[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

keycloak demo testoauth55 at gmail.com
Fri Aug 17 03:40:05 EDT 2018


Pedro,

After further debugging I found out that the following line in keycloak json is
causing the issue:  "policy-enforcer": {}. If I remove this line, then the 403
error is removed, but I guess doing this disables authorization altogether.
2 questions on this:
1. When I have configured policies on the Admin console under the
authorization tab, why is this empty?
2. Is there a way to put some default values (not manually) in here to make
authorization work?

On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Yeah, it should be relative. I was wondering if the correct URI would be
> '/keycloak/secure/role' instead.
>
> In any case, I would ask you to try the same deployment using tomcat or
> wildfly to see how it goes. We have a few quickstarts running on these two.
> Maybe you could also try to enable DEBUG log level to see how the policy
> enforcer is matching URIs to your resources.
>
> If none of them work, I can give a try and run jetty.
>
> Regards.
> Pedro Igor
>
> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <testoauth55 at gmail.com>
> wrote:
>
>> Pedro, thanks for replying. I tried putting the absolute URI, but it does
>> not work either. The documentation anyway states that the URI in resource
>> can be relative to client root URL which I have configured to be
>> http://localhost:7200/{app}/keycloak , therefore putting relative URI '/secure/role'
>> in resource should be equivalent to putting absolute URI
>> 'http://localhost:7200/{app}/keycloak/secure/role'. Do you think there
>> is something else I can try?
>>
>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Your configuration looks correct. But I noticed that in the postman
>>> request you are sending requests to
>>> `http://localhost:7200/{app}/keycloak/secure/role`. However in your
>>> resource definition the URI is configured to `/secure/role`. Both URIs
>>> should match otherwise the adapter won't be able to map the URI in your
>>> application to a resource in Keycloak (and related permissions).
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55 at gmail.com>
>>> wrote:
>>>
>>>> With all the configuration (shared below), when I test using the evaluate
>>>> option under authorization tab, result is permit:
>>>>
>>>> *But when I make a request to this resource through postman, I get 403.*
>>>>
>>>> *Which part of configuration is wrong which is leading to 403 error?*
>>>>
>>>> CONFIGURATION:
>>>>
>>>>
>>>> *Detailed configuration with images shown here:*
>>>>
>>>> *https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api*
>>>>
>>>> *1.* Following https://www.keycloak.org/docs/4.2/authorization_services/ ,
>>>> I created a realm role: *role_special_user* and created a user:
>>>> *user_special* with this role and role *user*.
>>>>
>>>> *2.* Next, my resource server / client is with *full scope enabled*:
>>>>
>>>> *3.* Under authorization tab, I created a resource with the role based
>>>> policy.
>>>>
>>>> *4.* Now, keycloak json is:
>>>>
>>>> {
>>>>   "realm": "demo12",
>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>   "ssl-required": "none",
>>>>   "resource": "server12",
>>>>   "credentials": {
>>>>     "secret": "XXXXXXX"
>>>>   },
>>>>   "confidential-port": 0,
>>>>   "policy-enforcer": {}
>>>> }
>>>>
>>>> *5.* And Keycloak Jetty adapter configuration is:
>>>>
>>>> import java.io.InputStream;
>>>> import com.fasterxml.jackson.annotation.JsonInclude;
>>>> import com.fasterxml.jackson.databind.ObjectMapper;
>>>> import org.eclipse.jetty.security.ConstraintMapping;
>>>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>>> import org.eclipse.jetty.util.security.Constraint;
>>>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>>
>>>> // Load keycloak.json from the classpath and parse it into an AdapterConfig
>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>> InputStream is = Thread.currentThread().getContextClassLoader()
>>>>         .getResourceAsStream(KEYCLOAK_JSON);
>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>
>>>> // Build the Jetty authenticator from the parsed adapter config
>>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>
>>>> // Require an authenticated user on every path; "**" accepts any role
>>>> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>> ConstraintMapping constraintMapping = new ConstraintMapping();
>>>> constraintMapping.setPathSpec("/*");
>>>> Constraint constraint = new Constraint();
>>>> constraint.setAuthenticate(true);
>>>> constraint.setRoles(new String[]{"**"});
>>>> constraintMapping.setConstraint(constraint);
>>>> securityHandler.addConstraintMapping(constraintMapping);
>>>> securityHandler.setAuthenticator(kcAuthenticator);
>>>> // context is the application's ServletContextHandler, created elsewhere
>>>> context.setSecurityHandler(securityHandler);
>>>>
>>>> *6.* Also, the decoded jwt token sample is:
>>>>
>>>> {
>>>>   "jti": "XXXXXXX",
>>>>   "exp": 1533798704,
>>>>   "nbf": 0,
>>>>   "iat": 1533798404,
>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>   "aud": "server12",
>>>>   "sub": "XXXXXXX",
>>>>   "typ": "Bearer",
>>>>   "azp": "server12",
>>>>   "auth_time": 1533798404,
>>>>   "session_state": "XXXXXX",
>>>>   "acr": "1",
>>>>   "allowed-origins": [],
>>>>   "realm_access": {
>>>>     "roles": [
>>>>       "role_special_user",
>>>>       "offline_access",
>>>>       "uma_authorization",
>>>>       "user"
>>>>     ]
>>>>   },
>>>>   "resource_access": {
>>>>     "server12": {
>>>>       "roles": [
>>>>         "uma_protection"
>>>>       ]
>>>>     },
>>>>     "account": {
>>>>       "roles": [
>>>>         "manage-account",
>>>>         "manage-account-links",
>>>>         "view-profile"
>>>>       ]
>>>>     }
>>>>   },
>>>>   "scope": "openid email profile",
>>>>   "email_verified": false,
>>>>   "preferred_username": "user_special"
>>>> }
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
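As an added example (not written by either participant in this thread), a keycloak.json whose "policy-enforcer" section declares the protected path explicitly instead of leaving `{}`; with `{}` the enforcer still runs but has to discover resource URIs from the server and match request paths against them, whereas listed paths pin that mapping down. The `/secure/role` path is the resource URI from the thread; the DISABLED `/public/*` entry is an assumed contrast showing how a path is excluded from enforcement.

```json
{
  "realm": "demo12",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "none",
  "resource": "server12",
  "credentials": {
    "secret": "XXXXXXX"
  },
  "confidential-port": 0,
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "path": "/secure/role"
      },
      {
        "path": "/public/*",
        "enforcement-mode": "DISABLED"
      }
    ]
  }
}
```

A path with "enforcement-mode": "DISABLED" bypasses authorization entirely for that path, so list only genuinely public endpoints there; every other path still goes through the permission check against the resource whose URI it matches.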

