[keycloak-user] Is it possible to use a non Keycloak client to call a Keycloak secured Rest services?

Bill Burke bburke at redhat.com
Tue Jul 15 15:48:28 EDT 2014


Please elaborate on your code to obtain a token.  Your client (not user) 
may not have the scope you need and the token may not be getting set 
with the desired role mappings.

On 7/15/2014 3:15 PM, Christina Lau wrote:
> Hi Bill, further to last comment, i.e. although I can get the token,
> when I use it to call the same Rest service, I am getting 403 instead.
>
> I don’t know if this helps or not, but I have also noticed that the
> console produced different output:
>
> *Using non-keycloak client (Did not work - get 403)*
>
> 15:05:28,228 INFO  [org.keycloak.services.resources.TokenService]
> (default task-1) no authorization header
> 15:05:28,345 INFO  [org.keycloak.audit] (default task-1) event=LOGIN,
> realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=admin-client,
> userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1,
> username=roger at mailinator.com,
> response_type=token, auth_method=oauth_credentials,
> refresh_token_id=3730424f-a718-4be8-a9fc-a090e5932564,
> token_id=dd1bfeaa-54b1-4824-a6fe-d14eb1ae6f97
> 15:05:28,547 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
> task-2) --> authenticate()
> 15:05:28,548 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
> task-2) try bearer
> 15:05:28,566 INFO
>   [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default
> task-2) checking whether to refresh.
> 15:05:28,566 INFO
>   [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default
> task-2) use realm role mappings
> 15:05:28,571 INFO
>   [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default
> task-2) propagate security context to wildfly
> 15:05:28,571 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
> task-2) Bearer AUTHENTICATED
>
>
> *Using keycloak app (similar to customer-cli sample) Work*
>
> 15:06:30,254 INFO  [org.keycloak.services.resources.TokenService]
> (default task-1) createLogin() now...
> 15:06:39,965 INFO  [org.keycloak.audit] (default task-2) event=LOGIN,
> realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak,
> userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1,
> username=roger at mailinator.com,
> response_type=code, redirect_uri=http://localhost:59999,
> auth_method=form, code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946
> 15:06:39,966 INFO
>   [org.keycloak.services.managers.AuthenticationManager] (default
> task-2) createLoginCookie
> 15:06:39,966 INFO
>   [org.keycloak.services.managers.AuthenticationManager] (default
> task-2) createIdentityToken
> 15:06:40,092 INFO  [org.keycloak.services.resources.TokenService]
> (default task-3) no authorization header
> 15:06:40,119 INFO  [org.keycloak.audit] (default task-3)
> event=CODE_TO_TOKEN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7,
> clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783,
> ipAddress=127.0.0.1,
> refresh_token_id=476b2f86-3df4-4cf6-8d51-55aa70264346,
> code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946,
> token_id=be0358ab-2c28-4bdc-a95c-681b63095217
> 15:06:46,567 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
> task-4) --> authenticate()
> 15:06:46,568 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
> task-4) try bearer
> 15:06:46,584 INFO
>   [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default
> task-4) checking whether to refresh.
> 15:06:46,584 INFO
>   [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default
> task-4) use realm role mappings
> 15:06:46,589 INFO
>   [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default
> task-4) propagate security context to wildfly
> 15:06:46,590 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
> task-4) Bearer AUTHENTICATED
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
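
Added example, not part of the original thread or of Keycloak's code: a diagnostic that decodes an access token's payload and reports which required realm roles it lacks, which is the check the reply above points to when a token authenticates but the service returns 403. It assumes Keycloak's `realm_access.roles` claim layout; the role name `user` and both sample tokens are constructed for illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload. Diagnostic only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_roles(claims: dict) -> set:
    # Realm role mappings live under realm_access.roles; the claim is absent
    # (or empty) when the requesting client's scope grants no roles.
    return set((claims.get("realm_access") or {}).get("roles") or [])


def missing_roles(token: str, required: set) -> set:
    """Roles the service requires that the token does not carry."""
    return set(required) - realm_roles(decode_claims(token))


def make_sample(claims: dict) -> str:
    # Builds a constructed token with a placeholder signature segment.
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-sig"


# Constructed samples modelled on the two clients in the thread's logs.
# Hypothetical claim values: neither token is real output from a server.
TOKEN_ADMIN_CLIENT = make_sample({"azp": "admin-client"})
TOKEN_HELLOKEYCLOAK = make_sample(
    {"azp": "hellokeycloak", "realm_access": {"roles": ["user"]}}
)

if __name__ == "__main__":
    required = {"user"}  # hypothetical role required by the REST service
    for name, tok in (("admin-client", TOKEN_ADMIN_CLIENT),
                      ("hellokeycloak", TOKEN_HELLOKEYCLOAK)):
        gap = sorted(missing_roles(tok, required))
        print(f"{name}: missing roles = {gap or 'none'}")
```

A token that passes bearer authentication but shows a non-empty gap here would be rejected at the role check, so the place to look is the client's scope mappings in the realm, not the token request itself.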

