[keycloak-user] Issue with Bearer only auth

Stian Thorgersen sthorger at redhat.com
Fri Nov 6 09:06:27 EST 2015


So it's working now?

No auth-constraint = no need to authenticate ;)

On 6 November 2015 at 14:06, Tero Ahonen <Tero.Ahonen at cybercom.com> wrote:

> At first I had
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>foobar</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> Then added
>
> <auth-constraint>
>   <role-name>*</role-name>
> </auth-constraint>
>
> And it started working.
>
> So without an auth-constraint all requests are OK, even if the token is not
> present or valid.
>
> Br,
> Tero
>
>
>
>
> On 06 Nov 2015, at 14:59 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>
> Did you put any security constraints on the endpoints?
>
> On 6 November 2015 at 12:36, Tero Ahonen <Tero.Ahonen at cybercom.com> wrote:
>
>> Hi,
>>
>> I have a REST endpoint running on WildFly 9.
>>
>> WildFly and the application are set up to use Keycloak, and requests to the
>> endpoints are intercepted by the Keycloak adapter. But it seems that it is not
>> working. If the auth header is not present, Keycloak just skips authentication
>> and lets all requests through. It doesn't matter whether I use curl or a browser.
>>
>> The WildFly logs say (the last line comes from a servlet filter):
>>
>> 2015-11-06 13:10:23,962 DEBUG
>> [org.keycloak.adapters.PreAuthActionsHandler] (default task-17)
>> adminRequest https://localhost:8443/foobar/endpoint
>> 2015-11-06 13:10:23,969 TRACE
>> [org.keycloak.adapters.RequestAuthenticator] (default task-17) -->
>> authenticate()
>> 2015-11-06 13:10:23,969 TRACE
>> [org.keycloak.adapters.RequestAuthenticator] (default task-17) try bearer
>> 2015-11-06 13:10:23,969 DEBUG
>> [org.keycloak.adapters.RequestAuthenticator] (default task-17)
>> NOT_ATTEMPTED: bearer only
>> 2015-11-06 13:10:23,970 DEBUG
>> [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-17)
>> AuthenticatedActionsValve.invoke https://localhost:8443/foobar/endpoint
>> 2015-11-06 13:10:23,970 INFO  [stdout] (default task-17)
>> GET:/foobar/endpoint
>>
>>
>> If I add an Authorization header like this
>>
>> Authorization: Bearer 123
>>
>> I get HTTP/1.1 401 Unauthorized
>>
>> WWW-Authenticate: Bearer realm="saas-pilot", error="invalid_token",
>> error_description="Couldn't parse token"
>>
>>
>> Is there something that I don't understand?
>>
>> I have tried both the web.xml/keycloak.json and the Keycloak subsystem
>> configuration methods, with the same outcome.
>>
>> Br,
>> Tero
>>
>>
>>
>>
>>
>
>
>
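The root cause in this thread is a servlet security-constraint that only carries a transport-guarantee: without an auth-constraint the container never asks the adapter to authenticate, which is exactly the "NOT_ATTEMPTED: bearer only" trace above. The following audit script is an added example, not code from the thread or from Keycloak; it parses a constructed web.xml (the poster's original constraint beside the fixed one) and flags each constraint as unauthenticated, deny-all, or authenticated according to the servlet spec rules for auth-constraint.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.xml: the first constraint mirrors the original post
# (transport-guarantee only, no auth-constraint); the second is the fixed form.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foobar</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foobar-fixed</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    # Strip the namespace so the audit works whatever web-app schema is declared.
    return tag.rsplit('}', 1)[-1]


def audit_web_xml(xml_text):
    """Return (web-resource-name, url-patterns, verdict) per security-constraint.
    No <auth-constraint> means only the transport guarantee applies, so a bearer-only
    adapter lets token-less requests through; an empty one denies everyone."""
    findings = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        by_tag = {}
        for el in sc.iter():
            by_tag.setdefault(_local(el.tag), []).append(el)
        name = ''.join(e.text or '' for e in by_tag.get('web-resource-name', [])).strip()
        patterns = [(p.text or '').strip() for p in by_tag.get('url-pattern', [])]
        if 'auth-constraint' not in by_tag:
            verdict = 'UNAUTHENTICATED'  # the misconfiguration from the thread
        elif 'role-name' not in by_tag:
            verdict = 'DENY_ALL'
        else:
            verdict = 'AUTHENTICATED'
        findings.append((name, patterns, verdict))
    return findings
```

Run it over a deployment's web.xml before trusting that bearer-only mode protects every path; any UNAUTHENTICATED verdict on an API pattern is the gap described in the thread.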