[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

Pedro Igor Silva psilva at redhat.com
Thu Aug 9 08:31:02 EDT 2018


Hi,

Your configuration looks correct. But I noticed that in the postman request
you are sending requests to `http://localhost:7200/{app}/keycloak/secure/role`.
However in your resource definition the URI is configured to `/secure/role`.
Both URIs should match, otherwise the adapter won't be able to map the URI in
your application to a resource in Keycloak (and related permissions).

Regards.
Pedro Igor

On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55 at gmail.com> wrote:

> With all the configuration(shared below), when I test using the evaluate
> option under authorization tab, result is permit:
>
> *But when I make a request to this resource through postman, I get 403.*
>
> *Which part of configuration is wrong which is leading to 403 error?*
>
> CONFIGURATION:
>
>
> *Detailed configuration with images shown here:*
>
> *https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api*
>
> *1.* Following https://www.keycloak.org/docs/4.2/authorization_services/ ,
> I created a realm role: *role_special_user* and created a user: *user_special*
> with this role and role *user*.
>
> *2.* Next, my resource server / client has *full scope enabled*:
> *3.* Under authorization tab, I created a resource with the role-based
> policy.
>
> *4.* Now, keycloak json is:
>
> {
>   "realm": "demo12",
>   "auth-server-url": "http://localhost:8180/auth",
>   "ssl-required": "none",
>   "resource": "server12",
>   "credentials": {
>     "secret": "XXXXXXX"
>   },
>   "confidential-port": 0,
>   "policy-enforcer": {}
> }
>
> *5.* And Keycloak Jetty adapter configuration is:
>
> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
> // Load keycloak.json from the classpath
> InputStream is = Thread.currentThread().getContextClassLoader()
>         .getResourceAsStream(KEYCLOAK_JSON);
> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
> // Build the Jetty authenticator from the parsed adapter configuration
> // (the original line "= KeyCloakConfig;" was not valid Java)
> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
> kcAuthenticator.setAdapterConfig(keyCloakConfig);
> // Require authentication for every path; "**" accepts any authenticated role
> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
> ConstraintMapping constraintMapping = new ConstraintMapping();
> constraintMapping.setPathSpec("/*");
> Constraint constraint = new Constraint();
> constraint.setAuthenticate(true);
> constraint.setRoles(new String[]{"**"});
> constraintMapping.setConstraint(constraint);
> securityHandler.addConstraintMapping(constraintMapping);
> securityHandler.setAuthenticator(kcAuthenticator);
> context.setSecurityHandler(securityHandler);
>
> *6.* Also, the decoded jwt token sample is:
>
> {
>   "jti": "XXXXXXX",
>   "exp": 1533798704,
>   "nbf": 0,
>   "iat": 1533798404,
>   "iss": "http://localhost:8180/auth/realms/demo12",
>   "aud": "server12",
>   "sub": "XXXXXXX",
>   "typ": "Bearer",
>   "azp": "server12",
>   "auth_time": 1533798404,
>   "session_state": "XXXXXX",
>   "acr": "1",
>   "allowed-origins": [],
>   "realm_access": {
>     "roles": [
>       "role_special_user",
>       "offline_access",
>       "uma_authorization",
>       "user"
>     ]
>   },
>   "resource_access": {
>     "server12": {
>       "roles": [
>         "uma_protection"
>       ]
>     },
>     "account": {
>       "roles": [
>         "manage-account",
>         "manage-account-links",
>         "view-profile"
>       ]
>     }
>   },
>   "scope": "openid email profile",
>   "email_verified": false,
>   "preferred_username": "user_special"
> }
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
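To make Pedro's point concrete: the policy enforcer matches the request path it sees inside the application against the resource URIs it fetched from Keycloak, so a resource registered as `/secure/role` never matches a request for `/keycloak/secure/role` and the enforcer denies it with 403 even though the Evaluate tool (which is asked about the resource directly, not about a path) says permit. One fix is to change the resource URI in the admin console to the path actually served. The other is to declare the mapping explicitly in `keycloak.json`, as in the following added example. This is not configuration from the thread; it assumes the application is deployed under a context path `/{app}` so the path the adapter compares is `/keycloak/secure/role`, and `RESOURCE_NAME_PLACEHOLDER` stands for the name the user gave the resource in the Authorization tab, which the thread does not show.

```json
{
  "realm": "demo12",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "none",
  "resource": "server12",
  "credentials": {
    "secret": "XXXXXXX"
  },
  "confidential-port": 0,
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "RESOURCE_NAME_PLACEHOLDER",
        "path": "/keycloak/secure/role",
        "methods": [
          {
            "method": "GET"
          }
        ]
      }
    ]
  }
}
```

With `paths` declared, the `name` must equal the resource name in Keycloak and `path` must equal the path the adapter sees (relative to the context root, so without `/{app}`); a mismatch in either reproduces the same 403. Leaving `policy-enforcer` as `{}` is also valid, but then the URI stored on the resource itself has to match the request path, which is the mismatch Pedro identified.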