[keycloak-user] AccessToken authorization is always null using Jetty adapter

Gabriel Trisca gtrisca at cignifi.com
Tue Mar 28 13:00:24 EDT 2017 

Hi Pedro,

It seems like this problem was due to a misunderstanding on how the
bearer-only configuration works. It never goes to the server to request
additional Authorizations, so anything that is not in the access token is
automatically marked as DENIED.

Setting bearer-only to false made the authorization work by using
either KeycloakAdapterPolicyEnforcer
or BearerTokenPolicyEnforcer.

Thanks!

On Mon, Mar 27, 2017 at 10:01 AM, Pedro Igor Silva <psilva at redhat.com>
wrote:

> Hey Gabriel, thanks for looking this.
>
> The configuration happens on org.keycloak.adapters.autho
> rization.PolicyEnforcer.
>
> Regards.
> Pedro Igor
>
> On Mon, Mar 27, 2017 at 9:43 AM, Gabriel Trisca <gtrisca at cignifi.com>
> wrote:
>
>> Hi Pedro,
>>
>> I have the whole Keycloak project locally (about to create a pull request
>> on a different bug). Can you point me towards where the Authz configuration
>> happens? I could take a look.
>>
>> On Mon, Mar 27, 2017 at 8:00 AM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi Gabriel,
>>>
>>> I need to check this out. It has been a while from last time I checked
>>> AuthZ with Jetty.
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Fri, Mar 24, 2017 at 8:22 PM, Gabriel Trisca <gtrisca at cignifi.com>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm attempting to set up resource permission enforcement on a simple
>>>> Dropwizard application (Jersey->Jetty).
>>>>
>>>> I believe the PolicyEnforcer is set up correctly, because I see
>>>> debugging
>>>> info along these lines:
>>>>
>>>> DEBUG  [19:04:23.574] [dw-41] o.k.a.PreAuthActionsHandler -
>>>> adminRequest
>>>> http://localhost:9090/v1/XXXX
>>>> DEBUG  [19:04:23.601] [dw-41] o.k.a.j.c.JettyRequestAuthenticator -
>>>>  Completing bearer authentication. Bearer roles: [uma_authorization]
>>>> DEBUG  [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator -  User
>>>> 'c9e8208e-56f5-42e0-9efb-f8d05600f5de' invoking '
>>>> http://localhost:9090/v1/XXXX' on client 'XXXX-api'
>>>> DEBUG  [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator -  Bearer
>>>> AUTHENTICATED
>>>> DEBUG  [19:04:27.781] [dw-41] o.k.a.AuthenticatedActionsHandler -
>>>>  AuthenticatedActionsValve.invoke http://localhost:9090/v1/XXXX
>>>> DEBUG  [19:04:30.341] [dw-41] o.k.a.a.PolicyEnforcer -  Policy
>>>> enforcement
>>>> is enable. Enforcing policy decisions for path [
>>>> http://localhost:9090/v1/XXXX].
>>>> DEBUG  [19:05:22.741] [dw-41] o.k.a.a.AbstractPolicyEnforcer -  Checking
>>>> permissions for path [http://localhost:9090/v1/XXXX] with config
>>>> [PathConfig{name='XXXX Resources', type='uma:XXXXXX', path='/v1/XXXX/*',
>>>> scopes=[], id='43bd3cdf-c15b-487a-a259-79e8de00d764',
>>>> enforcerMode='ENFORCING'}].
>>>> DEBUG  [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer -  Policy
>>>> enforcement
>>>> result for path [http://localhost:9090/v1/XXXX] is : DENIED
>>>> DEBUG  [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer -  Returning
>>>> authorization context with permissions:
>>>> 127.0.0.1 - c9e8208e-56f5-42e0-9efb-f8d05600f5de [24/Mar/2017:23:11:56
>>>> +0000] "GET /v1/XXXX HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux
>>>> x86_64)
>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87
>>>> Safari/537.36"
>>>> 453164
>>>>
>>>>
>>>> Specifically, the error occurs when Keycloak attempts to retrieve an
>>>> "Authorization" object from the AccessToken. This authorization object
>>>> is
>>>> always null and the permissions cannot be loaded.
>>>>
>>>> Without permissions, the request is marked as Unauthorized.
>>>>
>>>> Is there something that I'm missing here? As far as I know everything is
>>>> configured correctly, I can evaluate policies on the Keycloak admin
>>>> console, and the client is set up as access type "confidential". I can
>>>> see
>>>> the resource definitions from Keycloak being loaded when the app
>>>> launches.
>>>>
>>>> Any help greatly appreciated.
>>>>
>>>> --
>>>> *Gabriel Trisca, Software Developer*
>>>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>>
>> --
>> *Gabriel Trisca, Software Developer*
>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
>>
>
>


-- 
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA

More information about the keycloak-user mailing list