[keycloak-user] [Authorization] Get user roles from token

Pavel Maslov pavel.masloff at gmail.com
Thu Dec 17 04:39:49 EST 2015


Guys, I am repeating my question here. Any ideas on this?

> I added the *org.keycloak.KeycloakPrincipal* definition in order to get the
> token:
>
>
> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) srvl.getUserPrincipal();
> String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
>
> but cannot deploy the project to the Wildfly server:
>
> 10:23:31,250 INFO  [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
> service thread 1-2) Deploying javax.ws.rs.core.Application: class
> si.liis.apitime.service.ApiTimeApplication
> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2)
> MSC000001: Failed to start service
> jboss.undertow.deployment.default-server.default-host./apitime-rest:
> org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
> to start service
> at
> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> [rt.jar:1.7.0_85]
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> [rt.jar:1.7.0_85]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException
> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
> [rt.jar:1.7.0_85]
> at java.lang.Class.privateGetPublicMethods(Class.java:2743)
> [rt.jar:1.7.0_85]
> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
> at
> org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
> at
> org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
> at
> org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
> at
> org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
> at
> org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
> at
> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> at
> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> at
> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
> at
> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> at
> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
> at
> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
> at
> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
> at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
> at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
> at
> org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> at
> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> ... 3 more
>
> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
> (management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed -
> address: ([("deployment" => "apitime-rest.war")]) - failure description:
> {"JBAS014671: Failed services" =>
> {"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
> "org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
> to start service
>     Caused by: java.lang.NoClassDefFoundError:
> com/google/zxing/WriterException"}}
> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1)
> JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back with
> the following failure message:
> {"JBAS014671: Failed services" =>
> {"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
> "org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
> to start service
>     Caused by: java.lang.NoClassDefFoundError:
> com/google/zxing/WriterException"}}
>
>
>
> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
> Any solution?
> Thanks.
>
>
Regards,
Pavel Maslov, MS

On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos at c6.eu> wrote:

> You answered it. I was not familiar with the whole setting list. My
> question was: does something in the UI make the setting change or is it a
> manual setup?
> I think you are saying it is only manual and it is fine.
> It would probably be best for future versions to have all these extra adapter
> settings available from the admin UI, so people have the switch/checkbox or input
> form to make direct application changes to the JSON.
> Moreover since you have a download installation button and a JSON setting
> viewer
>
> On Wednesday, 16 December 2015, Johan Bos <johan.bos at c6.eu> wrote:
>
>> oh when you said:
>>
>> use-resource-role-mappings
>>
>> it is only available through the keycloak.json
>>
>> Nothing from the Keycloak Admin UI allows you to set the options, so have the installation file ready with everything?
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 16/12/2015 16:33, Johan Bos wrote:
>>
>> So it is one or the other.
>> The switch is at realm level or per clients?
>>
>> As I tend to make realm role for securing the clients only and
>> client/resource roles for internal client management, I should be fine
>>
>> Still, it would help to have some merging/mapping so that from the client we don't
>> have to rely so much on the Keycloak implementation to test roles... The issue is
>> that a realm role can have the same name as a client role. But once there is always
>> some pitfall to avoid.
>>
>> Thanks
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 16/12/2015 15:45, Bill Burke wrote:
>>
>> See use-resource-role-mappings switch:
>>
>> If set to true, the getResourceAccess("resource-name") roles will be
>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>> isUserInRole
>>
>> Not the best I know.  We've been meaning to add some sort of role
>> mapping facility to the adapter.
>>
>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>
>> Why is HttpRequest.isUserInRole(<role>) not capable of returning true when
>> the role is present in the AccessToken.getRealmAccess?
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 16/12/2015 15:09, Bill Burke wrote:
>>
>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>
>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>
>> It's not clear to me how you get the assigned roles from the AccessToken.
>> For instance, if the realm has configured the user to have roles "user"
>> and "editor", how do I find these in the AccessToken?
>>
>> Tim
>>
>> On 07/12/2015 02:53, Bill Burke wrote:
>>
>> For Java HttpServletRequest.isUserInRole() works.  If you typecast the
>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>
>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>
>> Hi everyone,
>>
>>
>> Do Keycloak adapters support user authorization? I mean, of course they
>> do :) For example, the API I have secured with Keycloak receives a
>> Keycloak access token from the client. How can I validate the token
>> (check user roles) in my code? I am interested in the Java (wildfly) and
>> Javascript adapters.
>>
>> Manually I am using jwt.io <http://jwt.io> to check the token. I am just
>> curious if the Keycloak adapters support something similar out of the box.
>>
>> Thank you for your answers.
>>
>>
>> Regards,
>> Pavel Maslov, MS
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
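An added example (not part of the thread, and not Keycloak's own code) showing where the roles discussed above sit in the access-token payload and how the use-resource-role-mappings switch changes which set answers isUserInRole. The token, the client name apitime-rest and all helper names are constructed for illustration; the code only decodes the payload, so it assumes the adapter has already verified the token's signature.

```javascript
// Constructed sample claims. realm_access and resource_access are the token
// claims behind AccessToken.getRealmAccess() and getResourceAccess(name).
const sampleClaims = {
  preferred_username: "alice",
  realm_access: { roles: ["user", "editor"] },
  resource_access: { "apitime-rest": { roles: ["editor", "report-admin"] } },
};

// Build a constructed token with a placeholder signature so this runs offline.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleToken =
  [b64url({ alg: "RS256", typ: "JWT" }), b64url(sampleClaims), "sig-placeholder"].join(".");

// Decode the payload only. This does NOT verify the signature:
// use it only on a token the adapter has already validated.
function decodeClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function realmRoles(claims) {
  return (claims.realm_access && claims.realm_access.roles) || [];
}

// A client the user has no roles in is simply absent from resource_access.
function clientRoles(claims, resource) {
  const access = claims.resource_access && claims.resource_access[resource];
  return (access && access.roles) || [];
}

// Hypothetical stand-in for the adapter's isUserInRole, following the switch as
// described in the thread: true -> client roles, false -> realm roles.
function isUserInRole(claims, role, resource, useResourceRoleMappings) {
  const roles = useResourceRoleMappings
    ? clientRoles(claims, resource)
    : realmRoles(claims);
  return roles.includes(role);
}
```

The role name "editor" appears in both sets of the sample, which is the naming overlap raised in the thread: which one isUserInRole sees depends entirely on the switch.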