[keycloak-user] Keycloak Istio RBAC returns 403 Forbidden

Kannan K R kannan.k at kiwitech.com
Wed Nov 13 12:38:56 EST 2019


Any update on this?

On Tue, Nov 12, 2019 at 8:47 PM Kannan K R <kannan.k at kiwitech.com> wrote:

> Hi All
>
> I’m trying to authorize my users using their roles. Here is my JWT from
> Keycloak
>
> {
>   "jti": "f9f5af0c-b187-4510-8302-d2d553c3bdee",
>   "exp": 1573594538,
>   "nbf": 0,
>   "iat": 1573558569,
>   "iss": "https://kc.krk.wtf/auth/realms/K2",
>   "aud": "account",
>   "sub": "920fadc1-5a30-4d94-8604-8bd14cea2685",
>   "typ": "Bearer",
>   "azp": "ufinity",
>   "auth_time": 1573558538,
>   "session_state": "c5679b6d-fc0e-4536-abc2-3533e6ba8c85",
>   "acr": "1",
>   "realm_access": {
>     "roles": [
>       "provider",
>       "offline_access",
>       "uma_authorization"
>     ]
>   },
>   "resource_access": {
>     "ufinity": {
>       "roles": [
>         "provider1"
>       ]
>     },
>     "account": {
>       "roles": [
>         "manage-account",
>         "manage-account-links",
>         "view-profile"
>       ]
>     }
>   },
>   "scope": "openid email profile",
>   "email_verified": false,
>   "name": "Kannan2 Provider",
>   "preferred_username": "kannan2",
>   "given_name": "Kannan2",
>   "family_name": "Provider",
>   "email": "kannan2 at yopmail.com"
> }
>
> My Authorization yaml files are as follows:
>
> apiVersion: "rbac.istio.io/v1alpha1"
> kind: ClusterRbacConfig
> metadata:
>   name: default
> spec:
>   mode: 'ON_WITH_INCLUSION'
>   inclusion:
>     services:
>     - "record.default.svc.cluster.local"
> ---
> apiVersion: "rbac.istio.io/v1alpha1"
> kind: ServiceRole
> metadata:
>   name: regular-user
>   namespace: default
> spec:
>   rules:
>   - services:
>     - "record"
>     paths: ["/users/*"]
>     methods: ["GET"]
> ---
> apiVersion: "rbac.istio.io/v1alpha1"
> kind: ServiceRoleBinding
> metadata:
>   name: regular-user-binding
>   namespace: default
> spec:
>   subjects:
>   - user: "*"
>   roleRef:
>     kind: ServiceRole
>     name: "regular-user"
> ---
> apiVersion: "rbac.istio.io/v1alpha1"
> kind: ServiceRole
> metadata:
>   name: provider-role
>   namespace: default
> spec:
>   rules:
>   - services: ["*"]
>     paths: ["*"]
>     methods: ["*"]
> ---
> apiVersion: "rbac.istio.io/v1alpha1"
> kind: ServiceRoleBinding
> metadata:
>   name: provider-role-binding
>   namespace: default
> spec:
>   subjects:
>   - properties:
>       request.auth.claims[roles]: "provider1"
>   roleRef:
>     kind: ServiceRole
>     name: "provider-role"
>
> I'm always getting a 403 Forbidden response.
>
> Please let me know what I am doing wrong here, or point me to some
> documentation.
>
> Thanks in advance
> -Kannan
>

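One check worth running before writing a claim-matching policy like the `ServiceRoleBinding` above is to confirm where the role actually sits in the token. The binding quoted in the thread matches `request.auth.claims[roles]`, i.e. a claim named `roles`, while the quoted token has no such claim: the roles live under `realm_access.roles` and `resource_access.ufinity.roles`. Whether the mesh can address a nested claim depends on the Istio version in use; Keycloak's realm-role and client-role protocol mappers can alternatively be configured with a custom "Token Claim Name" so the roles are emitted as a top-level claim. The script below is an added example, not code from the original post, from Keycloak or from Istio. It rebuilds a token whose payload carries the same claims as the one quoted above, with a constructed header and a dummy signature, decodes the payload without verifying the signature (adequate for inspecting a token you already hold, never for an authorization decision), and reports every claim path that contains a given role.

```python
"""Locate where a role lives inside a Keycloak access token.

Added example, not code from the original post or from Keycloak/Istio.
TOKEN is CONSTRUCTED here: its payload repeats the claims quoted in the
thread, but the header and signature are dummies. The payload is decoded
WITHOUT signature verification, which is fine for inspecting a token you
already hold and never acceptable for making an authorization decision.
"""
import base64
import json


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # JWT segments are unpadded
    return base64.urlsafe_b64decode(segment)


# Claims as quoted in the thread; the email is kept in the archive's "at" form.
PAYLOAD = {
    "jti": "f9f5af0c-b187-4510-8302-d2d553c3bdee",
    "exp": 1573594538, "nbf": 0, "iat": 1573558569,
    "iss": "https://kc.krk.wtf/auth/realms/K2",
    "aud": "account",
    "sub": "920fadc1-5a30-4d94-8604-8bd14cea2685",
    "typ": "Bearer", "azp": "ufinity",
    "realm_access": {"roles": ["provider", "offline_access", "uma_authorization"]},
    "resource_access": {
        "ufinity": {"roles": ["provider1"]},
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
    },
    "scope": "openid email profile",
    "preferred_username": "kannan2",
}

# Constructed token: real-looking header, the payload above, dummy signature.
TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode(PAYLOAD),
    "c2lnbmF0dXJl",  # base64url("signature"), NOT a valid signature
])


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT. No signature check is performed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def lookup_claim(claims: dict, path: str):
    """Resolve a dotted path such as 'resource_access.ufinity.roles'.

    Returns None when any step of the path is missing, which is exactly the
    situation a policy keyed on a non-existent claim name ends up in.
    """
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def has_role(claims: dict, path: str, role: str) -> bool:
    """True if the list (or space-separated string) at `path` contains `role`."""
    values = lookup_claim(claims, path)
    if isinstance(values, str):
        values = values.split()
    return isinstance(values, list) and role in values


def find_role(claims: dict, role: str, prefix: str = "") -> list:
    """Return every dotted claim path whose list value contains `role`."""
    hits = []
    for key, value in claims.items():
        path = f"{prefix}{key}"
        if isinstance(value, list) and role in value:
            hits.append(path)
        elif isinstance(value, dict):
            hits.extend(find_role(value, role, path + "."))
    return hits


if __name__ == "__main__":
    claims = decode_jwt_payload(TOKEN)
    print("top-level 'roles' claim:", lookup_claim(claims, "roles"))
    print("paths containing 'provider1':", find_role(claims, "provider1"))
    print("paths containing 'provider':", find_role(claims, "provider"))
```

Running it against the constructed token shows that a policy keyed on a top-level `roles` claim has nothing to match, and prints the path (`resource_access.ufinity.roles`) that does carry `provider1`; substitute a real token from `kubectl logs` or the browser's network tab to check your own deployment.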