[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

keycloak demo testoauth55 at gmail.com
Thu Aug 9 23:31:35 EDT 2018


Pedro, thanks for replying. I tried putting the absolute URI, but it does
not work either. The documentation anyway states that the URI in resource
can be relative to client root URL which I have configured to be
http://localhost:7200/{app}/keycloak , therefore putting relative URI
'/secure/role' in resource should be equivalent to putting absolute URI
'http://localhost:7200/{app}/keycloak/secure/role'. Do you think there is
something else I can try?

On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> Your configuration looks correct. But I noticed that in the postman
> request you are sending requests to
> `http://localhost:7200/{app}/keycloak/secure/role`. However in your
> resource definition the URI is configured to `/secure/role`. Both URIs
> should match otherwise the adapter won't be able to map the URI in your
> application to a resource in Keycloak (and related permissions).
>
> Regards.
> Pedro Igor
>
> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55 at gmail.com>
> wrote:
>
>> With all the configuration(shared below), when I test using the evaluate
>> option under authorization tab, result is permit:
>>
>> *But when I make a request to this resource through postman, I get 403.*
>>
>> *Which part of configuration is wrong which is leading to 403 error?*
>>
>> CONFIGURATION:
>>
>>
>> *Detailed configuration with images shown here:*
>>
>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>
>> *1.* Following https://www.keycloak.org/docs/4.2/authorization_services/ ,
>> I created a realm role : *role_special_user* and created a user :
>> *user_special* with this role and role *user*.
>>
>> *2.* Next, my resource server / client is with *full scope enabled*:
>> *3.* Under authorization tab, I created a resource with the role-based
>> policy.
>>
>> *4.* Now, keycloak json is:
>>
>> {
>>   "realm": "demo12",
>>   "auth-server-url": "http://localhost:8180/auth",
>>   "ssl-required": "none",
>>   "resource": "server12",
>>   "credentials": {
>>     "secret": "XXXXXXX"
>>   },
>>   "confidential-port": 0,
>>   "policy-enforcer": {}
>> }
>>
>> *5.* And Keycloak Jetty adapter configuration is:
>>
>> import java.io.InputStream;
>>
>> import com.fasterxml.jackson.annotation.JsonInclude;
>> import com.fasterxml.jackson.databind.ObjectMapper;
>> import org.eclipse.jetty.security.ConstraintMapping;
>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>> import org.eclipse.jetty.util.security.Constraint;
>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>> import org.keycloak.representations.adapters.config.AdapterConfig;
>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>
>> // Load keycloak.json from the classpath and parse it into an AdapterConfig
>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>> InputStream is = Thread.currentThread().getContextClassLoader()
>>         .getResourceAsStream(KEYCLOAK_JSON);
>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>
>> // Hand the parsed adapter config (including the policy-enforcer section)
>> // to the Jetty authenticator
>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>
>> // Require authentication on every path; the "**" role means any
>> // authenticated user, so authorization is left to the policy enforcer
>> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>> ConstraintMapping constraintMapping = new ConstraintMapping();
>> constraintMapping.setPathSpec("/*");
>> Constraint constraint = new Constraint();
>> constraint.setAuthenticate(true);
>> constraint.setRoles(new String[]{"**"});
>> constraintMapping.setConstraint(constraint);
>> securityHandler.addConstraintMapping(constraintMapping);
>> securityHandler.setAuthenticator(kcAuthenticator);
>> context.setSecurityHandler(securityHandler); // context: the app's ServletContextHandler
>>
>> *6.* Also, the decoded jwt token sample is:
>>
>> {
>>   "jti": "XXXXXXX",
>>   "exp": 1533798704,
>>   "nbf": 0,
>>   "iat": 1533798404,
>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>   "aud": "server12",
>>   "sub": "XXXXXXX",
>>   "typ": "Bearer",
>>   "azp": "server12",
>>   "auth_time": 1533798404,
>>   "session_state": "XXXXXX",
>>   "acr": "1",
>>   "allowed-origins": [],
>>   "realm_access": {
>>     "roles": [
>>       "role_special_user",
>>       "offline_access",
>>       "uma_authorization",
>>       "user"
>>     ]
>>   },
>>   "resource_access": {
>>     "server12": {
>>       "roles": [
>>         "uma_protection"
>>       ]
>>     },
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "manage-account-links",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "scope": "openid email profile",
>>   "email_verified": false,
>>   "preferred_username": "user_special"
>> }
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
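The disagreement in this thread (Evaluate says PERMIT, the live request gets 403) comes down to a step the Evaluate tool never performs: before any policy is consulted, the adapter's policy enforcer must map the request path to one of the registered resources, and in ENFORCING mode an unmapped path is denied by default. The following Python model, added here and not part of the thread or of Keycloak's code, makes that two-stage decision concrete. It assumes that resource URIs are path patterns where a trailing `*` segment matches any suffix and `{name}` matches one segment, that the enforcer compares the request path with the application's context path stripped, and uses a constructed resource set, role policy and token claims shaped like the decoded token above.

```python
"""Simplified model of a Keycloak policy enforcer's request-to-resource
mapping followed by role-policy evaluation (added example; constructed data)."""
import re
from urllib.parse import urlparse

# Constructed: where the application is mounted (the thread writes this as {app}).
CONTEXT_PATH = "/myapp/keycloak"

# Constructed: resource name -> URI patterns, as the adapter would fetch them
# from the authorization server.
RESOURCES = {
    "Special role resource": ["/secure/role"],
    "Account API": ["/api/accounts/{id}"],
    "Static content": ["/static/*"],
}

# Constructed role-based policies: resource name -> required realm role
# (None means no policy is attached, so any authenticated user passes).
REQUIRED_ROLE = {
    "Special role resource": "role_special_user",
    "Account API": "user",
    "Static content": None,
}

# Constructed claims in the shape of the decoded token shown in the thread.
TOKEN = {"realm_access": {"roles": ["role_special_user", "offline_access",
                                    "uma_authorization", "user"]}}


def pattern_to_regex(pattern):
    """Translate a resource URI pattern into an anchored regex."""
    parts = []
    for seg in pattern.split("/"):
        if seg == "*":
            parts.append(".*")            # wildcard suffix
        elif seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")         # one path-segment template
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def request_path(url, context_path):
    """Path the enforcer compares: URL path minus the app's context path
    (assumption about adapter behaviour, see lead-in)."""
    path = urlparse(url).path
    if context_path and path.startswith(context_path):
        path = path[len(context_path):] or "/"
    return path


def find_resource(path, resources=RESOURCES):
    """First resource whose URI pattern matches the path, or None."""
    for name, uris in resources.items():
        if any(pattern_to_regex(u).match(path) for u in uris):
            return name
    return None


def policy_permits(resource_name, token):
    """The step the admin console's Evaluate tool exercises: does the token
    satisfy the role policy attached to the chosen resource?"""
    role = REQUIRED_ROLE.get(resource_name)
    return role is None or role in token["realm_access"]["roles"]


def enforce(url, token, context_path=CONTEXT_PATH, mode="ENFORCING"):
    """HTTP status the enforcer would produce for the request."""
    if mode == "DISABLED":
        return 200
    resource = find_resource(request_path(url, context_path))
    if resource is None:
        # No resource maps to this path: ENFORCING denies by default,
        # PERMISSIVE lets the request through without a permission check.
        return 403 if mode == "ENFORCING" else 200
    return 200 if policy_permits(resource, token) else 403


if __name__ == "__main__":
    url = "http://localhost:7200/myapp/keycloak/secure/role"
    print(enforce(url, TOKEN))                          # path and policy match
    print(enforce(url, TOKEN, context_path="/myapp"))   # path maps to no resource
    print(enforce(url, {"realm_access": {"roles": ["user"]}}))  # policy denies
```

The second call is the interesting one: the token is identical to the first, and Evaluate would still report PERMIT for the resource, yet the request is refused because the path the adapter sees (`/keycloak/secure/role`) matches no registered URI. When debugging a 403 of this kind, confirm what path the adapter actually compares before touching the policies, and treat PERMISSIVE only as a diagnostic setting, since it turns an unmapped path from a deny into an allow.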

