[keycloak-user] 1.0.1 Problems & Questions

Conrad Winchester conrad at mindless.com
Mon Sep 22 04:29:28 EDT 2014


Thanks for this very informative answer.

I will stick with the application being confidential as you have explained that this is more correct.

However, WRT roles. 

I have a realm role defined as ‘user’.
The client has this role as an ‘Effective role’ in the admin screens. Full scope allowed is off, and there are no application roles assigned (nor are they available).
I have the following in my web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>shift</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
and

<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>shift</realm-name>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>
Is this correct? Have I missed something?

BTW, thanks for the help and thanks for Keycloak - it really is awesome!

Conrad

> On 22 Sep 2014, at 09:05, Stian Thorgersen <stian at redhat.com> wrote:
> 
> 
> 
> ----- Original Message -----
>> From: "Conrad Winchester" <conrad at mindless.com>
>> To: keycloak-user at lists.jboss.org
>> Sent: Monday, 22 September, 2014 8:45:11 AM
>> Subject: [keycloak-user] 1.0.1 Problems & Questions
>> 
>> Hi all,
>> 
>> I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some
>> serious issues.
>> 
>> First a question: when will keycloak-core 1.0.1 be available from maven
>> central? I am having to use 1.0-final in my war - is that compatible with
>> the 1.0.1 keycloak war which is running on my server?
> 
> Should have been there by now (it should be synced within 24h of a release), I've contacted the guys in charge to figure out what's going on. In the meantime you could add JBoss Nexus (https://developer.jboss.org/wiki/MavenRepository) and get it from there.
> 
>> 
>> I upgraded by doing a complete wipe of the keycloak database, and
>> reinstalling 1.0.1 over my WildFly configuration. I am able to use the
>> keycloak admin screens flawlessly.
>> 
>> Now onto my problem.
>> 
>> In 1.0.3-beta I used to have an access type bearer-only application which used
>> the rest api to register and login users to keycloak.
>> 
>> After upgrading I have found that even if I set the application to be
>> bearer-only, keycloak still throws an invalid redirect uri error whenever I
>> try to use the rest end points (surely this should not happen with a
>> bearer-only application). In order to fix this I have moved the application
>> over to access type confidential (it is sitting on the same server as
>> keycloak) - are there any pointers to the correct config for this in 1.0.1?
>> Basically my application is the backend to a mobile app that is using
>> keycloak for access control - at the moment I am not allowed to use the
>> keycloak login/register screens so must proxy it through the server. I am
>> now able to register users using this configuration, but would prefer to go
>> back to bearer-only
> 
> Bearer-only applications should not be able to register or login users at all, they should only be able to authenticate using bearer tokens.
> 
>> 
>> I also have a Direct Grant Only client which I use for the mobile application
>> itself. I am able to get an access token by using the
>> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
>> access a resource with that bearer token set in the header I am still
>> getting an unauthorised response.
>> 
>> My applications keycloak.json looks like this
>> 
>> {
>>   "realm" : "shift",
>>   "realm-public-key" : "**",
>>   "auth-server-url" : "http://.../auth",
>>   "ssl-required" : "none",
>>   "resource" : "shift-server",
>>   "credentials" : {
>>     "secret" : "**"
>>   }
>> }
>> 
>> and my client JSON looks like this (although this is not put anywhere in my
>> application war)
>> 
>> {
>>   "realm": "shift",
>>   "realm-public-key": "***",
>>   "auth-server-url": "http://.../auth",
>>   "ssl-required": "none",
>>   "resource": "shift-ios",
>>   "public-client": true
>> }
>> 
>> I can log in with a correct username and password setting the client id to
>> ‘shift-ios’. However when I try to access a protected resource like this
>> 
>> GET /shift/feed HTTP/1.1
>> Host: www…..com
>> Connection: keep-alive
>> Accept: */*
>> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
>> Accept-Language: en-us
>> Authorization: Bearer
>> eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
>> Accept-Encoding: gzip, deflate
>> 
>> where the Bearer header is the access token I get from logging in, then I get
>> a 403 unauthorised response.
> 
> From a 403 it should mean that the application has successfully authenticated the user, but it doesn't have the correct roles.
> 
> Have you checked that the application you used to obtain the login has the required scope, that the user has the required role mappings, and that your bearer-only application is configured to use the correct roles (it can use either the roles associated with the resource or the realm, 'use-resource-role-mappings' configures this and it defaults to false, which means it uses realm roles).
> 
>> 
>> This used to work perfectly in beta 3, but I seem unable to make this work in
>> 1.0(.1) final.
>> 
>> Could this be because I am using 1.0-core instead of 1.0.1-core?
>> 
>> Please help, as this has stopped all work on the product, and I am completely
>> stuck. What's the best way to go about debugging this?
>> 
>> Conrad
>> 
>> 
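The 403-versus-roles point Stian makes above can be checked offline by decoding the access token's claims and applying the same role-source switch the adapter uses. The following is an added example, not code from the thread or from Keycloak; it assumes the token carries Keycloak's realm_access and resource_access claims, uses a constructed unsigned sample token (not a real one), and deliberately skips signature verification because it is a debugging aid, not an authorization check.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    # Inspect the payload only. This does NOT verify the signature (the adapter
    # does that against realm-public-key); use it only to debug a 403.
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def effective_roles(claims: dict, resource: str, use_resource_role_mappings: bool = False) -> set:
    # Mirrors the switch Stian describes: the default (False) reads realm roles,
    # True reads the client-specific roles under resource_access[resource].
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))

def check_constraint(claims: dict, resource: str, required_roles, use_resource_role_mappings: bool = False) -> int:
    # Status an authenticated user gets for a URL guarded by a web.xml
    # auth-constraint: 200 if any required role is granted, else 403.
    granted = effective_roles(claims, resource, use_resource_role_mappings)
    return 200 if granted & set(required_roles) else 403

def make_sample_token(claims: dict) -> str:
    # Builds a constructed, unsigned token for the demo; never use such a token for real.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "signature-placeholder"])

# Constructed claims resembling what the 'shift-ios' client in the thread would
# receive: the realm role 'user' is present, but no client role on 'shift-server'.
SAMPLE_CLAIMS = {
    "iss": "http://keycloak.example/auth/realms/shift",  # placeholder issuer
    "aud": "shift-ios",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"shift-server": {"roles": []}},
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    for flag in (False, True):
        status = check_constraint(claims, "shift-server", ["user"], flag)
        print("use-resource-role-mappings=%s -> HTTP %d" % (flag, status))
```

With the default setting the realm role satisfies the constraint, while enabling use-resource-role-mappings turns the same token into a 403 because 'shift-server' has no client roles.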

