[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

Pedro Igor Silva psilva at redhat.com
Fri Aug 10 07:47:20 EDT 2018


Yeah, it should be relative. I was wondering if the correct URI would be
'/keycloak/secure/role' instead.

In any case, I would ask you to try the same deployment using tomcat or
wildfly to see how it goes. We have a few quickstarts running on these two.
Maybe you could also try to enable DEBUG log level to see how the policy
enforcer is matching URIs to your resources.

If none of them work, I can give it a try and run jetty.

Regards.
Pedro Igor

On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <testoauth55 at gmail.com>
wrote:

> Pedro, thanks for replying. I tried putting the absolute URI, but it does
> not work either. The documentation anyway states that the URI in resource
> can be relative to client root URL which I have configured to be
> http://localhost:7200/{app}/keycloak , therefore putting relative URI '/secure/role'
> in resource should be equivalent to putting absolute URI
> 'http://localhost:7200/{app}/keycloak/secure/role'. Do you think there is
> something else I can try?
>
> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hi,
>>
>> Your configuration looks correct. But I noticed that in the postman
>> request you are sending requests to
>> `http://localhost:7200/{app}/keycloak/secure/role`. However in your
>> resource definition the URI is configured to `/secure/role`. Both URIs
>> should match otherwise the adapter won't be able to map the URI in your
>> application to a resource in Keycloak (and related permissions).
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55 at gmail.com>
>> wrote:
>>
>>> With all the configuration (shared below), when I test using the evaluate
>>> option under authorization tab, result is permit:
>>>
>>> But when I make a request to this resource through postman, I get 403.
>>>
>>> Which part of configuration is wrong which is leading to 403 error?
>>>
>>> CONFIGURATION:
>>>
>>> Detailed configuration with images shown here:
>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>
>>> 1. Following https://www.keycloak.org/docs/4.2/authorization_services/ , I created a
>>> realm role: role_special_user and created a user: user_special with
>>> this role and role user.
>>>
>>> 2. Next, my resource server / client has full scope enabled:
>>>
>>> 3. Under authorization tab, I created a resource with the role-based
>>> policy:
>>>
>>> 4. Now, keycloak json is:
>>>
>>> {
>>>   "realm": "demo12",
>>>   "auth-server-url": "http://localhost:8180/auth",
>>>   "ssl-required": "none",
>>>   "resource": "server12",
>>>   "credentials": {
>>>     "secret": "XXXXXXX"
>>>   },
>>>   "confidential-port": 0,
>>>   "policy-enforcer": {}
>>> }
>>>
>>> 5. And Keycloak Jetty adapter configuration is:
>>>
>>> import java.io.InputStream;
>>> import com.fasterxml.jackson.annotation.JsonInclude;
>>> import com.fasterxml.jackson.databind.ObjectMapper;
>>> import org.eclipse.jetty.security.ConstraintMapping;
>>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>> import org.eclipse.jetty.util.security.Constraint;
>>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>
>>> // Load keycloak.json from the classpath and parse it into an AdapterConfig
>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>> InputStream is = Thread.currentThread().getContextClassLoader()
>>>         .getResourceAsStream(KEYCLOAK_JSON);
>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>
>>> // Hand the parsed adapter configuration to the Jetty authenticator
>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>
>>> // Require an authenticated user (any role, "**") on every path; the
>>> // policy enforcer configured in keycloak.json then decides per resource
>>> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>> ConstraintMapping constraintMapping = new ConstraintMapping();
>>> constraintMapping.setPathSpec("/*");
>>> Constraint constraint = new Constraint();
>>> constraint.setAuthenticate(true);
>>> constraint.setRoles(new String[]{"**"});
>>> constraintMapping.setConstraint(constraint);
>>> securityHandler.addConstraintMapping(constraintMapping);
>>> securityHandler.setAuthenticator(kcAuthenticator);
>>> context.setSecurityHandler(securityHandler);
>>>
>>> 6. Also, the decoded jwt token sample is:
>>>
>>> {
>>>   "jti": "XXXXXXX",
>>>   "exp": 1533798704,
>>>   "nbf": 0,
>>>   "iat": 1533798404,
>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>   "aud": "server12",
>>>   "sub": "XXXXXXX",
>>>   "typ": "Bearer",
>>>   "azp": "server12",
>>>   "auth_time": 1533798404,
>>>   "session_state": "XXXXXX",
>>>   "acr": "1",
>>>   "allowed-origins": [],
>>>   "realm_access": {
>>>     "roles": [
>>>       "role_special_user",
>>>       "offline_access",
>>>       "uma_authorization",
>>>       "user"
>>>     ]
>>>   },
>>>   "resource_access": {
>>>     "server12": {
>>>       "roles": [
>>>         "uma_protection"
>>>       ]
>>>     },
>>>     "account": {
>>>       "roles": [
>>>         "manage-account",
>>>         "manage-account-links",
>>>         "view-profile"
>>>       ]
>>>     }
>>>   },
>>>   "scope": "openid email profile",
>>>   "email_verified": false,
>>>   "preferred_username": "user_special"
>>> }
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
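As an added illustration (not code from this thread or from Keycloak itself), a simplified Python model of the two checks the thread contrasts: the admin console's Evaluate tool applies the role-based policy to a resource selected by name, while the policy enforcer in the application must first map the request's relative path onto a resource URI before any policy is consulted. The resource name "Role Resource", the path-matching rules and the assumption that the enforcer sees "/keycloak/secure/role" (Pedro's suspicion) rather than "/secure/role" are constructed for the example, not taken from Keycloak's implementation.

```python
# Added example: a simplified model of "Evaluate says PERMIT, enforcer says 403".
# Path-matching semantics are an approximation of the policy enforcer, not its code.

# Constructed resource server configuration mirroring the thread: one resource with a
# relative URI "/secure/role" protected by a role-based policy on role_special_user.
RESOURCES = {
    "Role Resource": {"uris": ["/secure/role"], "required_realm_roles": {"role_special_user"}},
}

# Constructed token claims, reduced to what the role policy inspects (roles from the thread).
TOKEN = {"realm_access": {"roles": ["role_special_user", "offline_access",
                                    "uma_authorization", "user"]}}

def role_policy_permits(resource, token):
    """Role-based policy: every required realm role must be present in the token."""
    roles = set(token.get("realm_access", {}).get("roles", []))
    return resource["required_realm_roles"] <= roles

def path_matches(pattern, path):
    """Segment-wise URI match: '{x}' matches one segment, a trailing '*' matches the rest.
    Simplified stand-in for the enforcer's path template matching."""
    pseg, seg = pattern.strip("/").split("/"), path.strip("/").split("/")
    for i, p in enumerate(pseg):
        if p == "*":
            return True
        if i >= len(seg):
            return False
        if p.startswith("{") and p.endswith("}"):
            continue
        if p != seg[i]:
            return False
    return len(pseg) == len(seg)

def evaluate(resource_name, token=TOKEN, resources=RESOURCES):
    """Evaluate-tool style: the resource is chosen by name, so only the policy is tested."""
    return "PERMIT" if role_policy_permits(resources[resource_name], token) else "DENY"

def enforce(request_path, token=TOKEN, resources=RESOURCES):
    """Enforcer style: map the request path to a resource first, then apply its policy.
    An unmapped path grants nothing, which the application surfaces as 403."""
    for name, res in resources.items():
        if any(path_matches(uri, request_path) for uri in res["uris"]):
            return ("PERMIT", name) if role_policy_permits(res, token) else ("DENY", name)
    return ("DENY", None)

if __name__ == "__main__":
    print(evaluate("Role Resource"))          # PERMIT: same roles, resource picked by name
    print(enforce("/secure/role"))             # ('PERMIT', 'Role Resource')
    print(enforce("/keycloak/secure/role"))    # ('DENY', None): no resource URI matched
```

Enabling DEBUG logging on the enforcer, as suggested above, is the practical way to see which relative path it actually tries to match against the configured resource URIs.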

