[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

Pedro Igor Silva psilva at redhat.com
Tue Aug 28 14:12:47 EDT 2018


Running the app in a separated server is not a problem.

If you delete the "protected resource" you will get 403 because there is no
resource granting access to "/", "/index.jsp" or "/protected/*".

Maybe what you are trying to achieve is some way to update URIs in Keycloak
and have those changes recognized by the policy enforcer in front of your
app? If so, you can disable the cache of paths/URIs by adding the following
config to your policy-enforcer in keycloak.json:

"path-cache": {
  "lifespan": 0,
  "max-entries": 0
}

This will make the PEP invoke the server all the time for resources and path
mapping.

By default, resource/path mapping is enabled and that avoids hits to the
server in order to fetch resources and their uris.
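As an added illustration (not code from this thread or from Keycloak), here is a constructed Python model of the path-to-resource mapping and role check a policy enforcer performs; its wildcard and most-specific-match rules are assumptions, and the resource names follow the quickstart realm discussed in the thread. It shows why removing the "/*" resource leaves "/" and "/index.jsp" with nothing granting access (403), while "/secure/role/*" only admits holders of the "special" role.

```python
"""Constructed model of a policy enforcement point (PEP): map a request path to a
resource, then apply that resource's role policy. Added illustration, not Keycloak
code; the wildcard and most-specific-match rules are assumptions for the example."""
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    uris: list                                  # patterns such as "/*" or "/secure/role/*"
    required_roles: set = field(default_factory=set)  # empty = any authenticated user

def _uri_matches(pattern: str, path: str) -> bool:
    """Assumed rule: "/x/*" matches "/x" and everything below it; "/*" matches all."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def match_resource(resources, path):
    """Return the matching resource with the longest literal prefix (most specific),
    or None when no resource covers the path, which the PEP reports as 403."""
    best, best_len = None, -1
    for resource in resources:
        for pattern in resource.uris:
            literal = len(pattern.rstrip("*"))
            if _uri_matches(pattern, path) and literal > best_len:
                best, best_len = resource, literal
    return best

def enforce(resources, path, user_roles):
    """Return (http_status, resource_name) for a request by a user holding user_roles."""
    resource = match_resource(resources, path)
    if resource is None:
        return 403, None                        # nothing grants access to this path
    if resource.required_roles and not resource.required_roles & set(user_roles):
        return 403, resource.name               # matched, but the role policy denies
    return 200, resource.name

# Resources modelled on the thread: the quickstart catch-all plus the "special" one.
REALM_RESOURCES = [
    Resource("Protected Resource", ["/*"]),
    Resource("Special Resource", ["/secure/role/*"], {"special"}),
]
WITHOUT_CATCH_ALL = [r for r in REALM_RESOURCES if r.name != "Protected Resource"]

if __name__ == "__main__":
    print(enforce(REALM_RESOURCES, "/secure/role", ["premium"]))          # (403, 'Special Resource')
    print(enforce(REALM_RESOURCES, "/secure/role", ["special", "user"]))  # (200, 'Special Resource')
    print(enforce(REALM_RESOURCES, "/index.jsp", ["premium"]))            # (200, 'Protected Resource')
    print(enforce(WITHOUT_CATCH_ALL, "/index.jsp", ["special"]))          # (403, None)
```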

On Tue, Aug 28, 2018 at 12:27 PM, keycloak demo <testoauth55 at gmail.com>
wrote:

> Thanks Pedro for quick turnaround.
>
> I have taken keycloak 4.3 installation. I imported the new realm and ran
> the app. However, still facing the same issue. I am able to login with
> special user. But I am also able to login with jdoe (premium user) and
> alice (normal user) when actually only special user should be allowed and
> other 2 denied. Also, in all 3 cases, I get only 1 item in permission
> list i.e. Protected resource (resource with URI: /*):
>
> [Permission {id=ce71e506-d2f5-4c8b-8c2b-00f282bfb7d5, name=Protected
> Resource, scopes=[urn:servlet-authz:protected:resource:access]}]
>
> ALSO, I had to make a couple of changes for realm to work:
>
> 1. Just like I mentioned in my previous email, I changed port number in
> the client URLs to 7200 as my app is running on jetty on a different port
> outside keycloak. (Could this be the reason that app is running on a
> different port and keycloak/wildfly is running on a different port?)
>
> 2. Second change I did was make Valid redirect URI as * in Client
> settings. I was getting 400 on specifying: http://localhost:7200/myapp/* (could
> this be an issue?)
>
> NOTE: 403 would start coming if I delete resource named Protected
> Resource.
>
>
> On Tue, Aug 28, 2018 at 7:20 PM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hi,
>>
>> Could you please check changes I did in this branch
>> https://github.com/pedroigor/keycloak-quickstarts/tree/tmp ?
>>
>> Basically, I have modified the realm settings to :
>>
>> * Include a new user granted with a "special" realm role
>> * Included a new "Special Resource" mapping to "/secure/role/*"
>> * Include permission for "Special Resource" granting access only for
>> users with "special" role
>>
>> It seems to be working fine, but maybe I'm still missing something. Would
>> be nice if you could look at my changes, import the realm settings and
>> check how it is working.
>>
>> In addition to that, could you please try running Keycloak 4.3.0.Final ?
>>
>> Regards.
>> Pedro Igor
>>
>>
>> On Tue, Aug 28, 2018 at 2:37 AM, keycloak demo <testoauth55 at gmail.com>
>> wrote:
>>
>>> Thanks Pedro for the update.
>>>
>>> Just to add details to my previous mail: From the sample app /
>>> quickstart app-authz-jee-servlet
>>> <https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet>:
>>> I use jdoe user to login which has premium permissions, but when I
>>> debug, I get only Protected resource in the permission list:
>>>
>>> Permission {id=1ace954c-3de5-4f33-83f7-2822ce2b35fe, name=Protected
>>> Resource, scopes=[urn:servlet-authz:protected:resource:access]}
>>>
>>> Only change I have done in realm imported from sample is replace root &
>>> base url in client:  http://localhost:8080/authz-servlet with
>>> http://localhost:7200/myapp
>>> and the premium resource URI : /protected/premium/* with /secure/role/*
>>>
>>> (The URL I am accessing with above config and user jdoe on my client app
>>> is : http://localhost:7200/myapp/secure/role)
>>>
>>> Could this be an issue that in my case my client app is running on a
>>> different port (as it is outside the wildfly server that is running
>>> keycloak)?
>>>
>>> On Mon, Aug 27, 2018 at 7:30 PM Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks for continuing looking at this. Let's do this, I'll do the same
>>>> steps using Jetty to reproduce the issue, will let you know during this
>>>> week once I have something to share.
>>>>
>>>> Another weird thing is that the example actually should return all
>>>> permissions and make them available after the login. Will check how this is
>>>> working with Jetty too. The tests we have in the quickstarts are
>>>> wildfly based ....
>>>>
>>>> On Mon, Aug 27, 2018 at 8:22 AM, keycloak demo <testoauth55 at gmail.com>
>>>> wrote:
>>>>
>>>>> I have tried 1 more thing: I have imported realm from one of the
>>>>> keycloak quickstarts
>>>>> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet
>>>>> and only replaced the URLs with my application URLs.
>>>>>
>>>>> But I get the same error if I remove the resource containing URI as
>>>>> /* (resource name is: Protected Resource). Furthermore, if I
>>>>> keep this resource (/*), I am able to authorize a user but putting a
>>>>> debugger in client app showed that authContext Permission list contains
>>>>> only 1 resource i.e. Protected Resource. Although the user which
>>>>> authenticated was assigned the role contained in resource name: Premium
>>>>> Resource. So ideally the Permission list must have contained this resource
>>>>> as well.  (I am mentioning the names - Protected, Premium as mentioned in
>>>>> the keycloak quick start). I put in /* URI in my original app and 403
>>>>> stopped. But the permission array contained only this resource (with URI /*)
>>>>>
>>>>> java.util.List<Permission> perms = authzContext.getPermissions();
>>>>>
>>>>> To summarize the above test:
>>>>> I get 403 error if a resource containing URI /* is not present. If a
>>>>> URI containing /* is present, then I get only this resource in the
>>>>> Permissions Array / List in the java client app even if the resource with
>>>>> specific URI like /app/secure contains valid role/policy/permission. Also
>>>>> the evaluate API available under Authorization option shows result as
>>>>> permit.
>>>>>
>>>>> Screenshots present
>>>>> here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>
>>>>>
>>>>> On Mon, Aug 20, 2018 at 12:07 PM keycloak demo <testoauth55 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Pedro,
>>>>>>
>>>>>> Yes default permissions grant access to any resource in my
>>>>>> application (uri == /*). But problem starts when I specify a resource with
>>>>>> specific URI (as described in configuration in my previous email and also
>>>>>> here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>> ).
>>>>>>
>>>>>> Just to summarize the real problem:
>>>>>>
>>>>>> Apart from default resource having `/*`, I have a second resource
>>>>>> having URI:   /secure/role/*  and this resource also has a role
>>>>>> based policy to allow access to only users having role "special", the
>>>>>> expected behavior is the users who don't have role "special" should not be
>>>>>> able to access this resource, right?
>>>>>>
>>>>>> But I am able to access this resource with any user, any role. So I
>>>>>> thought that maybe default resource URI with '/*' is overriding behavior
>>>>>> of second resource, so I changed default resource URI to '/test/*', and
>>>>>> then I started receiving 403 error for accessing both '/test' as well as
>>>>>> second resource '/secure/role/*' for all users including user
>>>>>> with "special" role assigned.
>>>>>>
>>>>>> I looked into realm resource configuration in one of the quick starts
>>>>>> and the only difference I found was that quick start resources specify
>>>>>> scope in each of resources whereas I have kept it blank. Could this be an
>>>>>> issue?
>>>>>>
>>>>>> I understand you already spent time in trying to resolve this but
>>>>>> problem still persists.
>>>>>>
>>>>>> On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo <
>>>>>>> testoauth55 at gmail.com> wrote:
>>>>>>>
>>>>>>>> Pedro,
>>>>>>>>
>>>>>>>> After further debugging I found out that following line in keycloak
>>>>>>>> json is causing the issue:  "policy-enforcer": {}. If I remove
>>>>>>>> this line, then 403 error is removed but I guess doing this disables
>>>>>>>> authorization altogether. 2 questions on this:
>>>>>>>> 1. When I have configured policies on the Admin console under the
>>>>>>>> authorization tab, why is this empty?
>>>>>>>>
>>>>>>>
>>>>>>> I'm not sure. When you enable authorization services to a client
>>>>>>> default resource/permissions are created. Where these permissions grant
>>>>>>> access to any resource in your application (uri == /*).
>>>>>>>
>>>>>>>
>>>>>>>> 2. Is there a way to put some default values (not manually) in here
>>>>>>>> to make authorization work?
>>>>>>>>
>>>>>>>
>>>>>>> Like I said, when you just enable the authorization services switch,
>>>>>>> default settings are created automatically.
>>>>>>>
>>>>>>> Did you try to run any of our quickstarts ?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <
>>>>>>>> psilva at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Yeah, it should be relative. I was wondering if the correct URI
>>>>>>>>> would be '/keycloak/secure/role' instead.
>>>>>>>>>
>>>>>>>>> In any case, I would ask you to try the same deployment using
>>>>>>>>> tomcat or wildfly to see how it goes. We have a few quickstarts running on
>>>>>>>>> these two. Maybe you could also try to enable DEBUG log level to see how
>>>>>>>>> the policy enforcer is matching URIs to your resources.
>>>>>>>>>
>>>>>>>>> If none of them work, I can give a try and run jetty.
>>>>>>>>>
>>>>>>>>> Regards.
>>>>>>>>> Pedro Igor
>>>>>>>>>
>>>>>>>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <
>>>>>>>>> testoauth55 at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Pedro, thanks for replying. I tried putting the absolute URI,but
>>>>>>>>>> it does not work either. The documentation anyway states that the URI in
>>>>>>>>>> resource can be relative to client root URL which I have configured to be
>>>>>>>>>> http://localhost:7200/{app}/keycloak , therefore
>>>>>>>>>> putting relative URI '/secure/role' in resource should be
>>>>>>>>>> equivalent to putting absolute URI:
>>>>>>>>>> 'http://localhost:7200/{app}/keycloak/secure/role'. Do you think
>>>>>>>>>> there is something else I can try?
>>>>>>>>>>
>>>>>>>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <
>>>>>>>>>> psilva at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Your configuration looks correct. But I noticed that in the
>>>>>>>>>>> postman request you are sending requests to
>>>>>>>>>>> `http://localhost:7200/{app}/keycloak/secure/role`. However
>>>>>>>>>>> in your resource definition the URI is configured to `/secure/role`. Both
>>>>>>>>>>> URIs should match otherwise the adapter won't be able to map the URI in
>>>>>>>>>>> your application to a resource in Keycloak (and related permissions).
>>>>>>>>>>>
>>>>>>>>>>> Regards.
>>>>>>>>>>> Pedro Igor
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <
>>>>>>>>>>> testoauth55 at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> With all the configuration (shared below), when I test using the
>>>>>>>>>>>> evaluate option under authorization tab, result is permit:
>>>>>>>>>>>>
>>>>>>>>>>>> But when I make a request to this resource through postman, I
>>>>>>>>>>>> get 403.
>>>>>>>>>>>>
>>>>>>>>>>>> Which part of configuration is wrong which is leading to 403
>>>>>>>>>>>> error?
>>>>>>>>>>>>
>>>>>>>>>>>> CONFIGURATION:
>>>>>>>>>>>>
>>>>>>>>>>>> Detailed configuration with images shown here:
>>>>>>>>>>>>
>>>>>>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>>>>>>>>
>>>>>>>>>>>> 1. Following
>>>>>>>>>>>> https://www.keycloak.org/docs/4.2/authorization_services/ , I
>>>>>>>>>>>> created a realm role: role_special_user and created a user:
>>>>>>>>>>>> user_special with this role and role user.
>>>>>>>>>>>>
>>>>>>>>>>>> 2. Next, my resource server / client is with full scope
>>>>>>>>>>>> enabled:
>>>>>>>>>>>> 3. Under authorization tab, I created a resource with the
>>>>>>>>>>>> role based policy.
>>>>>>>>>>>>
>>>>>>>>>>>> 4. Now, keycloak json is:
>>>>>>>>>>>>
>>>>>>>>>>>> {
>>>>>>>>>>>>   "realm": "demo12",
>>>>>>>>>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>>>>>>>>>   "ssl-required": "none",
>>>>>>>>>>>>   "resource": "server12",
>>>>>>>>>>>>   "credentials": {
>>>>>>>>>>>>     "secret": "XXXXXXX"
>>>>>>>>>>>>   },
>>>>>>>>>>>>   "confidential-port": 0,
>>>>>>>>>>>>   "policy-enforcer": {}
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> 5. And Keycloak Jetty adapter configuration is:
>>>>>>>>>>>>
>>>>>>>>>>>> import java.io.InputStream;
>>>>>>>>>>>> import com.fasterxml.jackson.annotation.JsonInclude;
>>>>>>>>>>>> import com.fasterxml.jackson.databind.ObjectMapper;
>>>>>>>>>>>> import org.eclipse.jetty.security.ConstraintMapping;
>>>>>>>>>>>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>>>>>>>>>>> import org.eclipse.jetty.util.security.Constraint;
>>>>>>>>>>>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>>>>>>>>>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>>>>>>>>>>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>>>>>>>>>>
>>>>>>>>>>>> // Load keycloak.json from the classpath into an AdapterConfig
>>>>>>>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>>>>>>>>> InputStream is = Thread.currentThread().getContextClassLoader()
>>>>>>>>>>>>         .getResourceAsStream(KEYCLOAK_JSON);
>>>>>>>>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>>>>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>>>>>>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>>>>>>>>
>>>>>>>>>>>> // Hand the parsed adapter config to the Jetty authenticator
>>>>>>>>>>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>>>>>>>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>>>>>>>>>
>>>>>>>>>>>> // Require authentication on every path; role "**" means any authenticated user
>>>>>>>>>>>> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>>>>>>>> ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>>>>>>> constraintMapping.setPathSpec("/*");
>>>>>>>>>>>> Constraint constraint = new Constraint();
>>>>>>>>>>>> constraint.setAuthenticate(true);
>>>>>>>>>>>> constraint.setRoles(new String[]{"**"});
>>>>>>>>>>>> constraintMapping.setConstraint(constraint);
>>>>>>>>>>>> securityHandler.addConstraintMapping(constraintMapping);
>>>>>>>>>>>> securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>>>>>>> context.setSecurityHandler(securityHandler); // context: the app's ServletContextHandler
>>>>>>>>>>>>
>>>>>>>>>>>> 6. Also, the decoded jwt token sample is:
>>>>>>>>>>>>
>>>>>>>>>>>> {
>>>>>>>>>>>>   "jti": "XXXXXXX",
>>>>>>>>>>>>   "exp": 1533798704,
>>>>>>>>>>>>   "nbf": 0,
>>>>>>>>>>>>   "iat": 1533798404,
>>>>>>>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>>>>>>>   "aud": "server12",
>>>>>>>>>>>>   "sub": "XXXXXXX",
>>>>>>>>>>>>   "typ": "Bearer",
>>>>>>>>>>>>   "azp": "server12",
>>>>>>>>>>>>   "auth_time": 1533798404,
>>>>>>>>>>>>   "session_state": "XXXXXX",
>>>>>>>>>>>>   "acr": "1",
>>>>>>>>>>>>   "allowed-origins": [],
>>>>>>>>>>>>   "realm_access": {
>>>>>>>>>>>>     "roles": [
>>>>>>>>>>>>       "role_special_user",
>>>>>>>>>>>>       "offline_access",
>>>>>>>>>>>>       "uma_authorization",
>>>>>>>>>>>>       "user"
>>>>>>>>>>>>     ]
>>>>>>>>>>>>   },
>>>>>>>>>>>>   "resource_access": {
>>>>>>>>>>>>     "server12": {
>>>>>>>>>>>>       "roles": [
>>>>>>>>>>>>         "uma_protection"
>>>>>>>>>>>>       ]
>>>>>>>>>>>>     },
>>>>>>>>>>>>     "account": {
>>>>>>>>>>>>       "roles": [
>>>>>>>>>>>>         "manage-account",
>>>>>>>>>>>>         "manage-account-links",
>>>>>>>>>>>>         "view-profile"
>>>>>>>>>>>>       ]
>>>>>>>>>>>>     }
>>>>>>>>>>>>   },
>>>>>>>>>>>>   "scope": "openid email profile",
>>>>>>>>>>>>   "email_verified": false,
>>>>>>>>>>>>   "preferred_username": "user_special"
>>>>>>>>>>>> }
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>

