[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
keycloak demo
testoauth55 at gmail.com
Thu Aug 9 04:56:32 EDT 2018
With all the configuration (shared below), when I test using the evaluate
option under the authorization tab, the result is permit:
But when I make a request to this resource through Postman, I get 403.
Which part of the configuration is wrong, leading to the 403 error?
CONFIGURATION:
Detailed configuration with images shown here:
https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
1. Following https://www.keycloak.org/docs/4.2/authorization_services/ , I created a
realm role: role_special_user, and created a user: user_special, with
this role and the role user.
2. Next, my resource server / client has full scope enabled:
3. Under the authorization tab, I created a resource with the role-based
policy.
4. Now, keycloak.json is:

    {
      "realm": "demo12",
      "auth-server-url": "http://localhost:8180/auth",
      "ssl-required": "none",
      "resource": "server12",
      "credentials": {
        "secret": "XXXXXXX"
      },
      "confidential-port": 0,
      "policy-enforcer": {}
    }
5. And the Keycloak Jetty adapter configuration is:

    import java.io.InputStream;
    import com.fasterxml.jackson.annotation.JsonInclude;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import org.eclipse.jetty.security.ConstraintMapping;
    import org.eclipse.jetty.security.ConstraintSecurityHandler;
    import org.eclipse.jetty.util.security.Constraint;
    import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
    import org.keycloak.representations.adapters.config.AdapterConfig;
    import org.keycloak.util.SystemPropertiesJsonParserFactory;

    // Constants.KC_CONFIG_JSON_PATH and `context` (the Jetty ServletContextHandler)
    // belong to the poster's application and are not shown in the post.
    final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
    InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);

    // Parse keycloak.json into an AdapterConfig, expanding ${system.property} placeholders.
    ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
    mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
    AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);

    // The posted line read "KeycloakJettyAuthenticator kcAuthenticator = KeyCloakConfig;",
    // which does not compile (it names a type, not a value). It is assumed here that the
    // authenticator is created and handed the parsed config via setAdapterConfig.
    KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
    kcAuthenticator.setAdapterConfig(keyCloakConfig);
    if (kcAuthenticator != null) {
        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
        ConstraintMapping constraintMapping = new ConstraintMapping();
        constraintMapping.setPathSpec("/*");
        Constraint constraint = new Constraint();
        constraint.setAuthenticate(true);
        // "**" is Jetty's wildcard for "any authenticated user"; fine-grained checks are left to the policy enforcer
        constraint.setRoles(new String[]{"**"});
        constraintMapping.setConstraint(constraint);
        securityHandler.addConstraintMapping(constraintMapping);
        securityHandler.setAuthenticator(kcAuthenticator);
        context.setSecurityHandler(securityHandler);
    }
6. Also, the decoded JWT token sample is:

    {
      "jti": "XXXXXXX",
      "exp": 1533798704,
      "nbf": 0,
      "iat": 1533798404,
      "iss": "http://localhost:8180/auth/realms/demo12",
      "aud": "server12",
      "sub": "XXXXXXX",
      "typ": "Bearer",
      "azp": "server12",
      "auth_time": 1533798404,
      "session_state": "XXXXXX",
      "acr": "1",
      "allowed-origins": [],
      "realm_access": {
        "roles": [
          "role_special_user",
          "offline_access",
          "uma_authorization",
          "user"
        ]
      },
      "resource_access": {
        "server12": {
          "roles": [
            "uma_protection"
          ]
        },
        "account": {
          "roles": [
            "manage-account",
            "manage-account-links",
            "view-profile"
          ]
        }
      },
      "scope": "openid email profile",
      "email_verified": false,
      "preferred_username": "user_special"
    }
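An added diagnostic, not code from the post: a Python check of the posted token claims against the posted keycloak.json for the things a real bearer-token request depends on but the admin console's evaluate tool does not exercise (issuer, audience/azp, expiry, and the realm role the policy requires). The config and claims below are the post's values with the secret and opaque identifiers omitted; role_special_user is assumed to be the role the role-based policy requires.

```python
import json

# Constructed sample inputs: the keycloak.json and the decoded access-token
# claims from the post above (secret and opaque identifiers omitted).
KEYCLOAK_JSON = """{
  "realm": "demo12",
  "auth-server-url": "http://localhost:8180/auth",
  "resource": "server12",
  "policy-enforcer": {}
}"""
TOKEN_CLAIMS = {
    "exp": 1533798704,
    "iss": "http://localhost:8180/auth/realms/demo12",
    "aud": "server12",
    "azp": "server12",
    "realm_access": {"roles": ["role_special_user", "offline_access",
                               "uma_authorization", "user"]},
    "resource_access": {"server12": {"roles": ["uma_protection"]}},
}


def check_token_against_adapter(adapter_cfg, claims, required_realm_role, now):
    """Return the mismatches between a decoded token and keycloak.json.

    Empty list: issuer, audience/authorized party, expiry (at unix time `now`)
    and the realm role the policy requires all line up. The evaluate tool does
    not exercise these, since it builds the identity from the selected user.
    """
    problems = []
    expected_iss = adapter_cfg["auth-server-url"].rstrip("/") + "/realms/" + adapter_cfg["realm"]
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer {claims.get('iss')!r} != expected {expected_iss!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    resource = adapter_cfg["resource"]
    if resource not in aud and claims.get("azp") != resource:
        problems.append(f"token not issued for client {resource!r} (aud={aud}, azp={claims.get('azp')!r})")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    realm_roles = claims.get("realm_access", {}).get("roles", [])
    if required_realm_role not in realm_roles:
        problems.append(f"realm role {required_realm_role!r} missing from {realm_roles}")
    return problems


def check_post_sample(now=1533798500):
    """Check the posted sample; the default `now` is inside its validity window."""
    return check_token_against_adapter(json.loads(KEYCLOAK_JSON), TOKEN_CLAIMS, "role_special_user", now)
```

For the posted values the check returns no mismatches, which narrows the 403 to the resource and policy definitions on the server rather than to the token itself.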