[keycloak-user] 1.0.1 Problems & Questions

Stian Thorgersen stian at redhat.com
Tue Sep 23 02:56:48 EDT 2014



----- Original Message -----
> From: "Conrad Winchester" <conrad at mindless.com>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 7:58:08 PM
> Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
> 
> Hi Stian
> 
> I worked it out.
> 
> I had removed and re-added the user role from the realm after my user had
> registered. It seems that the default role is assigned at registration time
> and so if you change it that change is not reflected in existing users.
> 
> A surprising behaviour, but I can sort of see why that is.

We did it this way as you can do the alternative using a composite role. Basically if you create a composite role 'default-roles' and assign this as a default role, then you can add/remove roles to this and existing users will be updated.

> 
> Conrad
> 
> 
> 
> 
> 
> On 22 Sep 2014, at 18:22, Conrad Winchester < conrad at mindless.com > wrote:
> 
> Hi Stian
> 
> I have made some progress. I have discovered that if I assign the role ‘user’
> to my user account in the ‘role mappings’ section of the keycloak admin
> screens for that user then access to the resources work. The access token
> looks like this
> 
> 2014-09-22 18:13:01,057 INFO [com.shift.service.oauth.KeycloakAuthAdapter]
> (default task-15) Logged in with access token {"name":"shift_141 not
> provided","email":" conrad at chiwestern.com
> ","jti":"997e2a5c-389a-4b57-8a2b-669fcda587f7","exp":1411406281,"nbf":0,"iat":1411405981,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","given_name":"shift_141","family_name":"not
> provided","preferred_username":" conrad at chiwestern.com
> ","email_verified":false,"session_state":"e0ae4a87-18d1-446a-805e-ad9334a1d648","allowed-origins":[],"realm_access":{"roles":["user"]},"resource_access":{}}
> 
> I get roles:[user]
> 
> Isn’t this supposed to happen automatically if the role ‘user’ is the default
> realm role?
> 
> Thanks
> 
> Conrad
> 
> 
> 
> 
> 
> On 22 Sep 2014, at 14:32, Conrad Winchester < conrad at mindless.com > wrote:
> 
> Hi Stian
> 
> I am logging in using the direct grant rest end point with client id as
> shift-ios
> 
> The token I get back looks like this
> 
> 2014-09-22 14:25:34,795 INFO [com.shift.service.oauth.KeycloakAuthAdapter]
> (default task-1) Logged in with access token
> {"jti":"c78a0ec1-54fe-40c4-a2c7-d8e58129bf22","exp":1411392634,"nbf":0,"iat":1411392334,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","session_state":"cc0559f9-78a2-4951-afac-48bee4fa9a23","allowed-origins":[],"resource_access":{}}
> 
> Does that help?
> 
> Thanks
> 
> Conrad
> 
> 
> 
> 
> On 22 Sep 2014, at 13:28, Stian Thorgersen < stian at redhat.com > wrote:
> 
> How do you obtain the token? It seems you have two different ways to do this
> 
> 1) login using KC forms with 'shift-server'
> 2) login using direct grant with 'shift-ios'
> 
> Is this correct? If so both 'shift-server' and 'shift-ios' have to have a
> scope on the 'user' realm role. With 'shift-ios' as you're not using any of
> our adapters you don't need to install the client json for that anywhere.
> You obviously do need the json config for 'shift-server' (or use the WildFly
> subsystem to configure through standalone.xml).
> 
> If you have the bearer token available you can check the contents of it with:
> 
> System.out.println(new org.keycloak.jose.jws.JWSInput(token).readContentAsString());
> 
> It would be helpful if you could send that to me.
> 
> ----- Original Message -----
> 
> 
> From: "Conrad Winchester" < conrad at mindless.com >
> To: "Conrad Winchester" < conrad at mindless.com >
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 12:17:43 PM
> Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
> 
> I have now also tried using application roles, but unfortunately that did not
> change the behaviour at all.
> 
> Am I supposed to install the client JSON file anywhere?
> 
> Conrad
> 
> 
> 
> 
> 
> On 22 Sep 2014, at 09:29, Conrad Winchester < conrad at mindless.com > wrote:
> 
> Thanks for this very informative answer.
> 
> I will stick with the application being confidential as you have explained
> that this is more correct.
> 
> However, WRT roles.
> 
> I have a realm role defined as ‘user’
> The client has this role as an ‘Effective role’ in the admin screens. Full
> scope allowed is off, and there are no application roles assigned (nor are
> they available)
> I have the following in my web.xml
> 
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>shift</web-resource-name>
>         <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>user</role-name>
>     </auth-constraint>
> </security-constraint>
> 
> and
> 
> <login-config>
>     <auth-method>KEYCLOAK</auth-method>
>     <realm-name>shift</realm-name>
> </login-config>
> 
> <security-role>
>     <role-name>user</role-name>
> </security-role>
> 
> Is this correct? Have I missed something?
> 
> BTW Thanks for the help and thanks for Keycloak - It really is awesome!
> 
> Conrad
> 
> 
> 
> 
> On 22 Sep 2014, at 09:05, Stian Thorgersen < stian at redhat.com > wrote:
> 
> 
> 
> ----- Original Message -----
> 
> 
> From: "Conrad Winchester" < conrad at mindless.com >
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 8:45:11 AM
> Subject: [keycloak-user] 1.0.1 Problems & Questions
> 
> Hi all,
> 
> I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some
> serious issues.
> 
> First a question: when will keycloak-core 1.0.1 be available from maven
> central? I am having to use 1.0-final in my war - is that compatible with
> 1.0.1 keycloak war - which is running on my server.
> 
> Should have been there by now (it should be synced within 24h of a release),
> I've contacted the guys in charge to figure out what's going on. In the
> meantime you could add JBoss Nexus (
> https://developer.jboss.org/wiki/MavenRepository ) and get it from there.
> 
> 
> 
> 
> I upgraded by doing a complete wipe of the keycloak database, and
> reinstalling 1.0.1 over my WildFly configuration. I am able to use the
> keycloak admin screens flawlessly.
> 
> Now onto my problem.
> 
> In 1.0.3-beta I used to have an access type bearer-only application which used
> the rest api to register and login users to keycloak.
> 
> After upgrading I have found that even if I set the application to be
> bearer-only, keycloak still throws an invalid redirect uri error whenever I
> try to use the rest end points (surely this should not happen with a
> bearer-only application). In order to fix this I have moved the application
> over to access type confidential (it is sitting on the same server as
> keycloak) - are there any pointers to the correct config for this in 1.0.1?
> Basically my application is the backend to a mobile app that is using
> keycloak for access control - at the moment I am not allowed to use the
> keycloak login/register screens so must proxy it through the server. I am
> now able to register users using this configuration, but would prefer to go
> back to bearer-only
> 
> Bearer-only applications should not be able to register or login users at
> all, they should only be able to authenticate using bearer tokens.
> 
> 
> 
> 
> I also have a Direct Grant Only client which I use for the mobile application
> itself. I am able to get an access token by using the
> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
> access a resource with that bearer token set in the header I am still
> getting an unauthorised response.
> 
> My application's keycloak.json looks like this
> 
> {
>     "realm": "shift",
>     "realm-public-key": "**",
>     "auth-server-url": "http://.../auth",
>     "ssl-required": "none",
>     "resource": "shift-server",
>     "credentials": {
>         "secret": "**"
>     }
> }
> 
> and my client JSON looks like this (although this is not put anywhere in my
> application war)
> 
> {
>     "realm": "shift",
>     "realm-public-key": "***",
>     "auth-server-url": "http://.../auth",
>     "ssl-required": "none",
>     "resource": "shift-ios",
>     "public-client": true
> }
> 
> I can log in with a correct username and password setting the client id to
> ‘shift-ios’. However when I try to access a protected resource like this
> 
> GET /shift/feed HTTP/1.1
> Host: www…..com
> Connection: keep-alive
> Accept: */*
> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
> Accept-Language: en-us
> Authorization: Bearer
> eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
> Accept-Encoding: gzip, deflate
> 
> where the Bearer header is the access token I get from logging in, then I get
> a 403 unauthorised response.
> 
> From a 403 it should mean that the application has successfully authenticated
> the user, but it doesn't have the correct roles.
> 
> Have you checked that the application you used to obtain the login has the
> required scope, that the user has the required role mappings, and that your
> bearer-only application is configured to use the correct roles (it can use
> either the roles associated with the resource or the realm,
> 'use-resource-role-mappings' configures this and it defaults to false, which
> means it uses realm roles).
> 
> 
> 
> 
> This used to work perfectly in beta 3, but I seem unable to make this work in
> 1.0(.1) final.
> 
> Could this be because I am using 1.0-core instead of 1.0.1-core
> 
> Please help, as this has stopped all work on the product, and I am completely
> stuck. What's the best way to go about debugging this?
> 
> Conrad
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
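Added example (my own code, not from the thread or from the Keycloak project): a diagnostic that decodes an access token's claims the way the readContentAsString() call above does and checks whether the roles a web.xml auth-constraint needs are present, honouring the use-resource-role-mappings switch Stian mentions. The two sample tokens are constructed, unsigned stand-ins for the two tokens logged in the thread, and the function names are mine.

```python
import base64
import json


def decode_jwt_payload(token):
    """Decode the payload segment of a compact JWS without verifying the signature.
    Diagnostic only, like JWSInput.readContentAsString(): it shows the claims but
    proves nothing about who issued the token or whether it has been tampered with."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWS strips
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_roles(claims, resource, use_resource_role_mappings=False):
    """Roles the adapter would consult, mirroring the keycloak.json switch discussed
    above: realm roles by default, the client's own roles when the switch is on."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def missing_roles(claims, resource, required, use_resource_role_mappings=False):
    """Roles a web.xml auth-constraint requires that the token does not carry;
    an empty result means the request would pass the role check (no 403)."""
    return set(required) - granted_roles(claims, resource, use_resource_role_mappings)


def _fake_jws(payload):
    """Constructed sample token: real header and payload, placeholder signature,
    so a real adapter would never accept it."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256'})}.{enc(payload)}.sig"


# Modelled on the two log lines in the thread: first without, then with the realm role.
TOKEN_WITHOUT_ROLE = _fake_jws({"iss": "shift", "aud": "shift", "azp": "shift-ios",
                                "resource_access": {}})
TOKEN_WITH_ROLE = _fake_jws({"iss": "shift", "aud": "shift", "azp": "shift-ios",
                             "realm_access": {"roles": ["user"]}, "resource_access": {}})

if __name__ == "__main__":
    for label, tok in (("first token", TOKEN_WITHOUT_ROLE), ("second token", TOKEN_WITH_ROLE)):
        claims = decode_jwt_payload(tok)
        gap = missing_roles(claims, "shift-server", {"user"})
        print(f"{label}: missing roles for /shift/feed -> {sorted(gap) or 'none'}")
```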


