[keycloak-user] AccessToken authorization is always null using Jetty adapter

Gabriel Trisca gtrisca at cignifi.com
Fri Mar 24 19:22:10 EDT 2017


Hello,

I'm attempting to set up resource permission enforcement on a simple
Dropwizard application (Jersey->Jetty).

I believe the PolicyEnforcer is set up correctly, because I see debugging
info along these lines:

DEBUG  [19:04:23.574] [dw-41] o.k.a.PreAuthActionsHandler -  adminRequest http://localhost:9090/v1/XXXX
DEBUG  [19:04:23.601] [dw-41] o.k.a.j.c.JettyRequestAuthenticator -  Completing bearer authentication. Bearer roles: [uma_authorization]
DEBUG  [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator -  User 'c9e8208e-56f5-42e0-9efb-f8d05600f5de' invoking 'http://localhost:9090/v1/XXXX' on client 'XXXX-api'
DEBUG  [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator -  Bearer AUTHENTICATED
DEBUG  [19:04:27.781] [dw-41] o.k.a.AuthenticatedActionsHandler -  AuthenticatedActionsValve.invoke http://localhost:9090/v1/XXXX
DEBUG  [19:04:30.341] [dw-41] o.k.a.a.PolicyEnforcer -  Policy enforcement is enable. Enforcing policy decisions for path [http://localhost:9090/v1/XXXX].
DEBUG  [19:05:22.741] [dw-41] o.k.a.a.AbstractPolicyEnforcer -  Checking permissions for path [http://localhost:9090/v1/XXXX] with config [PathConfig{name='XXXX Resources', type='uma:XXXXXX', path='/v1/XXXX/*', scopes=[], id='43bd3cdf-c15b-487a-a259-79e8de00d764', enforcerMode='ENFORCING'}].
DEBUG  [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer -  Policy enforcement result for path [http://localhost:9090/v1/XXXX] is : DENIED
DEBUG  [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer -  Returning authorization context with permissions:
127.0.0.1 - c9e8208e-56f5-42e0-9efb-f8d05600f5de [24/Mar/2017:23:11:56 +0000] "GET /v1/XXXX HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" 453164


Specifically, the error occurs when Keycloak attempts to retrieve an
"Authorization" object from the AccessToken. This authorization object is
always null and the permissions cannot be loaded.

Without permissions, the request is marked as Unauthorized.

Is there something that I'm missing here? As far as I know everything is
configured correctly: I can evaluate policies on the Keycloak admin
console, and the client is set up as access type "confidential". I can see
the resource definitions from Keycloak being loaded when the app launches.

Any help greatly appreciated.

-- 
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
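A diagnostic added here (not part of the original post or of Keycloak's own code) that decodes a bearer token and reports whether it carries the "authorization" claim the policy enforcer reads permissions from. The two tokens are constructed, unsigned samples; the resource id, resource name, client name and role are taken from the log above, and the claim layout assumes the permissions format Keycloak uses in its RPTs (rsid, rsname, scopes).

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip off."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: this is
    a local diagnostic for inspecting a token, not a validation step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def rpt_permissions(token: str) -> list:
    """Return the permissions a token grants as (resource_id, sorted scopes)
    tuples. An empty list means there is no usable 'authorization' claim,
    which is the state behind 'Authorization object is always null'."""
    auth = decode_jwt_payload(token).get("authorization")
    if not auth or not auth.get("permissions"):
        return []
    return [(p.get("rsid"), sorted(p.get("scopes") or [])) for p in auth["permissions"]]


def _make_token(claims: dict) -> str:
    """Build an unsigned JWT for the demo (constructed sample, not a real Keycloak token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: a plain access token like the one in the log (realm role
# 'uma_authorization' only, no RPT claim) and an RPT for the same resource.
USER = "c9e8208e-56f5-42e0-9efb-f8d05600f5de"
PLAIN_ACCESS_TOKEN = _make_token({
    "sub": USER, "azp": "XXXX-api",
    "realm_access": {"roles": ["uma_authorization"]},
})
RPT = _make_token({
    "sub": USER, "azp": "XXXX-api",
    "authorization": {"permissions": [
        {"rsid": "43bd3cdf-c15b-487a-a259-79e8de00d764", "rsname": "XXXX Resources"}
    ]},
})

if __name__ == "__main__":
    for name, tok in (("plain access token", PLAIN_ACCESS_TOKEN), ("RPT", RPT)):
        print(f"{name}: permissions = {rpt_permissions(tok)}")
```

Run it against the real bearer token the client sends: an empty result means the enforcer has nothing to load, and the request is denied exactly as in the log.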

