[keycloak-user] 1.0.1 Problems & Questions

Conrad Winchester conrad at mindless.com
Mon Sep 22 09:32:12 EDT 2014


Hi Stian

I am logging in using the direct grant REST endpoint with client id as shift-ios

The token I get back looks like this

2014-09-22 14:25:34,795 INFO  [com.shift.service.oauth.KeycloakAuthAdapter] (default task-1) Logged in with access token {"jti":"c78a0ec1-54fe-40c4-a2c7-d8e58129bf22","exp":1411392634,"nbf":0,"iat":1411392334,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","session_state":"cc0559f9-78a2-4951-afac-48bee4fa9a23","allowed-origins":[],"resource_access":{}}

Does that help?

Thanks

Conrad
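A quick check of the roles a token actually carries, added here as an example (not part of Conrad's or Stian's messages, and not Keycloak's own code): it decodes the claims the way the JWSInput one-liner does and then applies the same realm-versus-resource role lookup the adapter's 'use-resource-role-mappings' setting selects. The claims are copied from the token logged above; the JWS header, the "sig" segment and the second token carrying a realm role are constructed for the example.

```python
import base64
import json

# Claims copied from the access token logged in this thread: note there is no
# realm_access claim at all and resource_access is empty.
TOKEN_CLAIMS = {
    "jti": "c78a0ec1-54fe-40c4-a2c7-d8e58129bf22", "exp": 1411392634, "nbf": 0,
    "iat": 1411392334, "iss": "shift", "aud": "shift",
    "sub": "9cff1b29-fb58-4b53-b4ce-ac79eb355843", "azp": "shift-ios",
    "session_state": "cc0559f9-78a2-4951-afac-48bee4fa9a23",
    "allowed-origins": [], "resource_access": {},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_unsigned_token(claims: dict) -> str:
    """Constructed compact JWS for the example: real header shape, fake signature."""
    return ".".join([_b64url(b'{"alg":"RS256"}'), _b64url(json.dumps(claims).encode()), "sig"])

SAMPLE_TOKEN = build_unsigned_token(TOKEN_CLAIMS)

def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS. The signature is NOT verified: this is
    for inspecting a token you already hold, like the JWSInput one-liner."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_roles(claims: dict, resource: str, use_resource_role_mappings: bool = False) -> set:
    """Role set the adapter consults for a web.xml auth-constraint: realm roles
    (claim realm_access) by default, or resource_access[<resource>].roles when
    use-resource-role-mappings is true."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))

def missing_roles(token: str, required, resource: str, use_resource_role_mappings: bool = False) -> set:
    """Roles the auth-constraint needs that the token lacks; empty set means access is allowed."""
    return set(required) - granted_roles(decode_jwt_payload(token), resource, use_resource_role_mappings)

if __name__ == "__main__":
    # The logged token cannot satisfy <role-name>user</role-name>, which matches the 403.
    print(missing_roles(SAMPLE_TOKEN, ["user"], "shift-server"))
```

A token that does carry the realm role would show `realm_access: {"roles": ["user"]}` in the decoded claims and return an empty set here.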

> On 22 Sep 2014, at 13:28, Stian Thorgersen <stian at redhat.com> wrote:
> 
> How do you obtain the token? It seems you have two different ways to do this 
> 
> 1) login using KC forms with 'shift-server'
> 2) login using direct grant with 'shift-ios'
> 
> Is this correct? If so, both 'shift-server' and 'shift-ios' have to have a scope on the 'user' realm role. With 'shift-ios', as you're not using any of our adapters, you don't need to install the client json for that anywhere. You obviously do need the json config for 'shift-server' (or use the WildFly subsystem to configure through standalone.xml).
> 
> If you have the bearer token available you can check the contents of it with:
> 
>  System.out.println(new org.keycloak.jose.jws.JWSInput(token).readContentAsString());
> 
> It would be helpful if you could send that to me.
> 
> ----- Original Message -----
>> From: "Conrad Winchester" <conrad at mindless.com>
>> To: "Conrad Winchester" <conrad at mindless.com>
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Monday, 22 September, 2014 12:17:43 PM
>> Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
>> 
>> I have now also tried using application roles, but unfortunately that did not
>> change the behaviour at all.
>> 
>> Am I supposed to install the client JSON file anywhere?
>> 
>> Conrad
>> 
>> 
>> 
>> 
>> 
>> On 22 Sep 2014, at 09:29, Conrad Winchester < conrad at mindless.com > wrote
>> 
>> Thanks for this very informative answer.
>> 
>> I will stick with the application being confidential as you have explained
>> that this is more correct.
>> 
>> However, WRT roles.
>> 
>> I have a realm role defined as 'user'.
>> The client has this role as an 'Effective role' in the admin screens. Full
>> scope allowed is off, and there are no application roles assigned (nor are
>> they available).
>> I have the following in my web.xml:
>> 
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>shift</web-resource-name>
>>     <url-pattern>/*</url-pattern>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>user</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> and
>> 
>> <login-config>
>>   <auth-method>KEYCLOAK</auth-method>
>>   <realm-name>shift</realm-name>
>> </login-config>
>> 
>> <security-role>
>>   <role-name>user</role-name>
>> </security-role>
>> 
>> Is this correct? Have I missed something?
>> 
>> BTW Thanks for the help and thanks for Keycloak - It really is awesome!
>> 
>> Conrad
>> 
>> 
>> 
>> 
>> On 22 Sep 2014, at 09:05, Stian Thorgersen < stian at redhat.com > wrote:
>> 
>> 
>> 
>> ----- Original Message -----
>> 
>> 
>> From: "Conrad Winchester" < conrad at mindless.com >
>> To: keycloak-user at lists.jboss.org
>> Sent: Monday, 22 September, 2014 8:45:11 AM
>> Subject: [keycloak-user] 1.0.1 Problems & Questions
>> 
>> Hi all,
>> 
>> I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some
>> serious issues.
>> 
>> First a question: when will keycloak-core 1.0.1 be available from Maven
>> Central? I am having to use 1.0-final in my war - is that compatible with the
>> 1.0.1 keycloak war which is running on my server?
>> 
>> Should have been there by now (it should be synced within 24h of a release),
>> I've contacted the guys in charge to figure out what's going on. In the
>> meantime you could add JBoss Nexus (
>> https://developer.jboss.org/wiki/MavenRepository ) and get it from there.
>> 
>> 
>> 
>> 
>> I upgraded by doing a complete wipe of the keycloak database, and
>> reinstalling 1.0.1 over my WildFly configuration. I am able to use the
>> keycloak admin screens flawlessly.
>> 
>> Now onto my problem.
>> 
>> In 1.0.3-beta I used to have an access type bearer-only application which used
>> the rest api to register and login users to keycloak.
>> 
>> After upgrading I have found that even if I set the application to be
>> bearer-only, keycloak still throws an invalid redirect uri error whenever I
>> try to use the rest end points (surely this should not happen with a
>> bearer-only application). In order to fix this I have moved the application
>> over to access type confidential (it is sitting on the same server as
>> keycloak) - are there any pointers to the correct config for this in 1.0.1?
>> Basically my application is the backend to a mobile app that is using
>> keycloak for access control - at the moment I am not allowed to use the
>> keycloak login/register screens so must proxy it through the server. I am
>> now able to register users using this configuration, but would prefer to go
>> back to bearer-only
>> 
>> Bearer-only applications should not be able to register or login users at
>> all, they should only be able to authenticate using bearer tokens.
>> 
>> 
>> 
>> 
>> I also have a Direct Grant Only client which I use for the mobile application
>> itself. I am able to get an access token by using the
>> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
>> access a resource with that bearer token set in the header I am still
>> getting an unauthorised response.
>> 
>> My application's keycloak.json looks like this:
>> 
>> {
>>   "realm": "shift",
>>   "realm-public-key": "**",
>>   "auth-server-url": "http://.../auth",
>>   "ssl-required": "none",
>>   "resource": "shift-server",
>>   "credentials": {
>>     "secret": "**"
>>   }
>> }
>> 
>> and my client JSON looks like this (although this is not put anywhere in my
>> application war):
>> 
>> {
>>   "realm": "shift",
>>   "realm-public-key": "***",
>>   "auth-server-url": "http://.../auth",
>>   "ssl-required": "none",
>>   "resource": "shift-ios",
>>   "public-client": true
>> }
>> 
>> I can log in with a correct username and password setting the client id to
>> 'shift-ios'. However when I try to access a protected resource like this
>> 
>> GET /shift/feed HTTP/1.1
>> Host: www…..com
>> Connection: keep-alive
>> Accept: */*
>> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
>> Accept-Language: en-us
>> Authorization: Bearer
>> eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
>> Accept-Encoding: gzip, deflate
>> 
>> where the Bearer header is the access token I get from logging in, then I get
>> a 403 unauthorised response.
>> 
>> From a 403 it should mean that the application has successfully authenticated
>> the user, but it doesn't have the correct roles.
>> 
>> Have you checked that the application you used to obtain the login has the
>> required scope, that the user has the required role mappings, and that your
>> bearer-only application is configured to use the correct roles (it can use
>> either the roles associated with the resource or the realm;
>> 'use-resource-role-mappings' configures this and it defaults to false, which
>> means it uses realm roles).
>> 
>> 
>> 
>> 
>> This used to work perfectly in beta 3, but I seem unable to make this work in
>> 1.0(.1) final.
>> 
>> Could this be because I am using 1.0-core instead of 1.0.1-core?
>> 
>> Please help, as this has stopped all work on the product, and I am completely
>> stuck. What's the best way to go about debugging this?
>> 
>> Conrad
>> 
>> 
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
