[keycloak-user] broker saml - forbidden

java at neposoft.com java at neposoft.com
Wed Oct 5 15:01:51 EDT 2016


Yes, auth-constraint/role-name in web.xml.
I've tried creating Roles (same name as the app) at Realm level, as well as
at 'client' level - no change, same error.
Any more clues - appreciate it.


> For your application, does the security constraint require a role?  My
> guess is that the token does not have the role required by the security
> constraint in your application.
>
>
> On 10/5/16 7:48 AM, java at neposoft.com wrote:
>> This is happening in OAuthRequestAuthenticator.java
>> code snippet:
>> ===
>>     try {
>>         // For COOKIE store we don't have httpSessionId and single sign-out won't be available
>>         String httpSessionId = deployment.getTokenStore() == TokenStore.SESSION ? reqAuthenticator.changeHttpSessionId(true) : null;
>>         tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code, strippedOauthParametersRequestUri, httpSessionId);
>>     } catch (ServerRequest.HttpFailure failure) {
>>         log.error("failed to turn code into token");
>>         log.error("status from server: " + failure.getStatus());
>>         if (failure.getStatus() == 400 && failure.getError() != null) {
>>             log.error("   " + failure.getError());
>>         }
>>         return challenge(403, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
>>     }
>> ===
>>
>>> Furthermore:
>>> I am seeing in keycloak logs:
>>> 07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token
>>> 07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) status from server: 403
>>>
>>> This is happening after the handshake is done with the IdP and control is
>>> returned back to Keycloak OIDC.
>>>
>>> Anyone have any tips?
>>> Appreciate it.
>>>
>>>
>>>> Hi
>>>> I'm implementing a solution as shown in saml-broker-authentication, trying
>>>> to protect a war (spring-rest).
>>>> All configured fine, Keycloak-saml-idp returns fine, am getting an OIDC
>>>> token back from Keycloak, but when it returns back to the URL I initially
>>>> hit, I get forbidden.
>>>> Anyone gone through this pain - any tips? Thank you.
>>>> John
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
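The reply above points at the roles carried in the token. The following diagnostic is an added example, not code from this thread or from Keycloak: it decodes an access token's payload and shows which roles claim the Keycloak adapter compares against a web.xml role-name, realm_access.roles by default or resource_access.<client>.roles when use-resource-role-mappings is true in keycloak.json. The token, the client id spring-rest and the role names are constructed sample values.

```python
import base64
import json

def decode_jwt_payload(token: str) -> dict:
    """Claims of a compact JWT, signature NOT checked: inspect your own token only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def roles_seen_by_adapter(claims: dict, client_id: str, use_resource_role_mappings: bool) -> set:
    """Roles the adapter compares against web.xml <role-name>: realm_access.roles by
    default, resource_access.<client>.roles when use-resource-role-mappings is true."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))

def diagnose(token: str, client_id: str, required_role: str,
             use_resource_role_mappings: bool = False) -> dict:
    """Say whether the adapter would grant required_role for this token, and if not, why."""
    claims = decode_jwt_payload(token)
    realm_roles = roles_seen_by_adapter(claims, client_id, False)
    client_roles = roles_seen_by_adapter(claims, client_id, True)
    granted = required_role in roles_seen_by_adapter(claims, client_id, use_resource_role_mappings)
    if granted:
        hint = "ok"
    elif required_role in client_roles and not use_resource_role_mappings:
        hint = "role mapped only at client level: set use-resource-role-mappings=true or map a realm role"
    elif required_role in realm_roles and use_resource_role_mappings:
        hint = "role mapped only at realm level: set use-resource-role-mappings=false or map a client role"
    else:
        hint = "role absent from token: check the user's role mappings and the broker's mappers"
    return {"granted": granted, "realm_roles": sorted(realm_roles),
            "client_roles": sorted(client_roles), "hint": hint}

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing (signature part is a placeholder)."""
    def b64(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.signature-omitted"

if __name__ == "__main__":
    # Constructed claims: "spring-rest" exists only as a client role, so the default
    # (realm) lookup denies it and the hint points at use-resource-role-mappings.
    sample = make_sample_token({"realm_access": {"roles": ["user"]},
                                "resource_access": {"spring-rest": {"roles": ["spring-rest"]}}})
    print(diagnose(sample, "spring-rest", "spring-rest"))
```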
