[keycloak-user] 1.0.1 Problems & Questions

Stian Thorgersen stian at redhat.com
Mon Sep 22 08:28:02 EDT 2014


How do you obtain the token? It seems you have two different ways to do this 

1) login using KC forms with 'shift-server'
2) login using direct grant with 'shift-ios'

Is this correct? If so, both 'shift-server' and 'shift-ios' have to have a scope on the 'user' realm role. With 'shift-ios', as you're not using any of our adapters, you don't need to install the client json for that anywhere. You obviously do need the json config for 'shift-server' (or use the WildFly subsystem to configure through standalone.xml).

If you have the bearer token available you can check the contents of it with:

  System.out.println(new org.keycloak.jose.jws.JWSInput(token).readContentAsString());

It would be helpful if you could send that to me.
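A small Python check, added here and not part of the reply or of Keycloak itself, that reads a token's content without verifying it (as JWSInput.readContentAsString() does) and then applies the realm-vs-resource role lookup that decides between 200 and 403 in the adapter. The token is constructed inline with a dummy signature segment; the issuer URL is assumed, and the client and role names are the ones from this thread.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed sample access token (not a real Keycloak token): the header and
# payload are real base64url JSON, the third segment is a dummy signature.
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256"}'),
    _b64url(json.dumps({
        "iss": "http://localhost:8080/auth/realms/shift",   # assumed issuer URL
        "sub": "user-id-placeholder",
        "azp": "shift-ios",
        "realm_access": {"roles": ["user"]},
        "resource_access": {"shift-ios": {"roles": []}},
    }).encode("utf-8")),
    "dummy-signature",
])

def read_content(token: str) -> dict:
    """Return the decoded payload of a compact JWS, like
    JWSInput.readContentAsString(). The signature is not checked here,
    so this is only for inspecting what the server issued."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def has_role(token: str, role: str, resource: str,
             use_resource_role_mappings: bool = False) -> bool:
    """Apply the lookup described in the thread: realm roles by default,
    the client's own roles under resource_access when
    use-resource-role-mappings is true. A 403 from the adapter means the
    user authenticated but this lookup came back false."""
    claims = read_content(token)
    if use_resource_role_mappings:
        roles = claims.get("resource_access", {}).get(resource, {}).get("roles", [])
    else:
        roles = claims.get("realm_access", {}).get("roles", [])
    return role in roles

if __name__ == "__main__":
    print(json.dumps(read_content(SAMPLE_TOKEN), indent=2))
    print("has realm role 'user':", has_role(SAMPLE_TOKEN, "user", "shift-server"))
```

With the sample token the realm lookup finds 'user' but the resource lookup does not, which is exactly the mismatch that produces a 403 when use-resource-role-mappings is switched on without matching client roles.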

----- Original Message -----
> From: "Conrad Winchester" <conrad at mindless.com>
> To: "Conrad Winchester" <conrad at mindless.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 12:17:43 PM
> Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
> 
> I have now also tried using application roles, but unfortunately that did not
> change the behaviour at all.
> 
> Am I supposed to install the client JSON file anywhere?
> 
> Conrad
> 
> 
> 
> 
> 
> On 22 Sep 2014, at 09:29, Conrad Winchester <conrad at mindless.com> wrote:
> 
> Thanks for this very informative answer.
> 
> I will stick with the application being confidential as you have explained
> that this is more correct.
> 
> However, WRT roles.
> 
> I have a realm role defined as ‘user’.
> The client has this role as an ‘Effective role’ in the admin screens. Full
> scope allowed is off, and there are no application roles assigned (nor are
> they available).
> I have the following in my web.xml:
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>shift</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>   </auth-constraint>
> </security-constraint>
> 
> and
> 
> <login-config>
>   <auth-method>KEYCLOAK</auth-method>
>   <realm-name>shift</realm-name>
> </login-config>
> 
> <security-role>
>   <role-name>user</role-name>
> </security-role>
> 
> Is this correct? Have I missed something?
> 
> BTW Thanks for the help and thanks for Keycloak - It really is awesome!
> 
> Conrad
> 
> 
> 
> 
> On 22 Sep 2014, at 09:05, Stian Thorgersen <stian at redhat.com> wrote:
> 
> 
> 
> ----- Original Message -----
> 
> 
> From: "Conrad Winchester" <conrad at mindless.com>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 8:45:11 AM
> Subject: [keycloak-user] 1.0.1 Problems & Questions
> 
> Hi all,
> 
> I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some
> serious issues.
> 
> First a question: when will keycloak-core 1.0.1 be available from Maven
> Central? I am having to use 1.0-final in my war - is that compatible with
> the 1.0.1 keycloak war which is running on my server?
> 
> Should have been there by now (it should be synced within 24h of a release),
> I've contacted the guys in charge to figure out what's going on. In the
> meantime you could add JBoss Nexus (
> https://developer.jboss.org/wiki/MavenRepository ) and get it from there.
> 
> 
> 
> 
> I upgraded by doing a complete wipe of the keycloak database, and
> reinstalling 1.0.1 over my WildFly configuration. I am able to use the
> keycloak admin screens flawlessly.
> 
> Now onto my problem.
> 
> In 1.0.3-beta I used to have an access type bearer-only application which used
> the REST API to register and login users to keycloak.
> 
> After upgrading I have found that even if I set the application to be
> bearer-only, keycloak still throws an invalid redirect uri error whenever I
> try to use the REST endpoints (surely this should not happen with a
> bearer-only application). In order to fix this I have moved the application
> over to access type confidential (it is sitting on the same server as
> keycloak) - are there any pointers to the correct config for this in 1.0.1?
> Basically my application is the backend to a mobile app that is using
> keycloak for access control - at the moment I am not allowed to use the
> keycloak login/register screens so must proxy it through the server. I am
> now able to register users using this configuration, but would prefer to go
> back to bearer-only.
> 
> Bearer-only applications should not be able to register or login users at
> all, they should only be able to authenticate using bearer tokens.
> 
> 
> 
> 
> I also have a Direct Grant Only client which I use for the mobile application
> itself. I am able to get an access token by using the
> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
> access a resource with that bearer token set in the header I am still
> getting an unauthorised response.
> 
> My application's keycloak.json looks like this:
> 
> {
>   "realm" : "shift",
>   "realm-public-key" : "**",
>   "auth-server-url" : "http://.../auth",
>   "ssl-required" : "none",
>   "resource" : "shift-server",
>   "credentials" : {
>     "secret" : "**"
>   }
> }
> 
> and my client JSON looks like this (although this is not put anywhere in my
> application war):
> 
> {
>   "realm": "shift",
>   "realm-public-key": "***",
>   "auth-server-url": "http://.../auth",
>   "ssl-required": "none",
>   "resource": "shift-ios",
>   "public-client": true
> }
> 
> I can log in with a correct username and password setting the client id to
> ‘shift-ios’. However when I try to access a protected resource like this:
> 
> GET /shift/feed HTTP/1.1
> Host: www…..com
> Connection: keep-alive
> Accept: */*
> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
> Accept-Language: en-us
> Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
> Accept-Encoding: gzip, deflate
> 
> where the Bearer header is the access token I get from logging in, then I get
> a 403 unauthorised response.
> 
> From a 403 it should mean that the application has successfully authenticated
> the user, but it doesn't have the correct roles.
> 
> Have you checked that the application you used to obtain the login has the
> required scope, that the user has the required role mappings, and that your
> bearer-only application is configured to use the correct roles (it can use
> either the roles associated with the resource or the realm;
> 'use-resource-role-mappings' configures this and it defaults to false, which
> means it uses realm roles).
> 
> 
> 
> 
> This used to work perfectly in beta 3, but I seem unable to make this work in
> 1.0(.1) final.
> 
> Could this be because I am using 1.0-core instead of 1.0.1-core?
> 
> Please help, as this has stopped all work on the product, and I am completely
> stuck. What's the best way to go about debugging this?
> 
> Conrad
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
