[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

keycloak demo testoauth55 at gmail.com
Thu Aug 9 04:56:32 EDT 2018


With all the configuration (shared below), when I test using the evaluate
option under the authorization tab, the result is permit:

But when I make a request to this resource through Postman, I get 403.

Which part of the configuration is wrong and leading to the 403 error?

CONFIGURATION:


Detailed configuration with images shown here:

https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api

1. Following https://www.keycloak.org/docs/4.2/authorization_services/ , I created a
realm role: role_special_user and created a user: user_special with
this role and the role user.

2. Next, my resource server / client is with full scope enabled.

3. Under the authorization tab, I created a resource with a role-based
policy.

4. Now, keycloak.json is:

{
  "realm": "demo12",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "none",
  "resource": "server12",
  "credentials": {
    "secret": "XXXXXXX"
  },
  "confidential-port": 0,
  "policy-enforcer": {}
}

5. And the Keycloak Jetty adapter configuration is:

import java.io.InputStream;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.util.security.Constraint;
import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.util.SystemPropertiesJsonParserFactory;

// load keycloak.json from the classpath
final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);

// parse keycloak.json into the adapter configuration (system properties are expanded)
ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);

// The original post had "KeycloakJettyAuthenticator kcAuthenticator = KeyCloakConfig;",
// which is garbled; the authenticator is assumed to be created and fed the parsed config.
KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
kcAuthenticator.setAdapterConfig(keyCloakConfig);

if (kcAuthenticator != null) {
    // require an authenticated user ("**" = any role) on every path
    ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
    ConstraintMapping constraintMapping = new ConstraintMapping();
    constraintMapping.setPathSpec("/*");
    Constraint constraint = new Constraint();
    constraint.setAuthenticate(true);
    constraint.setRoles(new String[]{"**"});
    constraintMapping.setConstraint(constraint);
    securityHandler.addConstraintMapping(constraintMapping);
    securityHandler.setAuthenticator(kcAuthenticator);
    context.setSecurityHandler(securityHandler);
}

6. Also, the decoded JWT token sample is:

{
  "jti": "XXXXXXX",
  "exp": 1533798704,
  "nbf": 0,
  "iat": 1533798404,
  "iss": "http://localhost:8180/auth/realms/demo12",
  "aud": "server12",
  "sub": "XXXXXXX",
  "typ": "Bearer",
  "azp": "server12",
  "auth_time": 1533798404,
  "session_state": "XXXXXX",
  "acr": "1",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "role_special_user",
      "offline_access",
      "uma_authorization",
      "user"
    ]
  },
  "resource_access": {
    "server12": {
      "roles": [
        "uma_protection"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "preferred_username": "user_special"
}

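As an added diagnostic example (not code from the post or from Keycloak), the script below decodes the payload of a bearer token like the one shown in step 6 and reports what the Keycloak policy enforcer can see in it: whether the realm role the policy requires is present, whether the token's audience matches the client, and whether the token already carries granted permissions in an "authorization.permissions" claim (the form a requesting-party token, RPT, has). The two sample tokens are constructed inline with placeholder signatures and mirror the claims from the post; the resource name "special-resource" in the second token is an assumption. The decoder does not verify signatures, so it is for inspection only, not for accepting tokens.

```python
import base64
import json


def _b64url(obj) -> str:
    """Base64url-encode a JSON object without padding (JWT segment form)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample: a plain access token with the claims from the post.
ACCESS_PAYLOAD = {
    "iss": "http://localhost:8180/auth/realms/demo12",
    "aud": "server12",
    "azp": "server12",
    "typ": "Bearer",
    "realm_access": {"roles": ["role_special_user", "offline_access",
                               "uma_authorization", "user"]},
    "resource_access": {"server12": {"roles": ["uma_protection"]}},
    "preferred_username": "user_special",
}

# Constructed sample: the same token after the enforcer has exchanged it for an RPT.
# The resource name is an assumption; RPT permission entries carry rsid/rsname/scopes.
RPT_PAYLOAD = dict(ACCESS_PAYLOAD)
RPT_PAYLOAD["authorization"] = {
    "permissions": [{"rsid": "placeholder-resource-id", "rsname": "special-resource",
                     "scopes": ["view"]}]
}

HEADER = {"alg": "RS256", "typ": "JWT"}
SAMPLE_ACCESS_TOKEN = ".".join([_b64url(HEADER), _b64url(ACCESS_PAYLOAD), "sig-placeholder"])
SAMPLE_RPT = ".".join([_b64url(HEADER), _b64url(RPT_PAYLOAD), "sig-placeholder"])


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. Signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))


def enforcer_view(token: str, client_id: str, required_role: str) -> dict:
    """Summarise the claims a Keycloak policy enforcer keys on for a given client."""
    claims = decode_payload(token)
    realm_roles = claims.get("realm_access", {}).get("roles", [])
    audiences = claims.get("aud", [])
    if isinstance(audiences, str):  # "aud" may be a string or a list
        audiences = [audiences]
    permissions = claims.get("authorization", {}).get("permissions", [])
    return {
        "has_required_role": required_role in realm_roles,
        "audience_matches_client": client_id in audiences,
        "has_rpt_permissions": bool(permissions),
        "granted_resources": sorted(p.get("rsname", p.get("rsid", "?")) for p in permissions),
    }


if __name__ == "__main__":
    for name, tok in (("access token", SAMPLE_ACCESS_TOKEN), ("RPT", SAMPLE_RPT)):
        print(name, json.dumps(enforcer_view(tok, "server12", "role_special_user"), indent=2))
```

Run against the token from the post, the summary shows the role and audience in order but no "authorization" claim: the policy evaluator in the admin console decides from roles alone, while the enforcer in front of the resource decides from granted permissions, so comparing the two views is the first thing to check when evaluate says permit and the request still gets 403.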