[keycloak-user] broker saml - forbidden

Bill Burke bburke at redhat.com
Wed Oct 5 09:37:37 EDT 2016


For your application, does the security constraint require a role?  My 
guess is that the token does not have the role required by the security 
constraint in your application.


On 10/5/16 7:48 AM, java at neposoft.com wrote:
> This is happening in OAuthRequestAuthenticator.java
> code snippet:
> ===
>   try {
>       // For COOKIE store we don't have httpSessionId and single sign-out won't be available
>       String httpSessionId = deployment.getTokenStore() == TokenStore.SESSION ?
>               reqAuthenticator.changeHttpSessionId(true) : null;
>       tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code,
>               strippedOauthParametersRequestUri, httpSessionId);
>   } catch (ServerRequest.HttpFailure failure) {
>       log.error("failed to turn code into token");
>       log.error("status from server: " + failure.getStatus());
>       if (failure.getStatus() == 400 && failure.getError() != null) {
>           log.error("   " + failure.getError());
>       }
>       return challenge(403, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
>
> ===
>
>> Furthermore:
>> I am seeing in keycloak logs:
>> 07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token
>> 07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) status from server: 403
>>
>> This is happening after the handshake done with Idp and returned back to
>> keycloak oidc.
>>
>> Does anyone have any tips?
>> Appreciate it.
>>
>>
>>> Hi
>>> I'm implementing a solution as shown in saml-broker-authentication, trying
>>> to protect a war (spring-rest).
>>> All configured fine, Keycloak-saml-idp returns fine, I am getting an OIDC
>>> token back from Keycloak, but when it returns back to the URL I
>>> initially hit, I get forbidden.
>>> Has anyone gone through this pain? Any tips? Thank you.
>>> John
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

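One way to verify the diagnosis in the reply above without guessing: pull the role names out of the war's web.xml security constraints and compare them with the roles actually carried in the access token. This is an added example, not code from this thread or from the Keycloak adapter. It assumes the adapter's documented role lookup (realm_access.roles by default; resource_access.<client-id>.roles when keycloak.json sets use-resource-role-mappings to true); the web.xml, the token claims and the client id "spring-rest" below are constructed for the demonstration, and the token is built with alg "none" purely so it can be decoded offline. The function only decodes claims; it does not verify the signature, so it is a diagnostic aid, not an authorization check.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: one constraint protecting /api/* with the "admin" role.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

# Constructed claims resembling a brokered user's token: only default realm
# roles plus a client-level "user" role, i.e. no "admin" anywhere.
SAMPLE_CLAIMS = {
    "iss": "http://localhost:8080/auth/realms/demo",  # assumed issuer
    "azp": "spring-rest",                            # assumed client id
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"spring-rest": {"roles": ["user"]}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none compact JWS for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_payload(token: str) -> dict:
    """Decode the claims segment. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_roles(claims: dict, client_id: str, use_resource_role_mappings: bool) -> set:
    """Roles the Keycloak adapter would consult for the given keycloak.json setting."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def required_roles(web_xml: str) -> dict:
    """Map each url-pattern to the role names its <security-constraint> demands."""
    root = ET.fromstring(web_xml)

    def local(tag: str) -> str:  # drop the javaee namespace
        return tag.rsplit("}", 1)[-1]

    out = {}
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter() if local(e.tag) == "url-pattern"]
        roles = {e.text.strip() for e in sc.iter() if local(e.tag) == "role-name"}
        for p in patterns:
            out.setdefault(p, set()).update(roles)
    return out


def missing_roles(token: str, required, client_id: str, use_resource_role_mappings=False) -> list:
    """Required roles the token does not grant under the chosen mapping mode."""
    granted = token_roles(jwt_payload(token), client_id, use_resource_role_mappings)
    return sorted(set(required) - granted)


def check_token(web_xml: str, token: str, client_id: str, use_resource_role_mappings=False) -> dict:
    """Per url-pattern, the roles the constraint needs but the token lacks (empty list = OK)."""
    return {
        pattern: missing_roles(token, roles, client_id, use_resource_role_mappings)
        for pattern, roles in required_roles(web_xml).items()
    }


if __name__ == "__main__":
    tok = make_unsigned_token(SAMPLE_CLAIMS)
    print("realm roles   :", check_token(SAMPLE_WEB_XML, tok, "spring-rest", False))
    print("resource roles:", check_token(SAMPLE_WEB_XML, tok, "spring-rest", True))
```

Run it against a real token by pasting the access token from the adapter's debug log or from the Keycloak account console into `check_token`; a non-empty list for the pattern you are hitting is the 403 Bill describes. If the role is a client role, remember the adapter only sees it with use-resource-role-mappings enabled (or a mapper that copies it into realm_access).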