[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
Pedro Igor Silva
psilva at redhat.com
Fri Aug 17 07:41:12 EDT 2018
On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo <testoauth55 at gmail.com>
wrote:
> Pedro,
>
> After further debugging I found out that following line in keycloak json
> is causing the issue: "policy-enforcer": {}. If I remove this line, then
> 403 error is removed but I guess doing this disables authorization
> altogether. 2 questions on this:
> 1. When I have configured policies on the Admin console under the
> authorization tab, why is this empty?
>
I'm not sure. When you enable authorization services for a client, default
resources/permissions are created. These permissions grant access to
any resource in your application (uri == /*).
> 2. Is there a way to put some default values (not manually) in here to
> make authorization work?
>
Like I said, when you just enable the authorization services switch,
default settings are created automatically.
Did you try to run any of our quickstarts?
>
> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Yeah, it should be relative. I was wondering if the correct URI would be
>> '/keycloak/secure/role' instead.
>>
>> In any case, I would ask you to try the same deployment using tomcat or
>> wildfly to see how it goes. We have a few quickstarts running on these two.
>> Maybe you could also try to enable DEBUG log level to see how the policy
>> enforcer is matching URIs to your resources.
>>
>> If none of them work, I can give a try and run jetty.
>>
>> Regards.
>> Pedro Igor
>>
>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <testoauth55 at gmail.com>
>> wrote:
>>
>>> Pedro, thanks for replying. I tried putting the absolute URI, but it does
>>> not work either. The documentation anyway states that the URI in resource
>>> can be relative to the client root URL, which I have configured to be
>>> http://localhost:7200/{app}/keycloak, therefore putting the relative URI '/secure/role'
>>> in the resource should be equivalent to putting the absolute URI
>>> http://localhost:7200/{app}/keycloak/secure/role. Do you think there
>>> is something else I can try?
>>>
>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Your configuration looks correct. But I noticed that in the postman
>>>> request you are sending requests to
>>>> `http://localhost:7200/{app}/keycloak/secure/role`. However, in
>>>> your resource definition the URI is configured to `/secure/role`. Both URIs
>>>> should match, otherwise the adapter won't be able to map the URI in your
>>>> application to a resource in Keycloak (and related permissions).
>>>>
>>>> Regards.
>>>> Pedro Igor
>>>>
>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55 at gmail.com>
>>>> wrote:
>>>>
>>>>> With all the configuration (shared below), when I test using the evaluate
>>>>> option under the authorization tab, the result is permit:
>>>>>
>>>>> But when I make a request to this resource through postman, I get 403.
>>>>>
>>>>> Which part of the configuration is wrong and leads to the 403 error?
>>>>>
>>>>> CONFIGURATION:
>>>>>
>>>>> Detailed configuration with images shown here:
>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>
>>>>> 1. Following https://www.keycloak.org/docs/4.2/authorization_services/ , I created
>>>>> a realm role: role_special_user and created a user: user_special with
>>>>> this role and the role user.
>>>>>
>>>>> 2. Next, my resource server / client is with full scope enabled.
>>>>> 3. Under the authorization tab, I created a resource with the role-based
>>>>> policy.
>>>>>
>>>>> 4. Now, keycloak json is:
>>>>>
>>>>> {
>>>>> "realm": "demo12",
>>>>> "auth-server-url": "http://localhost:8180/auth",
>>>>> "ssl-required": "none",
>>>>> "resource": "server12",
>>>>> "credentials": {
>>>>> "secret": "XXXXXXX"
>>>>> },
>>>>> "confidential-port": 0,
>>>>> "policy-enforcer": {}}
>>>>>
>>>>> 5. And the Keycloak Jetty adapter configuration is:
>>>>>
>>>>> // Imports needed by this snippet (Jackson, Jetty 9 and the Keycloak Jetty adapter)
>>>>> import java.io.InputStream;
>>>>> import com.fasterxml.jackson.annotation.JsonInclude;
>>>>> import com.fasterxml.jackson.databind.ObjectMapper;
>>>>> import org.eclipse.jetty.security.ConstraintMapping;
>>>>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>>>> import org.eclipse.jetty.util.security.Constraint;
>>>>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>>>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>>>
>>>>> // Load keycloak.json from the classpath and parse it into the adapter config
>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>> InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>
>>>>> // Hand the parsed config to the Jetty authenticator (the adapter config is a
>>>>> // property of the authenticator, not the authenticator itself)
>>>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>>
>>>>> // Require an authenticated user for every path; "**" means any role is accepted
>>>>> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>> ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>> constraintMapping.setPathSpec("/*");
>>>>> Constraint constraint = new Constraint();
>>>>> constraint.setAuthenticate(true);
>>>>> constraint.setRoles(new String[]{"**"});
>>>>> constraintMapping.setConstraint(constraint);
>>>>> securityHandler.addConstraintMapping(constraintMapping);
>>>>> securityHandler.setAuthenticator(kcAuthenticator);
>>>>> // context is the application's ServletContextHandler
>>>>> context.setSecurityHandler(securityHandler);
>>>>>
>>>>> 6. Also, the decoded jwt token sample is:
>>>>>
>>>>> {
>>>>>   "jti": "XXXXXXX",
>>>>>   "exp": 1533798704,
>>>>>   "nbf": 0,
>>>>>   "iat": 1533798404,
>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>   "aud": "server12",
>>>>>   "sub": "XXXXXXX",
>>>>>   "typ": "Bearer",
>>>>>   "azp": "server12",
>>>>>   "auth_time": 1533798404,
>>>>>   "session_state": "XXXXXX",
>>>>>   "acr": "1",
>>>>>   "allowed-origins": [],
>>>>>   "realm_access": {
>>>>>     "roles": [
>>>>>       "role_special_user",
>>>>>       "offline_access",
>>>>>       "uma_authorization",
>>>>>       "user"
>>>>>     ]
>>>>>   },
>>>>>   "resource_access": {
>>>>>     "server12": {
>>>>>       "roles": [
>>>>>         "uma_protection"
>>>>>       ]
>>>>>     },
>>>>>     "account": {
>>>>>       "roles": [
>>>>>         "manage-account",
>>>>>         "manage-account-links",
>>>>>         "view-profile"
>>>>>       ]
>>>>>     }
>>>>>   },
>>>>>   "scope": "openid email profile",
>>>>>   "email_verified": false,
>>>>>   "preferred_username": "user_special"
>>>>> }
>>>>>
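An added example, not from this thread or from the Keycloak project, of the same keycloak.json with the policy-enforcer section filled in explicitly instead of left as {} (which relies on the auto-created /* default resource and whatever URI is stored on each resource). It assumes the application is deployed under the context path /{app}/keycloak, that the Keycloak client contains a resource named "Secure Role Resource" (assumed name), and that /health is an unprotected endpoint (assumed); the "path" values are relative to the application context path.

```json
{
  "realm": "demo12",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "none",
  "resource": "server12",
  "credentials": {
    "secret": "XXXXXXX"
  },
  "confidential-port": 0,
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "Secure Role Resource",
        "path": "/secure/role",
        "methods": [
          {
            "method": "GET"
          }
        ]
      },
      {
        "path": "/health",
        "enforcement-mode": "DISABLED"
      }
    ]
  }
}
```

Temporarily setting the top-level enforcement-mode to PERMISSIVE lets requests that match no resource through, which is a quick way to confirm whether a 403 comes from a missing URI-to-resource mapping rather than from a policy decision.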