[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

keycloak demo testoauth55 at gmail.com
Tue Aug 28 11:27:20 EDT 2018


Thanks Pedro for quick turnaround.

I have taken a keycloak 4.3 installation. I imported the new realm and ran
the app. However, I am still facing the same issue. I am able to login with
the special user. But I am also able to login with jdoe (premium user) and
alice (normal user) when actually only the special user should be allowed and
the other 2 denied. Also, in all 3 cases, I get only 1 item in the permission
list, i.e. Protected Resource (the resource with URI /*):

[Permission {id=ce71e506-d2f5-4c8b-8c2b-00f282bfb7d5, name=Protected
Resource, scopes=[urn:servlet-authz:protected:resource:access]}]

ALSO, I had to make a couple of changes for the realm to work:

1. Just like I mentioned in my previous email, I changed the port number in
the client URLs to 7200 as my app is running on jetty on a different port
outside keycloak. (Could this be the reason, that the app is running on a
different port and keycloak/wildfly is running on a different port?)

2. The second change I made was to set the Valid Redirect URI to * in Client
settings. I was getting 400 on specifying: http://localhost:7200/myapp/* (could
this be an issue?)

NOTE: 403 would start coming if I delete the resource named Protected Resource.


On Tue, Aug 28, 2018 at 7:20 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> Could you please check changes I did in this branch
> https://github.com/pedroigor/keycloak-quickstarts/tree/tmp ?
>
> Basically, I have modified the realm settings to:
>
> * Include a new user granted with a "special" realm role
> * Include a new "Special Resource" mapping to "/secure/role/*"
> * Include a permission for "Special Resource" granting access only for users
> with the "special" role
>
> It seems to be working fine, but maybe I'm still missing something. Would
> be nice if you could look at my changes, import the realm settings and
> check how it is working.
>
> In addition to that, could you please try running Keycloak 4.3.0.Final?
>
> Regards.
> Pedro Igor
>
>
> On Tue, Aug 28, 2018 at 2:37 AM, keycloak demo <testoauth55 at gmail.com>
> wrote:
>
>> Thanks Pedro for the update.
>>
>> Just to add details to my previous mail: From the sample app / quickstart
>> app-authz-jee-servlet
>> <https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet>:
>> I use the jdoe user to login, which has premium permissions, but when I
>> debug, I get only Protected Resource in the permission list:
>>
>> Permission {id=1ace954c-3de5-4f33-83f7-2822ce2b35fe, name=Protected
>> Resource, scopes=[urn:servlet-authz:protected:resource:access]}
>>
>> The only change I have made in the realm imported from the sample is to replace
>> the root & base URL in the client: http://localhost:8080/authz-servlet with
>> http://localhost:7200/myapp
>> and the premium resource URI /protected/premium/* with /secure/role/*
>>
>> (The URL I am accessing with above config and user jdoe on my client app
>> is : http://localhost:7200/myapp/secure/role)
>>
>> Could this be an issue that in my case my client app is running on a
>> different port (as it is outside the wildfly server that is running
>> keycloak)?
>>
>> On Mon, Aug 27, 2018 at 7:30 PM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Thanks for continuing to look at this. Let's do this, I'll do the same
>>> steps using Jetty to reproduce the issue, will let you know during this
>>> week once I have something to share.
>>>
>>> Another weird thing is that the example actually should return all
>>> permissions and make them available after the login. Will check how this is
>>> working with Jetty too. The tests we have in the quickstarts are
>>> wildfly based ....
>>>
>>> On Mon, Aug 27, 2018 at 8:22 AM, keycloak demo <testoauth55 at gmail.com>
>>> wrote:
>>>
>>>> I have tried 1 more thing: I have imported realm from one of the
>>>> keycloak quickstarts
>>>> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet and
>>>> only replaced the URLs with my application URLs.
>>>>
>>>> But I get the same error if I remove the resource containing the URI
>>>> /* (resource name is: Protected Resource). Furthermore, if I keep
>>>> this resource (/*), I am able to authorize a user, but putting a debugger in
>>>> the client app showed that the authContext Permission list contains only 1 resource,
>>>> i.e. Protected Resource. Although the user which authenticated was assigned
>>>> the role contained in the resource named Premium Resource. So ideally the
>>>> Permission list must have contained this resource as well. (I am
>>>> mentioning the names - Protected, Premium - as mentioned in the keycloak
>>>> quick start). I put in the /* URI in my original app and the 403 stopped. But the
>>>> permission array contained only this resource (with URI /*)
>>>>
>>>> java.util.List<Permission> perms = authzContext.getPermissions();
>>>>
>>>> To summarize the above test:
>>>> I get a 403 error if a resource containing the URI /* is not present. If a
>>>> URI containing /* is present, then I get only this resource in the
>>>> Permissions Array / List in the java client app even if the resource with
>>>> a specific URI like /app/secure contains a valid role/policy/permission. Also
>>>> the evaluate API available under the Authorization option shows the result as
>>>> permit.
>>>>
>>>> Screenshots present
>>>> here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>
>>>>
>>>> On Mon, Aug 20, 2018 at 12:07 PM keycloak demo <testoauth55 at gmail.com>
>>>> wrote:
>>>>
>>>>> Pedro,
>>>>>
>>>>> Yes, default permissions grant access to any resource in my application
>>>>> (uri == /*). But the problem starts when I specify a resource with a specific URI
>>>>> (as described in the configuration in my previous email and also here:
>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>> ).
>>>>>
>>>>> Just to summarize the real problem:
>>>>>
>>>>> Apart from the default resource having `/*`, I have a second resource
>>>>> having URI: /secure/role/* and this resource also has a role based
>>>>> policy to allow access to only users having the role "special". The expected
>>>>> behavior is that users who don't have the role "special" should not be able to
>>>>> access this resource, right?
>>>>>
>>>>> But I am able to access this resource with any user, any role. So I
>>>>> thought that maybe the default resource URI with '/*' is overriding the behavior
>>>>> of the second resource, so I changed the default resource URI to '/test/*', and
>>>>> then I started receiving 403 errors for accessing both '/test' as well as the
>>>>> second resource '/secure/role/*' for all users, including the user with
>>>>> the "special" role assigned.
>>>>>
>>>>> I looked into the realm resource configuration in one of the quick starts
>>>>> and the only difference I found was that the quick start resources specify
>>>>> a scope in each of the resources whereas I have kept it blank. Could this be an
>>>>> issue?
>>>>>
>>>>> I understand you have already spent time trying to resolve this, but the
>>>>> problem still persists.
>>>>>
>>>>> On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo <testoauth55 at gmail.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Pedro,
>>>>>>>
>>>>>>> After further debugging I found out that the following line in keycloak
>>>>>>> json is causing the issue: "policy-enforcer": {}. If I remove this
>>>>>>> line, then the 403 error is removed, but I guess doing this disables
>>>>>>> authorization altogether. 2 questions on this:
>>>>>>> 1. When I have configured policies on the Admin console under the
>>>>>>> authorization tab, why is this empty?
>>>>>>>
>>>>>>
>>>>>> I'm not sure. When you enable authorization services for a client,
>>>>>> default resource/permissions are created, where these permissions grant
>>>>>> access to any resource in your application (uri == /*).
>>>>>>
>>>>>>
>>>>>>> 2. Is there a way to put some default values (not manually) in here
>>>>>>> to make authorization work?
>>>>>>>
>>>>>>
>>>>>> Like I said, when you just enable the authorization services switch,
>>>>>> default settings are created automatically.
>>>>>>
>>>>>> Did you try to run any of our quickstarts?
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva at redhat.com
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> Yeah, it should be relative. I was wondering if the correct URI
>>>>>>>> would be '/keycloak/secure/role' instead.
>>>>>>>>
>>>>>>>> In any case, I would ask you to try the same deployment using
>>>>>>>> tomcat or wildfly to see how it goes. We have a few quickstarts running on
>>>>>>>> these two. Maybe you could also try to enable DEBUG log level to see how
>>>>>>>> the policy enforcer is matching URIs to your resources.
>>>>>>>>
>>>>>>>> If none of them work, I can give a try and run jetty.
>>>>>>>>
>>>>>>>> Regards.
>>>>>>>> Pedro Igor
>>>>>>>>
>>>>>>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <
>>>>>>>> testoauth55 at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Pedro, thanks for replying. I tried putting the absolute URI, but
>>>>>>>>> it does not work either. The documentation anyway states that the URI in
>>>>>>>>> the resource can be relative to the client root URL, which I have configured to be
>>>>>>>>> http://localhost:7200/{app}/keycloak , therefore
>>>>>>>>> putting the relative URI '/secure/role' in the resource should be
>>>>>>>>> equivalent to putting the absolute URI:
>>>>>>>>> 'http://localhost:7200/{app}/keycloak/secure/role'. Do you think
>>>>>>>>> there is something else I can try?
>>>>>>>>>
>>>>>>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <
>>>>>>>>> psilva at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Your configuration looks correct. But I noticed that in the
>>>>>>>>>> postman request you are sending requests to
>>>>>>>>>> `http://localhost:7200/{app}/keycloak/secure/role`. However,
>>>>>>>>>> in your resource definition the URI is configured to `/secure/role`. Both
>>>>>>>>>> URIs should match, otherwise the adapter won't be able to map the URI in
>>>>>>>>>> your application to a resource in Keycloak (and related permissions).
>>>>>>>>>>
>>>>>>>>>> Regards.
>>>>>>>>>> Pedro Igor
>>>>>>>>>>
>>>>>>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <
>>>>>>>>>> testoauth55 at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> With all the configuration (shared below), when I test using the
>>>>>>>>>>> evaluate option under the authorization tab, the result is permit:
>>>>>>>>>>>
>>>>>>>>>>> But when I make a request to this resource through postman, I
>>>>>>>>>>> get 403.
>>>>>>>>>>>
>>>>>>>>>>> Which part of the configuration is wrong that is leading to the 403
>>>>>>>>>>> error?
>>>>>>>>>>>
>>>>>>>>>>> CONFIGURATION:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Detailed configuration with images shown here:
>>>>>>>>>>>
>>>>>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>>>>>>>
>>>>>>>>>>> 1. Following https://www.keycloak.org/docs/4.2/authorization_services/ , I
>>>>>>>>>>> created a realm role: role_special_user and created a user:
>>>>>>>>>>> user_special with this role and the role user.
>>>>>>>>>>>
>>>>>>>>>>> 2. Next, my resource server / client is with full scope enabled:
>>>>>>>>>>>
>>>>>>>>>>> 3. Under the authorization tab, I created a resource with the
>>>>>>>>>>> role based policy.
>>>>>>>>>>>
>>>>>>>>>>> *4.* Now, keycloak json is:
>>>>>>>>>>>
>>>>>>>>>>> {
>>>>>>>>>>>   "realm": "demo12",
>>>>>>>>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>>>>>>>>   "ssl-required": "none",
>>>>>>>>>>>   "resource": "server12",
>>>>>>>>>>>   "credentials": {
>>>>>>>>>>>     "secret": "XXXXXXX"
>>>>>>>>>>>   },
>>>>>>>>>>>   "confidential-port": 0,
>>>>>>>>>>>   "policy-enforcer": {}
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> *5.* And Keycloak Jetty adapter configuration is:
>>>>>>>>>>>
>>>>>>>>>>> import java.io.InputStream;
>>>>>>>>>>> import com.fasterxml.jackson.annotation.JsonInclude;
>>>>>>>>>>> import com.fasterxml.jackson.databind.ObjectMapper;
>>>>>>>>>>> import org.eclipse.jetty.security.ConstraintMapping;
>>>>>>>>>>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>>>>>>>>>> import org.eclipse.jetty.util.security.Constraint;
>>>>>>>>>>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>>>>>>>>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>>>>>>>>>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>>>>>>>>>
>>>>>>>>>>> // Load keycloak.json from the classpath and parse it into an AdapterConfig.
>>>>>>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>>>>>>>> InputStream is = Thread.currentThread().getContextClassLoader()
>>>>>>>>>>>         .getResourceAsStream(KEYCLOAK_JSON);
>>>>>>>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>>>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>>>>>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>>>>>>>
>>>>>>>>>>> // The assignment was garbled in the mail ("= KeyCloakConfig;"); the adapter
>>>>>>>>>>> // is created and handed the parsed AdapterConfig like this.
>>>>>>>>>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>>>>>>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>>>>>>>>
>>>>>>>>>>> if (kcAuthenticator != null) {
>>>>>>>>>>>     // Require authentication for every path; "**" means any authenticated user.
>>>>>>>>>>>     ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>>>>>>>     ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>>>>>>     constraintMapping.setPathSpec("/*");
>>>>>>>>>>>     Constraint constraint = new Constraint();
>>>>>>>>>>>     constraint.setAuthenticate(true);
>>>>>>>>>>>     constraint.setRoles(new String[]{"**"});
>>>>>>>>>>>     constraintMapping.setConstraint(constraint);
>>>>>>>>>>>     securityHandler.addConstraintMapping(constraintMapping);
>>>>>>>>>>>     securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>>>>>>     context.setSecurityHandler(securityHandler);
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> *6.* Also, the decoded jwt token sample is:
>>>>>>>>>>>
>>>>>>>>>>> {
>>>>>>>>>>>   "jti": "XXXXXXX",
>>>>>>>>>>>   "exp": 1533798704,
>>>>>>>>>>>   "nbf": 0,
>>>>>>>>>>>   "iat": 1533798404,
>>>>>>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>>>>>>   "aud": "server12",
>>>>>>>>>>>   "sub": "XXXXXXX",
>>>>>>>>>>>   "typ": "Bearer",
>>>>>>>>>>>   "azp": "server12",
>>>>>>>>>>>   "auth_time": 1533798404,
>>>>>>>>>>>   "session_state": "XXXXXX",
>>>>>>>>>>>   "acr": "1",
>>>>>>>>>>>   "allowed-origins": [],
>>>>>>>>>>>   "realm_access": {
>>>>>>>>>>>     "roles": [
>>>>>>>>>>>       "role_special_user",
>>>>>>>>>>>       "offline_access",
>>>>>>>>>>>       "uma_authorization",
>>>>>>>>>>>       "user"
>>>>>>>>>>>     ]
>>>>>>>>>>>   },
>>>>>>>>>>>   "resource_access": {
>>>>>>>>>>>     "server12": {
>>>>>>>>>>>       "roles": [
>>>>>>>>>>>         "uma_protection"
>>>>>>>>>>>       ]
>>>>>>>>>>>     },
>>>>>>>>>>>     "account": {
>>>>>>>>>>>       "roles": [
>>>>>>>>>>>         "manage-account",
>>>>>>>>>>>         "manage-account-links",
>>>>>>>>>>>         "view-profile"
>>>>>>>>>>>       ]
>>>>>>>>>>>     }
>>>>>>>>>>>   },
>>>>>>>>>>>   "scope": "openid email profile",
>>>>>>>>>>>   "email_verified": false,
>>>>>>>>>>>   "preferred_username": "user_special"
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>
>
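As an added illustration (not code from this thread, from Keycloak, or from the quickstarts): a small Python model of the mapping step Pedro describes, where the enforcer first maps the request URI to a resource and only then evaluates that resource's policy. The resources, roles and users are constructed sample data mirroring the thread, and the model assumes most-specific-URI-wins matching (the behaviour the thread expects), so it shows why the decision hinges on which resource the URI is matched to and what happens when the catch-all `/*` resource is removed.

```python
"""Simplified model of a policy enforcer: map a request path to the most
specific protected resource, then evaluate that resource's role policy.
Constructed for illustration only; this is not Keycloak's PathMatcher."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    uri: str                                  # exact path or "/prefix/*" wildcard
    required_roles: frozenset = frozenset()   # empty: any authenticated user


# Constructed sample data, mirroring the resources discussed in the thread.
RESOURCES = [
    Resource("Protected Resource", "/*"),
    Resource("Special Resource", "/secure/role/*", frozenset({"special"})),
]

# Constructed sample users; roles chosen to match the thread's scenario.
USERS = {
    "user_special": {"special", "user"},
    "jdoe": {"premium", "user"},
    "alice": {"user"},
}


def match_resource(path, resources):
    """Return the most specific resource whose URI covers `path`.
    An exact match wins; otherwise the longest "/prefix/*" wildcard wins,
    so a bare "/*" is only used when nothing more specific matches."""
    for r in resources:
        if r.uri == path:
            return r
    best, best_len = None, -1
    for r in resources:
        if r.uri.endswith("/*"):
            prefix = r.uri[:-2]              # "/secure/role/*" -> "/secure/role"
            if (path == prefix or path.startswith(prefix + "/")) and len(prefix) > best_len:
                best, best_len = r, len(prefix)
    return best


def decide(user, path, resources=RESOURCES, users=USERS):
    """Return (http_status, matched_resource_name) for an authenticated user."""
    resource = match_resource(path, resources)
    if resource is None:
        return 403, None                     # no resource maps to this URI
    if resource.required_roles and not (resource.required_roles & users[user]):
        return 403, resource.name            # mapped, but the role policy denies
    return 200, resource.name
```

With the catch-all removed (`RESOURCES[1:]`), a path that no resource covers yields 403 with no match at all, which is the first thing to check in the adapter's DEBUG output before looking at the policies themselves.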