<div dir="ltr">Oh, that was it. The client needs to have the roles from the application, I didn't think of that.<div><br></div><div>Thank you again</div><div><br></div><div>copying back the mailing-list because I didn't reply to it by mistake</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 6, 2014 at 11:18 AM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The security-admin-console has a limited scope, so the access token doesn't get populated with the roles you desire. A quick workaround is to go to the Scope page on the security-admin-console and click "Full scope allowed".<br>
<br>
IMO, instead, you should create an oauth client and assign the scope you want for that client_id. This allows you to:<br>
<br>
* Reduce the size of the access token created for that client_id<br>
* Limit the roles that tokens created for that client_id can obtain.<br>
<br>
Scope is really an extra security measure. For example, with scope, you can enforce that only the security-console-application can ever get tokens that have admin roles within it.<br>
<br>
On 8/6/2014 10:10 AM, Rodrigo Sasaki wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I get the token sending a POST using *security-admin-console* as<br>
*client_id*.<div class=""><br>
<br>
The application I'm trying to access is bearer only, so I can't generate<br>
a token directly for it<br>
<br>
<br>
On Wed, Aug 6, 2014 at 11:06 AM, Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>> wrote:<br></div><div class="">
<br>
How do you obtain the token? Access tokens are created specifically for<br>
the application/oauth client that initiated the token protocol. So the<br>
access token will be stuffed with only the role mappings for that<br>
application/oauth client. A bearer-only application doesn't need a<br>
scope configured because it never initiates a login.<br>
<br>
I changed things in beta 4 to hopefully mitigate the confusion around<br>
"scope". Applications have a full scope enabled by default now.<br>
<br>
On 8/6/2014 9:58 AM, Rodrigo Sasaki wrote:<br>
> Is there any news on this? I tried it on beta-4 on wildfly and I still<br>
> get the same response.<br>
><br>
><br>
> On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki<br>
> <<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a>> wrote:<br></div>
<div class="">
><br>
> I made sure of all that, I just recreated everything using realm<br>
> roles just for the sake of completeness, but I'm still getting a 403<br>
><br>
><br>
> On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva)<br>
> <<a href="mailto:vivsriva@cisco.com" target="_blank">vivsriva@cisco.com</a>> wrote:<br></div><div><div class="h5">
><br>
> Make sure you have the following settings configured for your<br>
> database service:<br>
><br>
> In the web.xml, make sure you have the security setup with the<br>
> appropriate user role:<br>
> <?xml version="1.0" encoding="UTF-8"?><br>
> <web-app xmlns="<a href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a>"<br>
>   xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>"<br>
>   xsi:schemaLocation="<a href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><br>
>   <a href="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" target="_blank">http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd</a>"<br>
>   version="3.0"><br>
><br>
>   <module-name>database</module-name><br>
>   <security-constraint><br>
>     <web-resource-collection><br>
>       <url-pattern>/*</url-pattern><br>
>     </web-resource-collection><br>
>     <!-- <user-data-constraint><br>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee><br>
>     </user-data-constraint> --><br>
>     <auth-constraint><br>
>       <role-name>user</role-name><br>
>     </auth-constraint><br>
>   </security-constraint><br>
><br>
>   <login-config><br>
>     <auth-method>KEYCLOAK</auth-method><br>
>     <realm-name>demo</realm-name><br>
>   </login-config><br>
><br>
>   <security-role><br>
>     <role-name>user</role-name><br>
>   </security-role><br>
> </web-app><br>
><br>
><br>
><br>
> From: Rodrigo Sasaki <<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a>><br></div></div><div class="">
> Date: Tuesday, July 29, 2014 at 12:51 PM<br>
> To: Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br>
> Cc: "<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
> Subject: Re: [keycloak-user] Bearer Only Application access with token<br>
><br>
> It is defined under the application itself, so it's under the<br>
> scope. This should be working right?<br>
><br>
><br>
> On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke<br>
> <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>> wrote:<br></div><div><div class="h5">
><br>
> What kind of role is it? Is the new role defined under the<br>
> "database-service" application? If not, then you must add<br>
> this role to the "database-service"'s scope in the admin console.<br>
><br>
> On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:<br>
> > Hi,<br>
> ><br>
> > I'm trying to secure a bearer-only application with keycloak, to access<br>
> > it with access tokens, but I think I'm missing something.<br>
> ><br>
> > I tried it with the database-service of the unconfigured demo.<br>
> ><br>
> > 1. I created the user role in the application.<br>
> > 2. I assigned that role to my user<br>
> > 3. I copied the contents of the installation json to *webapp/META-INF/keycloak.json*<br>
> ><br>
> > {<br>
> >   "realm": "demo",<br>
> >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",<br>
> >   "bearer-only": true,<br>
> >   "ssl-not-required": true,<br>
> >   "resource": "database-service",<br>
> >   "use-resource-role-mappings": true<br>
> > }<br>
> ><br>
> > 4. Set the auth-method to *KEYCLOAK* on web.xml<br>
> > 5. Started the server deploying the *database-service*<br>
> > 6. Generated a token using *security-admin-console* client_id and my user<br>
> > 7. Submitted a GET request to /localhost:8080/database/customers/<br>
> ><br>
> > After these steps I get a 403 error, saying that I'm not authorized to<br>
> > access the resource, wasn't this supposed to work?<br>
> ><br>
> > --<br>
> > Rodrigo Sasaki<br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > keycloak-user mailing list<br>
> > <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br></div></div><div class="">
> > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> ><br>
><br>
> --<br>
> Bill Burke<br>
> JBoss, a division of Red Hat<br>
> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
</div>
<div class="">
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
> --<br>
> Rodrigo Sasaki<br>
><br>
> _______________________________________________<br>
> keycloak-user mailing list<br></div>
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><div class=""><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
<br>
<br>
<br>
--<br>
Rodrigo Sasaki<br>
</div></blockquote><div class="HOEnZb"><div class="h5">
<br>
-- <br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><font face="Times New Roman">Rodrigo Sasaki</font><div></div></div>
</div>
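The cause settled in the thread above (a token obtained with client_id security-admin-console carries only that client's role mappings, so the bearer-only database-service answers 403 until the role is in scope) can be checked from the token itself. The script below is an added example, not code from the thread or from Keycloak. It decodes a JWT payload and applies the same lookup that the keycloak.json in the thread configures: with "use-resource-role-mappings": true the adapter looks only at the application's own entry in the token, which is also why recreating the role as a realm role did not help. The claim names resource_access and realm_access, the sample tokens and the role names in them are constructed here and stated as assumptions, not taken from the thread.

```python
import base64
import json

# --- Constructed sample tokens (assumption: compact JWT layout header.payload.signature).
# They are built locally with alg "none" and an empty signature so the example runs
# offline; they are NOT real Keycloak tokens and carry no valid signature.

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(payload):
    """Build an unsigned JWT-shaped string for local experiments only."""
    header = {"alg": "none", "typ": "JWT"}
    return _b64url_encode(header) + "." + _b64url_encode(payload) + "."


# Token as the thread describes: obtained with client_id security-admin-console,
# so only that client's role mappings (plus realm roles) are present.
TOKEN_LIMITED_SCOPE = make_unsigned_token({
    "preferred_username": "rodrigo",                          # constructed
    "realm_access": {"roles": ["user"]},                      # realm role, constructed
    "resource_access": {
        "security-admin-console": {"roles": ["view-realm"]},  # constructed role name
    },
})

# Token after "Full scope allowed" (or from a dedicated client whose scope includes
# database-service's user role): the application's own role is now in the token.
TOKEN_FULL_SCOPE = make_unsigned_token({
    "preferred_username": "rodrigo",
    "realm_access": {"roles": ["user"]},
    "resource_access": {
        "security-admin-console": {"roles": ["view-realm"]},
        "database-service": {"roles": ["user"]},
    },
})


def decode_claims(token):
    """Decode the payload of a JWT WITHOUT verifying the signature.

    Intended for inspecting claims while troubleshooting; the Keycloak adapter
    verifies the signature against realm-public-key before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_roles(claims, resource, use_resource_role_mappings):
    """Roles the adapter would consult, mirroring the keycloak.json switch.

    Assumption: per-client roles live under resource_access[<client>]["roles"]
    and realm roles under realm_access["roles"].
    """
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def would_authorize(token, resource, required_role, use_resource_role_mappings=True):
    """True if a web.xml auth-constraint on required_role would pass for this token."""
    claims = decode_claims(token)
    return required_role in granted_roles(claims, resource, use_resource_role_mappings)


def explain(token, resource, required_role, use_resource_role_mappings=True):
    """Short troubleshooting verdict for the 403 described in the thread."""
    roles = granted_roles(decode_claims(token), resource, use_resource_role_mappings)
    where = "resource_access[%r]" % resource if use_resource_role_mappings else "realm_access"
    if required_role in roles:
        return "200: %r found in %s" % (required_role, where)
    return "403: %r missing from %s (token has %s)" % (required_role, where, sorted(roles) or "none")


if __name__ == "__main__":
    for name, tok in (("limited scope", TOKEN_LIMITED_SCOPE), ("full scope", TOKEN_FULL_SCOPE)):
        print(name, "->", explain(tok, "database-service", "user"))
        print(name, "(realm roles instead) ->", explain(tok, "database-service", "user", False))
```

Paste a real access token in place of the constructed ones to see which roles it actually carries for the resource named in keycloak.json; the decode step deliberately skips signature verification, so treat its output as a diagnostic view of the claims, not as an authorization decision.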