<div dir="ltr">Oh, that was it. The client needs to have the roles from the application, I didn&#39;t think of that.<div><br></div><div>Thank you again</div><div><br></div><div>copying back the mailing-list because I didn&#39;t reply to it by mistake</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 6, 2014 at 11:18 AM, Bill Burke <span dir="ltr">&lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The security-admin-console has a limited scope, so the access token doesn&#39;t get populated with the roles you desire.  A quick workaround is to go to the Scope page on the security-admin-console and click &quot;Full scope allowed&quot;.<br>

<br>
IMO, instead, you should create an oauth client and assign the scope you want for that client_id.  This allows you to:<br>
<br>
* Reduce the size of the access token created for that client_id<br>
* Limit the roles that tokens created for that client_id can obtain.<br>
<br>
Scope is really an extra security measure.  For example, with scope, you can enforce that only the security-console-application can ever get tokens that have admin roles within it.<br>
<br>
On 8/6/2014 10:10 AM, Rodrigo Sasaki wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I get the token sending a POST using *security-admin-console* as<br>
*client_id*.<div class=""><br>
<br>
The application I&#39;m trying to access is bearer only, so I can&#39;t generate<br>
a token directly for it<br>
<br>
<br>
On Wed, Aug 6, 2014 at 11:06 AM, Bill Burke &lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a><br></div><div class="">
&lt;mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;&gt; wrote:<br>
<br>
    How do you obtain the token?  Access tokens are created specifically for<br>
    the application/oauth client that initiated the token protocol.  So the<br>
    access token will be stuffed with only the role mappings for that<br>
    application/oauth client.  A bearer-only application doesn&#39;t need a<br>
    scope configured because it never initiates a login.<br>
<br>
    I changed things in beta 4 to hopefully mitigate the confusion around<br>
    &quot;scope&quot;.  Applications have a full scope enabled by default now.<br>
<br>
    On 8/6/2014 9:58 AM, Rodrigo Sasaki wrote:<br>
     &gt; Is there any news on this? I tried it on beta-4 on wildfly and I<br>
    still<br>
     &gt; get the same response.<br>
     &gt;<br>
     &gt;<br>
     &gt; On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki<br>
     &gt; &lt;<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a> &lt;mailto:<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a>&gt;<br></div>
    &lt;mailto:<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a> &lt;mailto:<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a>&gt;&gt;&gt;<div class="">
<br>
    wrote:<br>
     &gt;<br>
     &gt;     I made sure of all that, I just recreated everything using realm<br>
     &gt;     roles just for the sake of completeness, but I&#39;m still<br>
    getting a 403<br>
     &gt;<br>
     &gt;<br>
     &gt;     On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva)<br>
     &gt;     &lt;<a href="mailto:vivsriva@cisco.com" target="_blank">vivsriva@cisco.com</a> &lt;mailto:<a href="mailto:vivsriva@cisco.com" target="_blank">vivsriva@cisco.com</a>&gt;<br></div><div><div class="h5">
    &lt;mailto:<a href="mailto:vivsriva@cisco.com" target="_blank">vivsriva@cisco.com</a> &lt;mailto:<a href="mailto:vivsriva@cisco.com" target="_blank">vivsriva@cisco.com</a>&gt;&gt;&gt; wrote:<br>
     &gt;<br>
     &gt;         Make sure you have the following settings configured for your<br>
     &gt;         database service:<br>
     &gt;<br>
     &gt;<br>
     &gt;<br>
     &gt;<br>
     &gt;<br>
     &gt;         In the web.xml, make sure you have the security setup<br>
    with the<br>
     &gt;         appropriate user role:<br>
     &gt;         &lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;<br>
     &gt;         &lt;web-app xmlns=&quot;<a href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a>&quot;<br>
     &gt;                xmlns:xsi=&quot;<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>&quot;<br>
     &gt;                xsi:schemaLocation=&quot;<a href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><br>
     &gt;                <a href="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" target="_blank">http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd</a>&quot;<br>
     &gt;                version=&quot;3.0&quot;&gt;<br>
     &gt;<br>
     &gt;         &lt;module-name&gt;database&lt;/module-name&gt;<br>
     &gt;              &lt;security-constraint&gt;<br>
     &gt;                  &lt;web-resource-collection&gt;<br>
     &gt;                      &lt;url-pattern&gt;/*&lt;/url-pattern&gt;<br>
     &gt;                  &lt;/web-resource-collection&gt;<br>
     &gt;         &lt;!--        &lt;user-data-constraint&gt;<br>
     &gt;                      &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;<br>
     &gt;                  &lt;/user-data-constraint&gt;  --&gt;<br>
     &gt;                  &lt;auth-constraint&gt;<br>
     &gt;                      &lt;role-name&gt;user&lt;/role-name&gt;<br>
     &gt;                  &lt;/auth-constraint&gt;<br>
     &gt;              &lt;/security-constraint&gt;<br>
     &gt;<br>
     &gt;              &lt;login-config&gt;<br>
     &gt;                  &lt;auth-method&gt;KEYCLOAK&lt;/auth-method&gt;<br>
     &gt;                  &lt;realm-name&gt;demo&lt;/realm-name&gt;<br>
     &gt;              &lt;/login-config&gt;<br>
     &gt;<br>
     &gt;              &lt;security-role&gt;<br>
     &gt;                  &lt;role-name&gt;user&lt;/role-name&gt;<br>
     &gt;              &lt;/security-role&gt;<br>
     &gt;         &lt;/web-app&gt;<br>
     &gt;<br>
     &gt;<br>
     &gt;<br>
     &gt;         From: Rodrigo Sasaki &lt;<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a><br>
    &lt;mailto:<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a>&gt;<br></div></div>
     &gt;         &lt;mailto:<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a><div class=""><br>
    &lt;mailto:<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a>&gt;&gt;&gt;<br>
     &gt;         Date: Tuesday, July 29, 2014 at 12:51 PM<br>
     &gt;         To: Bill Burke &lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a><br></div>
    &lt;mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt; &lt;mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a><div class=""><br>
    &lt;mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;&gt;&gt;<br>
     &gt;         Cc: &quot;<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
    &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;<br></div>
     &gt;         &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><div class=""><br>
    &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;&gt;&quot;<br>
     &gt;         &lt;<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
    &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;<br></div>
     &gt;         &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><div class=""><br>
    &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;&gt;&gt;<br>
     &gt;         Subject: Re: [keycloak-user] Bearer Only Application<br>
    access with<br>
     &gt;         token<br>
     &gt;<br>
     &gt;         It is defined under the application itself, so it&#39;s<br>
    under the<br>
     &gt;         scope. This should be working, right?<br>
     &gt;<br>
     &gt;<br>
     &gt;         On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke<br>
    &lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> &lt;mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;<br></div><div><div class="h5">
     &gt;         &lt;mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> &lt;mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;&gt;&gt; wrote:<br>
     &gt;<br>
     &gt;             What kind of role is it?  Is the new role defined<br>
    under the<br>
     &gt;             &quot;database-service&quot; application?  If not, then you<br>
    must add<br>
     &gt;             this role to<br>
     &gt;             the &quot;database-service&quot;&#39;s scope in the admin console.<br>
     &gt;<br>
     &gt;             On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:<br>
     &gt;             &gt; Hi,<br>
     &gt;             &gt;<br>
     &gt;             &gt; I&#39;m trying to secure a bearer-only application with<br>
    keycloak, to access<br>
     &gt;             &gt; it with access tokens, but I think I&#39;m missing<br>
    something.<br>
     &gt;             &gt;<br>
     &gt;             &gt; I tried it with the database-service of the<br>
    unconfigured demo.<br>
     &gt;             &gt;<br>
     &gt;             &gt; 1. I created the user role in the application.<br>
     &gt;             &gt; 2. I assigned that role to my user<br>
     &gt;             &gt; 3. I copied the contents of the installation json to<br>
     &gt;             &gt; *webapp/META-INF/keycloak.json*<br>
     &gt;             &gt;<br>
     &gt;             &gt; {<br>
     &gt;             &gt;      &quot;realm&quot;: &quot;demo&quot;,<br>
     &gt;             &gt;      &quot;realm-public-key&quot;:<br>
     &gt;             &gt;      &quot;MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB&quot;,<br>
     &gt;             &gt;      &quot;bearer-only&quot;: true,<br>
     &gt;             &gt;      &quot;ssl-not-required&quot;: true,<br>
     &gt;             &gt;      &quot;resource&quot;: &quot;database-service&quot;,<br>
     &gt;             &gt;      &quot;use-resource-role-mappings&quot;: true<br>
     &gt;             &gt; }<br>
     &gt;             &gt;<br>
     &gt;             &gt; 4. Set the auth-method to *KEYCLOAK* on web.xml<br>
     &gt;             &gt; 5. Started the server deploying the *database-service*<br>
     &gt;             &gt; 6. Generated a token using *security-admin-console*<br>
    client_id and my user<br>
     &gt;             &gt; 7. Submitted a GET request to<br>
    /localhost:8080/database/customers/<br>
     &gt;             &gt;<br>
     &gt;             &gt; After these steps I get a 403 error, saying that<br>
    I&#39;m not authorized to<br>
     &gt;             &gt; access the resource, wasn&#39;t this supposed to work?<br>
     &gt;             &gt;<br>
     &gt;             &gt; --<br>
     &gt;             &gt; Rodrigo Sasaki<br>
     &gt;             &gt;<br>
     &gt;             &gt;<br>
     &gt;             &gt; _______________________________________________<br>
     &gt;             &gt; keycloak-user mailing list<br>
     &gt;             &gt;<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
    &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;<br></div></div>
     &gt;             &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><div class=""><br>
    &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;&gt;<br>
     &gt;             &gt;<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
     &gt;             &gt;<br>
     &gt;<br>
     &gt;             --<br>
     &gt;             Bill Burke<br>
     &gt;             JBoss, a division of Red Hat<br>
     &gt; <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</div>
<div class="">
     &gt;<br>
     &gt;<br>
     &gt;<br>
     &gt;<br>
     &gt;         --<br>
     &gt;         Rodrigo Sasaki<br>
     &gt;<br>
     &gt;<br>
     &gt;<br>
     &gt;<br>
     &gt;     --<br>
     &gt;     Rodrigo Sasaki<br>
     &gt;<br>
     &gt;<br>
     &gt;<br>
     &gt;<br>
     &gt; --<br>
     &gt; Rodrigo Sasaki<br>
     &gt;<br>
     &gt;<br>
</div><div class="">
     &gt;<br>
<br>
    --<br>
    Bill Burke<br>
    JBoss, a division of Red Hat<br>
    <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
<br>
<br>
<br>
<br>
--<br>
Rodrigo Sasaki<br>
</div></blockquote><div class="HOEnZb"><div class="h5">
<br>
-- <br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><font face="Times New Roman">Rodrigo Sasaki</font><div></div></div>
</div>
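The scope behaviour Bill describes in the thread (an access token is populated only with the role mappings the requesting client_id's scope allows, and a bearer-only adapter with use-resource-role-mappings checks the resource's own roles) modelled as an added Python example; this is not code from the thread or from Keycloak itself. The client names database-client and full-scope-client, the role realm-admin and the simplified realm_access/resource_access claim layout are assumptions.

```python
# Added example: models how a Keycloak-style access token is scoped per client_id
# and how a bearer-only adapter then answers 200 or 403. Names marked hypothetical
# are constructed for this example, not taken from the thread.
from typing import Dict, Optional, Set

RoleMap = Dict[str, Set[str]]          # application name -> roles

# Constructed user: realm role "user", application role "user" on database-service.
USER = {
    "realm_roles": {"user"},
    "app_roles": {"database-service": {"user"},
                  "security-admin-console": {"realm-admin"}},  # hypothetical role
}

# Constructed client scopes. None models "Full scope allowed"; otherwise the map
# lists the application roles a token issued to that client may carry.
CLIENT_SCOPES: Dict[str, Optional[RoleMap]] = {
    "security-admin-console": {"security-admin-console": {"realm-admin"}},
    "database-client": {"database-service": {"user"}},   # hypothetical OAuth client
    "full-scope-client": None,                           # hypothetical, full scope
}


def issue_access_token(client_id: str, user: dict,
                       scopes: Dict[str, Optional[RoleMap]]) -> dict:
    """Populate resource_access with only the app roles the client's scope permits."""
    scope = scopes[client_id]
    resource_access = {}
    for app, roles in user["app_roles"].items():
        allowed = roles if scope is None else roles & scope.get(app, set())
        if allowed:
            resource_access[app] = {"roles": sorted(allowed)}
    return {
        "azp": client_id,                                 # client the token was issued to
        "realm_access": {"roles": sorted(user["realm_roles"])},
        "resource_access": resource_access,
    }


def authorize(token: dict, adapter_config: dict, required: Set[str]) -> int:
    """Bearer-only adapter check: HTTP status for a resource that requires `required`."""
    if adapter_config.get("use-resource-role-mappings"):
        resource = adapter_config["resource"]
        granted = set(token["resource_access"].get(resource, {}).get("roles", []))
    else:
        granted = set(token["realm_access"]["roles"])
    return 200 if granted & required else 403


DATABASE_SERVICE = {"resource": "database-service", "use-resource-role-mappings": True}
```

A token minted through security-admin-console is rejected because its resource_access carries no database-service entry, which is the 403 in the thread; the "Full scope allowed" workaround widens what every token from the admin console can do, so a dedicated client with a narrow scope is the least-privilege choice.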