[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
keycloak demo
testoauth55 at gmail.com
Tue Aug 28 01:37:58 EDT 2018
Thanks, Pedro, for the update.
Just to add details to my previous mail: from the sample app / quickstart
app-authz-jee-servlet
<https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet>:
I use the jdoe user to log in, which has premium permissions, but when I debug,
I get only the Protected Resource in the permission list:
Permission {id=1ace954c-3de5-4f33-83f7-2822ce2b35fe, name=Protected
Resource, scopes=[urn:servlet-authz:protected:resource:access]}
The only change I have made in the realm imported from the sample is to replace the root &
base URL in the client, http://localhost:8080/authz-servlet, with
http://localhost:7200/myapp
and the premium resource URI /protected/premium/* with /secure/role/*
(the URL I am accessing with the above config and user jdoe on my client app is
http://localhost:7200/myapp/secure/role).
Could this be an issue because in my case my client app is running on a
different port (as it is outside the WildFly server that is running
Keycloak)?
On Mon, Aug 27, 2018 at 7:30 PM Pedro Igor Silva <psilva at redhat.com> wrote:
> Hi,
>
> Thanks for continuing to look at this. Let's do this: I'll do the same
> steps using Jetty to reproduce the issue and will let you know during this
> week once I have something to share.
>
> Another weird thing is that the example actually should return all
> permissions and make them available after the login. Will check how this is
> working with Jetty too. The tests we have in the quickstarts are
> WildFly based...
>
> On Mon, Aug 27, 2018 at 8:22 AM, keycloak demo <testoauth55 at gmail.com>
> wrote:
>
>> I have tried one more thing: I have imported the realm from one of the Keycloak
>> quickstarts
>> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet and
>> only replaced the URLs with my application URLs.
>>
>> But I get the same error if I remove the resource containing the URI
>> /* (resource name is: Protected Resource). Furthermore, if I keep
>> this resource (/*), I am able to authorize a user, but putting a debugger in the
>> client app showed that the authContext Permission list contains only 1 resource,
>> i.e. Protected Resource, although the user which authenticated was assigned
>> the role contained in the resource named Premium Resource. So ideally the
>> Permission list must have contained this resource as well. (I am
>> mentioning the names Protected, Premium as mentioned in the Keycloak
>> quickstart.) I put in the /* URI in my original app and the 403 stopped. But the
>> permission array contained only this resource (with URI /*).
>>
>> java.util.List<Permission> perms = authzContext.getPermissions();
>>
>> To summarize the above test:
>> I get a 403 error if a resource containing URI /* is not present. If a URI
>> containing /* is present, then I get only this resource in the Permissions
>> Array / List in the Java client app even if the resource with a specific URI
>> like /app/secure contains a valid role/policy/permission. Also the evaluate
>> API available under the Authorization option shows the result as permit.
>>
>> Screenshots present
>> here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>
>>
>> On Mon, Aug 20, 2018 at 12:07 PM keycloak demo <testoauth55 at gmail.com>
>> wrote:
>>
>>> Pedro,
>>>
>>> Yes, default permissions grant access to any resource in my application
>>> (uri == /*). But the problem starts when I specify a resource with a specific URI
>>> (as described in the configuration in my previous email and also here:
>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>> ).
>>>
>>> Just to summarize the real problem:
>>>
>>> Apart from the default resource having `/*`, I have a second resource having
>>> URI /secure/role/*, and this resource also has a role-based policy
>>> to allow access only to users having the role "special". The expected behavior
>>> is that users who don't have the role "special" should not be able to access
>>> this resource, right?
>>>
>>> But I am able to access this resource with any user, any role. So I
>>> thought that maybe the default resource URI with '/*' is overriding the behavior
>>> of the second resource, so I changed the default resource URI to '/test/*', and
>>> then I started receiving a 403 error for accessing both '/test' as well as the
>>> second resource '/secure/role/*' for all users, including the user with the
>>> "special" role assigned.
>>>
>>> I looked into the realm resource configuration in one of the quickstarts
>>> and the only difference I found was that the quickstart resources specify a
>>> scope in each of the resources whereas I have kept it blank. Could this be an
>>> issue?
>>>
>>> I understand you already spent time trying to resolve this, but the
>>> problem still persists.
>>>
>>> On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo <testoauth55 at gmail.com>
>>>> wrote:
>>>>
>>>>> Pedro,
>>>>>
>>>>> After further debugging I found out that the following line in
>>>>> keycloak.json is causing the issue: "policy-enforcer": {}. If I remove this
>>>>> line, then the 403 error goes away, but I guess doing this disables
>>>>> authorization altogether. 2 questions on this:
>>>>> 1. When I have configured policies on the Admin console under the
>>>>> authorization tab, why is this empty?
>>>>>
>>>>
>>>> I'm not sure. When you enable authorization services for a client,
>>>> default resources/permissions are created, where these permissions grant
>>>> access to any resource in your application (uri == /*).
>>>>
>>>>
>>>>> 2. Is there a way to put some default values (not manually) in here to
>>>>> make authorization work?
>>>>>
>>>>
>>>> Like I said, when you just enable the authorization services switch,
>>>> default settings are created automatically.
>>>>
>>>> Did you try to run any of our quickstarts?
>>>>
>>>>
>>>>
>>>>>
>>>>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Yeah, it should be relative. I was wondering if the correct URI
>>>>>> would be '/keycloak/secure/role' instead.
>>>>>>
>>>>>> In any case, I would ask you to try the same deployment using Tomcat
>>>>>> or WildFly to see how it goes. We have a few quickstarts running on these
>>>>>> two. Maybe you could also try to enable the DEBUG log level to see how the
>>>>>> policy enforcer is matching URIs to your resources.
>>>>>>
>>>>>> If none of them work, I can give it a try and run Jetty.
>>>>>>
>>>>>> Regards.
>>>>>> Pedro Igor
>>>>>>
>>>>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <
>>>>>> testoauth55 at gmail.com> wrote:
>>>>>>
>>>>>>> Pedro, thanks for replying. I tried putting the absolute URI, but it
>>>>>>> does not work either. The documentation anyway states that the URI in a
>>>>>>> resource can be relative to the client root URL, which I have configured to be
>>>>>>> http://localhost:7200/{app}/keycloak , therefore putting the relative
>>>>>>> URI '/secure/role' in the resource should be equivalent to putting the
>>>>>>> absolute URI 'http://localhost:7200/{app}/keycloak/secure/role'.
>>>>>>> Do you think there is something else I can try?
>>>>>>>
>>>>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Your configuration looks correct. But I noticed that in the Postman
>>>>>>>> request you are sending requests to
>>>>>>>> `http://localhost:7200/{app}/keycloak/secure/role`. However, in
>>>>>>>> your resource definition the URI is configured to `/secure/role`. Both URIs
>>>>>>>> should match, otherwise the adapter won't be able to map the URI in your
>>>>>>>> application to a resource in Keycloak (and related permissions).
>>>>>>>>
>>>>>>>> Regards.
>>>>>>>> Pedro Igor
>>>>>>>>
>>>>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <
>>>>>>>> testoauth55 at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> With all the configuration (shared below), when I test using the
>>>>>>>>> evaluate
>>>>>>>>> option under the authorization tab, the result is permit:
>>>>>>>>>
>>>>>>>>> But when I make a request to this resource through Postman, I get
>>>>>>>>> 403.
>>>>>>>>>
>>>>>>>>> Which part of the configuration is wrong and is leading to the 403
>>>>>>>>> error?
>>>>>>>>>
>>>>>>>>> CONFIGURATION:
>>>>>>>>>
>>>>>>>>> Detailed configuration with images shown here:
>>>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>>>>>
>>>>>>>>> 1. Following
>>>>>>>>> https://www.keycloak.org/docs/4.2/authorization_services/ , I
>>>>>>>>> created a
>>>>>>>>> realm role: role_special_user and created a user:
>>>>>>>>> user_special with
>>>>>>>>> this role and the role user.
>>>>>>>>>
>>>>>>>>> 2. Next, my resource server / client has full scope
>>>>>>>>> enabled:
>>>>>>>>> 3. Under the authorization tab, I created a resource with the role-based
>>>>>>>>> policy.
>>>>>>>>>
>>>>>>>>> 4. Now, keycloak.json is:
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>   "realm": "demo12",
>>>>>>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>>>>>>   "ssl-required": "none",
>>>>>>>>>   "resource": "server12",
>>>>>>>>>   "credentials": {
>>>>>>>>>     "secret": "XXXXXXX"
>>>>>>>>>   },
>>>>>>>>>   "confidential-port": 0,
>>>>>>>>>   "policy-enforcer": {}
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> 5. And the Keycloak Jetty adapter configuration is:
>>>>>>>>>
>>>>>>>>> import java.io.InputStream;
>>>>>>>>> import com.fasterxml.jackson.annotation.JsonInclude;
>>>>>>>>> import com.fasterxml.jackson.databind.ObjectMapper;
>>>>>>>>> import org.eclipse.jetty.security.ConstraintMapping;
>>>>>>>>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>>>>>>>> import org.eclipse.jetty.util.security.Constraint;
>>>>>>>>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>>>>>>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>>>>>>>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>>>>>>>
>>>>>>>>> // Load keycloak.json from the classpath (Constants and context are
>>>>>>>>> // defined elsewhere in the application).
>>>>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>>>>>> InputStream is = Thread.currentThread().getContextClassLoader()
>>>>>>>>>         .getResourceAsStream(KEYCLOAK_JSON);
>>>>>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>>>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>>>>>
>>>>>>>>> // Presumed intent of the garbled line in the mail ("= KeyCloakConfig;"):
>>>>>>>>> // create the authenticator and hand it the parsed adapter config.
>>>>>>>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>>>>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>>>>>>
>>>>>>>>> // Require an authenticated user (any role, "**") for every path; the
>>>>>>>>> // policy enforcer from keycloak.json then decides per resource.
>>>>>>>>> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>>>>> ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>>>> constraintMapping.setPathSpec("/*");
>>>>>>>>> Constraint constraint = new Constraint();
>>>>>>>>> constraint.setAuthenticate(true);
>>>>>>>>> constraint.setRoles(new String[]{"**"});
>>>>>>>>> constraintMapping.setConstraint(constraint);
>>>>>>>>> securityHandler.addConstraintMapping(constraintMapping);
>>>>>>>>> securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>>>> context.setSecurityHandler(securityHandler);
>>>>>>>>>
>>>>>>>>> 6. Also, the decoded JWT token sample is:
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>   "jti": "XXXXXXX",
>>>>>>>>>   "exp": 1533798704,
>>>>>>>>>   "nbf": 0,
>>>>>>>>>   "iat": 1533798404,
>>>>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>>>>   "aud": "server12",
>>>>>>>>>   "sub": "XXXXXXX",
>>>>>>>>>   "typ": "Bearer",
>>>>>>>>>   "azp": "server12",
>>>>>>>>>   "auth_time": 1533798404,
>>>>>>>>>   "session_state": "XXXXXX",
>>>>>>>>>   "acr": "1",
>>>>>>>>>   "allowed-origins": [],
>>>>>>>>>   "realm_access": {
>>>>>>>>>     "roles": [
>>>>>>>>>       "role_special_user",
>>>>>>>>>       "offline_access",
>>>>>>>>>       "uma_authorization",
>>>>>>>>>       "user"
>>>>>>>>>     ]
>>>>>>>>>   },
>>>>>>>>>   "resource_access": {
>>>>>>>>>     "server12": {
>>>>>>>>>       "roles": [
>>>>>>>>>         "uma_protection"
>>>>>>>>>       ]
>>>>>>>>>     },
>>>>>>>>>     "account": {
>>>>>>>>>       "roles": [
>>>>>>>>>         "manage-account",
>>>>>>>>>         "manage-account-links",
>>>>>>>>>         "view-profile"
>>>>>>>>>       ]
>>>>>>>>>     }
>>>>>>>>>   },
>>>>>>>>>   "scope": "openid email profile",
>>>>>>>>>   "email_verified": false,
>>>>>>>>>   "preferred_username": "user_special"
>>>>>>>>> }
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
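The explicit path-to-resource mapping this thread keeps circling around, as an added example (not from the original posts, the quickstart or the Keycloak project): a keycloak.json for the poster's server12 client whose policy-enforcer section tells the adapter which server-side resource each application path belongs to, instead of relying on the URIs stored on the resources. The realm, client and secret placeholder are the poster's; the resource names Protected Resource and Premium Resource are the quickstart's; the enforcement-mode, paths, name and path keys are the policy-enforcer options documented for the Keycloak adapters.

```json
{
  "realm": "demo12",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "none",
  "resource": "server12",
  "credentials": {
    "secret": "XXXXXXX"
  },
  "confidential-port": 0,
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "Premium Resource",
        "path": "/secure/role/*"
      },
      {
        "name": "Protected Resource",
        "path": "/*"
      }
    ]
  }
}
```

When a paths entry names a resource, the enforcer uses that path for it and ignores the URIs recorded on the server, so a resource whose URI was entered as /protected/premium/* is still matched when the application serves /secure/role/*. Switching enforcement-mode to PERMISSIVE lets requests for unmapped paths through while the DEBUG log of the policy enforcer shows how each request URI is being matched.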