[keycloak-user] 1.0.1 Problems & Questions

Conrad Winchester conrad at mindless.com
Mon Sep 22 06:17:43 EDT 2014


I have now also tried using application roles, but unfortunately that did not change the behaviour at all.

Am I supposed to install the client JSON file anywhere?

Conrad


> On 22 Sep 2014, at 09:29, Conrad Winchester <conrad at mindless.com> wrote:
> 
> Thanks for this very informative answer.
> 
> I will stick with the application being confidential as you have explained that this is more correct.
> 
> However, WRT roles. 
> 
> I have a realm role defined as ‘user’
> The client has this role as an ‘Effective role’ in the admin screens. Full scope allowed is off, and there are no application roles assigned (nor are they available)
> I have the following in my web.xml
> 
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>shift</web-resource-name>
>         <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>user</role-name>
>     </auth-constraint>
> </security-constraint>
> and
> 
> <login-config>
>     <auth-method>KEYCLOAK</auth-method>
>     <realm-name>shift</realm-name>
> </login-config>
> 
> <security-role>
>     <role-name>user</role-name>
> </security-role>
> Is this correct? Have I missed something?
> 
> BTW Thanks for the help and thanks for Keycloak - It really is awesome!
> 
> Conrad
> 
>> On 22 Sep 2014, at 09:05, Stian Thorgersen <stian at redhat.com> wrote:
>> 
>> 
>> 
>> ----- Original Message -----
>>> From: "Conrad Winchester" <conrad at mindless.com>
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Monday, 22 September, 2014 8:45:11 AM
>>> Subject: [keycloak-user] 1.0.1 Problems & Questions
>>> 
>>> Hi all,
>>> 
>>> I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some
>>> serious issues.
>>> 
>>> First a question: when will keycloak-core 1.0.1 be available from maven
>>> central? I am having to use 1.0-final in my war - is that compatible with
>>> 1.0.1 keycloak war - which is running on my server.
>> 
>> Should have been there by now (it should be synced within 24h of a release), I've contacted the guys in charge to figure out what's going on. In the meantime you could add JBoss Nexus (https://developer.jboss.org/wiki/MavenRepository) and get it from there.
>> 
>>> 
>>> I upgraded by doing a complete wipe of the keycloak database, and
>>> reinstalling 1.0.1 over my WildFly configuration. I am able to use the
>>> keycloak admin screens flawlessly.
>>> 
>>> Now onto my problem.
>>> 
>>> In 1.0.3-beta I used to have an access type bearer-only application which used
>>> the rest api to register and login users to keycloak.
>>> 
>>> After upgrading I have found that even if I set the application to be
>>> bearer-only, keycloak still throws an invalid redirect uri error whenever I
>>> try to use the rest end points (surely this should not happen with a
>>> bearer-only application). In order to fix this I have moved the application
>>> over to access type confidential (it is sitting on the same server as
>>> keycloak) - are there any pointers to the correct config for this in 1.0.1?
>>> Basically my application is the backend to a mobile app that is using
>>> keycloak for access control - at the moment I am not allowed to use the
>>> keycloak login/register screens so must proxy it through the server. I am
>>> now able to register users using this configuration, but would prefer to go
>>> back to bearer-only
>> 
>> Bearer-only applications should not be able to register or login users at all, they should only be able to authenticate using bearer tokens.
>> 
>>> 
>>> I also have a Direct Grant Only client which I use for the mobile application
>>> itself. I am able to get an access token by using the
>>> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
>>> access a resource with that bearer token set in the header I am still
>>> getting an unauthorised response.
>>> 
>>> My applications keycloak.json looks like this
>>> 
>>> {
>>>   "realm" : "shift",
>>>   "realm-public-key" : "**",
>>>   "auth-server-url" : "http://.../auth",
>>>   "ssl-required" : "none",
>>>   "resource" : "shift-server",
>>>   "credentials" : {
>>>     "secret" : "**"
>>>   }
>>> }
>>> 
>>> and my client JSON looks like this (although this is not put anywhere in my
>>> application war)
>>> 
>>> {
>>>   "realm": "shift",
>>>   "realm-public-key": "***",
>>>   "auth-server-url": "http://.../auth",
>>>   "ssl-required": "none",
>>>   "resource": "shift-ios",
>>>   "public-client": true
>>> }
>>> 
>>> I can log in with a correct username and password setting the client id to
>>> ‘shift-ios’. However when I try to access a protected resource like this
>>> 
>>> GET /shift/feed HTTP/1.1
>>> Host: www…..com
>>> Connection: keep-alive
>>> Accept: */*
>>> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
>>> Accept-Language: en-us
>>> Authorization: Bearer
>>> eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
>>> Accept-Encoding: gzip, deflate
>>> 
>>> where the Bearer header is the access token I get from logging in, then I get
>>> a 403 unauthorised response.
>> 
>> A 403 should mean that the application has successfully authenticated the user, but it doesn't have the correct roles.
>> 
>> Have you checked that the application you used to obtain the login has the required scope, that the user has the required role mappings, and that your bearer-only application is configured to use the correct roles (it can use either the roles associated with the resource or the realm; 'use-resource-role-mappings' configures this and it defaults to false, which means it uses realm roles)?
>> 
>>> 
>>> This used to work perfectly in beta 3, but I seem unable to make this work in
>>> 1.0(.1) final.
>>> 
>>> Could this be because I am using 1.0-core instead of 1.0.1-core
>>> 
>>> Please help, as this has stopped all work on the product, and I am completely
>>> stuck. What's the best way to go about debugging this?
>>> 
>>> Conrad
>>> 
>>> 
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

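Stian's reply points at three things to check when a bearer token yields a 403: the scope of the client that issued the token, the user's role mappings, and whether the adapter reads realm roles or resource roles ('use-resource-role-mappings'). The script below is an added example, not Keycloak's own code and not from either poster; it decodes a token's payload (signature deliberately not verified, so it is for inspection of a token you already hold, not for enforcing access) and reports which of those three checks is the likely culprit for a given required role. The claim names `realm_access` and `resource_access` are the ones Keycloak access tokens carry; the sample token, the `shift-server` / `shift-ios` client ids and the `user` role are taken from the thread, and the `make_unsigned_token` helper exists only so the example runs offline.

```python
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with an empty signature (demo helper only)."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def roles_seen_by_adapter(claims: dict, resource: str, use_resource_role_mappings: bool) -> set:
    """Mirror the adapter's role source: realm roles by default, client roles when
    use-resource-role-mappings is true."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def diagnose_403(claims: dict, required_role: str, resource: str,
                 use_resource_role_mappings: bool = False) -> tuple:
    """Return (code, hint). code is 'ok', 'mode-mismatch' or 'role-missing'."""
    granted = roles_seen_by_adapter(claims, resource, use_resource_role_mappings)
    if required_role in granted:
        return ("ok", f"'{required_role}' is present in the roles the adapter reads")
    other = roles_seen_by_adapter(claims, resource, not use_resource_role_mappings)
    if required_role in other:
        where = "resource" if not use_resource_role_mappings else "realm"
        return ("mode-mismatch",
                f"'{required_role}' exists only as a {where} role; "
                "flip use-resource-role-mappings or move the role")
    return ("role-missing",
            f"'{required_role}' is not in the token at all: check the user's role "
            "mappings and the issuing client's scope (Full Scope Allowed / scope mappings)")


# Constructed sample: what a token obtained via the 'shift-ios' direct grant might
# carry when the user holds the realm role 'user' but no client roles on 'shift-server'.
SAMPLE_CLAIMS = {
    "iss": "http://localhost/auth/realms/shift",  # constructed issuer
    "sub": "example-user-id",
    "azp": "shift-ios",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"shift-server": {"roles": []}},
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)


def run_checks(token: str = SAMPLE_TOKEN) -> dict:
    claims = decode_claims(token)
    return {
        "realm-mode": diagnose_403(claims, "user", "shift-server", False)[0],
        "resource-mode": diagnose_403(claims, "user", "shift-server", True)[0],
        "missing-role": diagnose_403(claims, "admin", "shift-server", False)[0],
    }


if __name__ == "__main__":
    for name, code in run_checks().items():
        print(f"{name}: {code}")
```

With the sample token the realm-role default passes, switching the adapter to resource roles produces the mode mismatch, and asking for a role the token never carried points back at scope and role mappings, which is the order Stian suggests checking. Paste a real token's payload in place of the sample to see which case your deployment is in.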