only Application access with token
>>
>>   It is defined under the application itself, so I it's under the scope.
>> This should be working right?
>>
>>
>> On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke at redhat.com> wrote:
>>
>>> What kind of role is it?  Is the new role defined under the
>>> "database-service" application?  If not, then you must add this role to
>>> the "database-service"'s scope in the admin console.
>>>
>>> On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
>>> > Hi,
>>> >
>>> > I'm trying to secure a bearer-only application with keycloak, to access
>>> > it with access tokens, but I think I'm missing something.
>>> >
>>> > I tried it with the database-service of the unconfigured demo.
>>> >
>>> > 1. I created the user role in the application.
>>> > 2. I assigned that role to my user
>>> > 3. I copied the contents of the installation json to
>>>  > *webapp/META-INF/keycloak.json*
>>> >
>>> > {
>>> >      "realm": "demo",
>>> >      "realm-public-key":
>>> >
>>> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
>>> >      "bearer-only": true,
>>> >      "ssl-not-required": true,
>>> >      "resource": "database-service",
>>> >      "use-resource-role-mappings": true
>>> > }
>>> >
>>>  > 4. Set the auth-method to *KEYCLOAK* on web.xml
>>> > 5. Started the server deploying the *database-service*
>>> > 6. Generated a token using *security-admin-console* client_id and my
>>> user
>>> > 7. Submitted a GET request to /localhost:8080/database/customers/
>>> >
>>> > After these steps I get a 403 error, saying that I'm not authorized to
>>> > access the resource, wasn't this supposed to work?
>>> >
>>> > --
>>> > Rodrigo Sasaki
>>> >
>>> >
>>>  > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>>  --
>> Rodrigo Sasaki
>>
>
>
>
> --
> Rodrigo Sasaki
>



-- 
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140806/adcb9e8a/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 7FB161C8-9169-498E-BE38-35D4735A9146.png
Type: image/png
Size: 26058 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20140806/adcb9e8a/attachment-0002.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: F53847FE-4703-4AB3-9C06-790DC32B5A75.png
Type: image/png
Size: 15533 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20140806/adcb9e8a/attachment-0003.png

More information about the keycloak-user mailing list