[keycloak-user] Keycloak Istio RBAC returns 403 Forbidden
Kannan K R
kannan.k at kiwitech.com
Wed Nov 13 12:38:56 EST 2019
Any update on this?
On Tue, Nov 12, 2019 at 8:47 PM Kannan K R <kannan.k at kiwitech.com> wrote:
> Hi All
>
> I’m trying to authorize my users using their roles. Here is my JWT from
> Keycloak
>
> {
>   "jti": "f9f5af0c-b187-4510-8302-d2d553c3bdee",
>   "exp": 1573594538,
>   "nbf": 0,
>   "iat": 1573558569,
>   "iss": "https://kc.krk.wtf/auth/realms/K2",
>   "aud": "account",
>   "sub": "920fadc1-5a30-4d94-8604-8bd14cea2685",
>   "typ": "Bearer",
>   "azp": "ufinity",
>   "auth_time": 1573558538,
>   "session_state": "c5679b6d-fc0e-4536-abc2-3533e6ba8c85",
>   "acr": "1",
>   "realm_access": {
>     "roles": [
>       "provider",
>       "offline_access",
>       "uma_authorization"
>     ]
>   },
>   "resource_access": {
>     "ufinity": {
>       "roles": [
>         "provider1"
>       ]
>     },
>     "account": {
>       "roles": [
>         "manage-account",
>         "manage-account-links",
>         "view-profile"
>       ]
>     }
>   },
>   "scope": "openid email profile",
>   "email_verified": false,
>   "name": "Kannan2 Provider",
>   "preferred_username": "kannan2",
>   "given_name": "Kannan2",
>   "family_name": "Provider",
>   "email": "kannan2 at yopmail.com"
> }
>
> My Authorization yaml files are as follows:
>
> apiVersion: "rbac.istio.io/v1alpha1"
> kind: ClusterRbacConfig
> metadata:
>   name: default
> spec:
>   mode: 'ON_WITH_INCLUSION'
>   inclusion:
>     services:
>       - "record.default.svc.cluster.local"
> ---
> apiVersion: "rbac.istio.io/v1alpha1"
> kind: ServiceRole
> metadata:
>   name: regular-user
>   namespace: default
> spec:
>   rules:
>     - services:
>         - "record"
>       paths: ["/users/*"]
>       methods: ["GET"]
> ---
> apiVersion: "rbac.istio.io/v1alpha1"
> kind: ServiceRoleBinding
> metadata:
>   name: regular-user-binding
>   namespace: default
> spec:
>   subjects:
>     - user: "*"
>   roleRef:
>     kind: ServiceRole
>     name: "regular-user"
> ---
> apiVersion: "rbac.istio.io/v1alpha1"
> kind: ServiceRole
> metadata:
>   name: provider-role
>   namespace: default
> spec:
>   rules:
>     - services: ["*"]
>       paths: ["*"]
>       methods: ["*"]
> ---
> apiVersion: "rbac.istio.io/v1alpha1"
> kind: ServiceRoleBinding
> metadata:
>   name: provider-role-binding
>   namespace: default
> spec:
>   subjects:
>     - properties:
>         request.auth.claims[roles]: "provider1"
>   roleRef:
>     kind: ServiceRole
>     name: "provider-role"
>
> I’m always getting a 403 Forbidden response.
>
> Please let me know what I am doing wrong here, or point me to the relevant
> documentation.
>
> Thanks in advance
> -Kannan
>
--
************************************************************************
This e-mail and all attachments are intended solely for use by the intended recipient and may contain confidential / proprietary information of KiwiTech, LLC, subject to important disclaimers and conditions including restrictions on the use, disclosure, transfer or export of such information. If you have received this message in error or are not the named recipient(s), please immediately notify the sender at the telephone number stated above or by reply e-mail and delete this e-mail from your computer.
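As an added illustration (not code from the thread, and not Istio's or Keycloak's own code), the following Python models the claim lookup behind the `provider-role-binding` posted above. The token in the message carries its roles only inside the `realm_access` and `resource_access` objects; there is no top-level `roles` claim. The model assumes, as was the case for the Istio releases current when this was posted, that `request.auth.claims[roles]` reads a top-level claim named `roles` and compares it as a string or a list of strings without descending into nested objects, so the binding never matches and the request is denied with 403. It also emulates the usual remedy: a Keycloak protocol mapper ("User Realm Role" and/or "User Client Role", Token Claim Name `roles`, Multivalued on, added to the access token) that copies the roles into a top-level claim. The claim values are copied from the posted token; the function names, the unsigned fixture token and the top-level-only lookup rule are this example's own assumptions.

```python
"""Added example: how an Istio v1alpha1 ServiceRoleBinding `properties` match on
request.auth.claims[...] sees a Keycloak access token, and how a Keycloak role
mapper that emits a top-level `roles` claim changes the outcome."""
import base64
import json
import re

# Claims copied from the access token in the thread (constructed fixture; the
# signature, timestamps and session identifiers are omitted as irrelevant here).
KEYCLOAK_CLAIMS = {
    "iss": "https://kc.krk.wtf/auth/realms/K2",
    "aud": "account",
    "azp": "ufinity",
    "realm_access": {"roles": ["provider", "offline_access", "uma_authorization"]},
    "resource_access": {
        "ufinity": {"roles": ["provider1"]},
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
    },
    "preferred_username": "kannan2",
}

_CLAIM_KEY = re.compile(r"^request\.auth\.claims\[([^\]]+)\]$")


def claim_property_matches(claims, prop_key, expected):
    """Evaluate one `properties` entry of the form request.auth.claims[<name>]: <value>.

    Modelling assumption (Istio releases current in late 2019): <name> is looked
    up as a top-level claim only; the entry matches when that claim is a string
    equal to `expected` or a list of strings containing it.  A JSON object such
    as realm_access is never descended into, so realm_access.roles is invisible.
    """
    m = _CLAIM_KEY.match(prop_key)
    if m is None:
        raise ValueError(f"not a request.auth.claims property: {prop_key}")
    value = claims.get(m.group(1))
    if isinstance(value, str):
        return value == expected
    if isinstance(value, list):
        return any(isinstance(v, str) and v == expected for v in value)
    return False  # claim absent, or an object/number the matcher cannot compare


def with_top_level_roles(claims, client_id=None):
    """Emulate the token shape produced by a Keycloak 'User Realm Role' mapper
    (plus a 'User Client Role' mapper for `client_id`, if given) configured with
    Token Claim Name = roles, Multivalued = ON, Add to access token = ON.
    Returns a copy of `claims` with a top-level `roles` list; nothing else changes."""
    roles = list(claims.get("realm_access", {}).get("roles", []))
    if client_id is not None:
        roles += claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    out = dict(claims)
    out["roles"] = roles
    return out


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def unsigned_jwt(claims):
    """Build an *unsigned* compact JWT (alg=none) purely as a local fixture for
    payload_claims(); never send such a token to a real service."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def payload_claims(token):
    """Decode (without verifying) the payload of a compact JWT so you can check
    which claims actually reach the sidecar.  Verifying signature, issuer,
    audience and expiry is the sidecar's job and is deliberately not done here."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(token, prop_key="request.auth.claims[roles]", expected="provider1"):
    """Report whether the binding's property check passes for the token as issued
    and for the same token after a client-role mapper adds a top-level `roles` claim."""
    claims = payload_claims(token)
    return {
        "as_issued": claim_property_matches(claims, prop_key, expected),
        "with_client_role_mapper": claim_property_matches(
            with_top_level_roles(claims, client_id=claims.get("azp")), prop_key, expected
        ),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(unsigned_jwt(KEYCLOAK_CLAIMS)), indent=2))
```

Run it against a real token by passing the access token string to `diagnose()` instead of the fixture: if `as_issued` is false, the sidecar has no top-level `roles` claim to compare and the `properties` rule cannot match whatever the policy says. Note that a realm-role mapper alone exposes `provider` but not the client role `provider1`; the binding above names `provider1`, so either add a client-role mapper for the `ufinity` client or bind on the realm role. If the binding still fails after the claim is present, the remaining things to check are the JWT policy's issuer/audience settings and whether the `services: - "record"` entry in the ServiceRole actually matches the service named in the ClusterRbacConfig inclusion (`record.default.svc.cluster.local`).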