[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

keycloak demo testoauth55 at gmail.com
Mon Aug 27 07:22:58 EDT 2018


I have tried one more thing: I have imported the realm from one of the keycloak
quickstarts
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet
and only replaced the URLs with my application URLs.

But I get the same error if I remove the resource containing URI /*
(resource name is: Protected Resource). Furthermore, if I keep this
resource (/*), I am able to authorize a user, but putting a debugger in the
client app showed that the authContext Permission list contains only 1 resource,
i.e. Protected Resource, although the user which authenticated was assigned
the role contained in the resource named Premium Resource. So ideally the
Permission list should have contained this resource as well. (I am
mentioning the names Protected and Premium as used in the keycloak
quickstart.) I put the /* URI in my original app and the 403 stopped. But the
permission array contained only this resource (with URI /*):

java.util.List<Permission> perms = authzContext.getPermissions();

To summarize the above test:
I get a 403 error if a resource containing URI /* is not present. If a URI
containing /* is present, then I get only this resource in the Permissions
Array / List in the Java client app, even if the resource with a specific URI
like /app/secure contains a valid role/policy/permission. Also the evaluate
API available under the Authorization option shows the result as permit.

Screenshots present here:
https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api


On Mon, Aug 20, 2018 at 12:07 PM keycloak demo <testoauth55 at gmail.com>
wrote:

> Pedro,
>
> Yes, default permissions grant access to any resource in my application
> (uri == /*). But the problem starts when I specify a resource with a specific URI
> (as described in the configuration in my previous email and also here:
> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
> ).
>
> Just to summarize the real problem:
>
> Apart from the default resource having `/*`, I have a second resource having
> URI: /secure/role/*, and this resource also has a role-based policy to
> allow access only to users having role "special". The expected behavior is
> that users who don't have role "special" should not be able to access this
> resource, right?
>
> But I am able to access this resource with any user, any role. So I
> thought that maybe the default resource URI '/*' is overriding the behavior
> of the second resource, so I changed the default resource URI to '/test/*', and
> then I started receiving a 403 error for accessing both '/test' as well as the
> second resource '/secure/role/*' for all users, including the user with the
> "special" role assigned.
>
> I looked into the realm resource configuration in one of the quickstarts and
> the only difference I found was that the quickstart resources specify a scope in
> each of the resources, whereas I have kept it blank. Could this be an issue?
>
> I understand you already spent time in trying to resolve this but problem
> still persists.
>
> On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>>
>>
>> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo <testoauth55 at gmail.com>
>> wrote:
>>
>>> Pedro,
>>>
>>> After further debugging I found out that the following line in keycloak.json
>>> is causing the issue: "policy-enforcer": {}. If I remove this line,
>>> then the 403 error is removed, but I guess doing this disables authorization
>>> altogether. 2 questions on this:
>>> 1. When I have configured policies on the Admin console under the
>>> authorization tab, why is this empty?
>>>
>>
>> I'm not sure. When you enable authorization services for a client, default
>> resources/permissions are created. These permissions grant access to
>> any resource in your application (uri == /*).
>>
>>
>>> 2. Is there a way to put some default values (not manually) in here to
>>> make authorization work?
>>>
>>
>> Like I said, when you just enable the authorization services switch,
>> default settings are created automatically.
>>
>> Did you try to run any of our quickstarts?
>>
>>
>>
>>>
>>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Yeah, it should be relative. I was wondering if the correct URI
>>>> would be '/keycloak/secure/role' instead.
>>>>
>>>> In any case, I would ask you to try the same deployment using tomcat or
>>>> wildfly to see how it goes. We have a few quickstarts running on these two.
>>>> Maybe you could also try to enable DEBUG log level to see how the policy
>>>> enforcer is matching URIs to your resources.
>>>>
>>>> If none of them work, I can give a try and run jetty.
>>>>
>>>> Regards.
>>>> Pedro Igor
>>>>
>>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <testoauth55 at gmail.com>
>>>> wrote:
>>>>
>>>>> Pedro, thanks for replying. I tried putting the absolute URI, but it
>>>>> does not work either. The documentation anyway states that the URI in a
>>>>> resource can be relative to the client root URL, which I have configured to be
>>>>> http://localhost:7200/{app}/keycloak , therefore putting the relative
>>>>> URI '/secure/role' in the resource should be equivalent to putting the
>>>>> absolute URI: http://localhost:7200/{app}/keycloak/secure/role
>>>>> Do you think there is something else I can try?
>>>>>
>>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Your configuration looks correct. But I noticed that in the postman
>>>>>> request you are sending requests to
>>>>>> `http://localhost:7200/{app}/keycloak/secure/role`. However, in
>>>>>> your resource definition the URI is configured to `/secure/role`. Both URIs
>>>>>> should match, otherwise the adapter won't be able to map the URI in your
>>>>>> application to a resource in Keycloak (and the related permissions).
>>>>>>
>>>>>> Regards.
>>>>>> Pedro Igor
>>>>>>
>>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55 at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> With all the configuration (shared below), when I test using the
>>>>>>> evaluate option under the authorization tab, the result is permit:
>>>>>>>
>>>>>>> But when I make a request to this resource through postman, I get
>>>>>>> 403.
>>>>>>>
>>>>>>> Which part of the configuration is wrong that is leading to the 403 error?
>>>>>>>
>>>>>>> CONFIGURATION:
>>>>>>>
>>>>>>> Detailed configuration with images shown here:
>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>>>
>>>>>>> 1. Following https://www.keycloak.org/docs/4.2/authorization_services/ , I
>>>>>>> created a realm role: role_special_user and created a user: user_special
>>>>>>> with this role and role user.
>>>>>>>
>>>>>>> 2. Next, my resource server / client has full scope enabled.
>>>>>>> 3. Under the authorization tab, I created a resource with the role-based
>>>>>>> policy.
>>>>>>>
>>>>>>> 4. Now, keycloak.json is:
>>>>>>>
>>>>>>> {
>>>>>>>   "realm": "demo12",
>>>>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>>>>   "ssl-required": "none",
>>>>>>>   "resource": "server12",
>>>>>>>   "credentials": {
>>>>>>>     "secret": "XXXXXXX"
>>>>>>>   },
>>>>>>>   "confidential-port": 0,
>>>>>>>   "policy-enforcer": {}
>>>>>>> }
>>>>>>>
>>>>>>> 5. And the Keycloak Jetty adapter configuration is:
>>>>>>>
>>>>>>> import java.io.InputStream;
>>>>>>> import com.fasterxml.jackson.annotation.JsonInclude;
>>>>>>> import com.fasterxml.jackson.databind.ObjectMapper;
>>>>>>> import org.eclipse.jetty.security.ConstraintMapping;
>>>>>>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>>>>>> import org.eclipse.jetty.util.security.Constraint;
>>>>>>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>>>>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>>>>>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>>>>>
>>>>>>> // Load keycloak.json from the classpath (path comes from Constants)
>>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>>>> InputStream is = Thread.currentThread().getContextClassLoader()
>>>>>>>         .getResourceAsStream(KEYCLOAK_JSON);
>>>>>>> // SystemPropertiesJsonParserFactory resolves ${...} system property
>>>>>>> // placeholders inside the JSON before it is mapped to AdapterConfig
>>>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>>>
>>>>>>> // Hand the parsed adapter config (including "policy-enforcer") to the
>>>>>>> // Jetty authenticator
>>>>>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>>>>
>>>>>>> // Require authentication on every path; the role "**" means any
>>>>>>> // authenticated user, so authorization is left to the policy enforcer
>>>>>>> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>>> ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>> constraintMapping.setPathSpec("/*");
>>>>>>> Constraint constraint = new Constraint();
>>>>>>> constraint.setAuthenticate(true);
>>>>>>> constraint.setRoles(new String[]{"**"});
>>>>>>> constraintMapping.setConstraint(constraint);
>>>>>>> securityHandler.addConstraintMapping(constraintMapping);
>>>>>>> securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>> context.setSecurityHandler(securityHandler);
>>>>>>>
>>>>>>> 6. Also, the decoded JWT token sample is:
>>>>>>>
>>>>>>> {
>>>>>>>   "jti": "XXXXXXX",
>>>>>>>   "exp": 1533798704,
>>>>>>>   "nbf": 0,
>>>>>>>   "iat": 1533798404,
>>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>>   "aud": "server12",
>>>>>>>   "sub": "XXXXXXX",
>>>>>>>   "typ": "Bearer",
>>>>>>>   "azp": "server12",
>>>>>>>   "auth_time": 1533798404,
>>>>>>>   "session_state": "XXXXXX",
>>>>>>>   "acr": "1",
>>>>>>>   "allowed-origins": [],
>>>>>>>   "realm_access": {
>>>>>>>     "roles": [
>>>>>>>       "role_special_user",
>>>>>>>       "offline_access",
>>>>>>>       "uma_authorization",
>>>>>>>       "user"
>>>>>>>     ]
>>>>>>>   },
>>>>>>>   "resource_access": {
>>>>>>>     "server12": {
>>>>>>>       "roles": [
>>>>>>>         "uma_protection"
>>>>>>>       ]
>>>>>>>     },
>>>>>>>     "account": {
>>>>>>>       "roles": [
>>>>>>>         "manage-account",
>>>>>>>         "manage-account-links",
>>>>>>>         "view-profile"
>>>>>>>       ]
>>>>>>>     }
>>>>>>>   },
>>>>>>>   "scope": "openid email profile",
>>>>>>>   "email_verified": false,
>>>>>>>   "preferred_username": "user_special"
>>>>>>> }
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
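What the thread circles around is that the adapter only authorizes a request when its path maps to a resource the policy enforcer knows about, and that an empty "policy-enforcer": {} leaves that mapping entirely to URI discovery. The following is an added example, not code from the thread or from the Keycloak project: a constructed keycloak.json that names the two resources and their paths explicitly, and a servlet that checks the specific resource through the adapter's AuthorizationContext instead of trusting which resource the path matched. The resource names "Default Resource" and "Special Resource", the scope "view", the secret and the class name are assumptions; the adapter API names follow the Keycloak 4.x Java adapter.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.PathConfig;
import org.keycloak.representations.idm.authorization.Permission;

/**
 * Added example, not from the thread: explicit enforcer paths plus an
 * in-servlet permission check against the resource this endpoint protects.
 */
public class SpecialResourceServlet extends HttpServlet {

    /** Constructed keycloak.json. Resource and scope names are assumptions and
     *  must match the client's Authorization tab exactly; "view" must exist as a
     *  scope on "Special Resource". ssl-required is left at the default rather
     *  than the thread's "none", which disables the TLS requirement entirely. */
    static final String KEYCLOAK_JSON = String.join("\n",
        "{",
        "  \"realm\": \"demo12\",",
        "  \"auth-server-url\": \"http://localhost:8180/auth\",",
        "  \"ssl-required\": \"external\",",
        "  \"resource\": \"server12\",",
        "  \"credentials\": { \"secret\": \"XXXXXXX\" },",
        "  \"policy-enforcer\": {",
        "    \"enforcement-mode\": \"ENFORCING\",",
        "    \"paths\": [",
        "      { \"name\": \"Default Resource\", \"path\": \"/*\" },",
        "      { \"name\": \"Special Resource\", \"path\": \"/secure/role/*\",",
        "        \"methods\": [ { \"method\": \"GET\", \"scopes\": [ \"view\" ] } ] }",
        "    ]",
        "  }",
        "}");

    /** Parse the config and refuse to start without an enforcer section:
     *  without "policy-enforcer" the adapter only authenticates. */
    static AdapterConfig loadAdapterConfig(String json) throws IOException {
        AdapterConfig cfg = new ObjectMapper().readValue(json, AdapterConfig.class);
        PolicyEnforcerConfig enforcer = cfg.getPolicyEnforcerConfig();
        if (enforcer == null) {
            throw new IllegalStateException("no policy-enforcer in keycloak.json: nothing is authorized");
        }
        if (enforcer.getPaths() == null || enforcer.getPaths().isEmpty()) {
            System.out.println("warning: no explicit paths, resources will be discovered from the server by URI");
        } else {
            for (PathConfig p : enforcer.getPaths()) {
                System.out.println("enforcer path " + p.getPath() + " -> resource '" + p.getName() + "'");
            }
        }
        return cfg;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        KeycloakSecurityContext ksc =
            (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ksc == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Null when the enforcer is not configured: authenticated but never authorized.
        AuthorizationContext authz = ksc.getAuthorizationContext();
        if (authz == null || !authz.isGranted()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "request was not authorized by the policy enforcer");
            return;
        }
        // Defence in depth: the enforcer let the request in because SOME resource
        // matched the path. Require the one this endpoint actually protects.
        if (!authz.hasPermission("Special Resource", "view")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no 'view' permission on Special Resource");
            return;
        }
        resp.setContentType("text/plain");
        // Every permission the RPT grants to this session; this is the list the
        // thread reads via authzContext.getPermissions().
        for (Permission p : authz.getPermissions()) {
            resp.getWriter().println(p.getResourceName() + " " + p.getScopes());
        }
    }

    public static void main(String[] args) throws IOException {
        loadAdapterConfig(KEYCLOAK_JSON);
    }
}
```

The paths in policy-enforcer are matched against the request path relative to the application, so with a client root URL of http://localhost:7200/{app}/keycloak the resource URI /secure/role/* is the right form, as Pedro says; enabling DEBUG logging for org.keycloak.adapters.authorization shows which path the enforcer resolved for each request. Keep "ssl-required": "none" to localhost experiments only, since it removes the TLS requirement for every request.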

