<div dir="ltr">Is there any news on this? I tried it on beta-4 on wildfly and I still get the same response.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki <span dir="ltr"><<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I made sure of all that; I just recreated everything using realm roles, for the sake of completeness, but I'm still getting a 403.</div>
<div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva) <span dir="ltr"><<a href="mailto:vivsriva@cisco.com" target="_blank">vivsriva@cisco.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>Make sure you have the following settings configured for your database service:</div>
<div><br>
</div>
<div><img src="cid:7FB161C8-9169-498E-BE38-35D4735A9146" type="image/png"></div>
<div><br>
</div>
<div><br>
</div>
<div><img src="cid:F53847FE-4703-4AB3-9C06-790DC32B5A75" type="image/png"></div>
<div><br>
</div>
<div><br>
</div>
<div>In the web.xml, make sure you have the security setup with the appropriate user role:</div>
<div>
<div><?xml version="1.0" encoding="UTF-8"?></div>
<div><web-app xmlns="<a href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a>"</div>
<div> xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>"</div>
<div> xsi:schemaLocation="<a href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a> <a href="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" target="_blank">http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd</a>"</div>
<div> version="3.0"></div>
<div><br>
</div>
<div><span style="white-space:pre-wrap"></span><module-name>database</module-name></div>
<div><span style="white-space:pre-wrap"></span></div>
<div> <security-constraint></div>
<div> <web-resource-collection></div>
<div> <url-pattern>/*</url-pattern></div>
<div> </web-resource-collection></div>
<div><!-- <user-data-constraint></div>
<div> <transport-guarantee>CONFIDENTIAL</transport-guarantee></div>
<div> </user-data-constraint> --></div>
<div> <auth-constraint></div>
<div> <role-name>user</role-name></div>
<div> </auth-constraint></div>
<div> </security-constraint></div>
<div><br>
</div>
<div> <login-config></div>
<div> <auth-method>KEYCLOAK</auth-method></div>
<div> <realm-name>demo</realm-name></div>
<div> </login-config></div>
<div><br>
</div>
<div> <security-role></div>
<div> <role-name>user</role-name></div>
<div> </security-role></div>
<div></web-app></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>Rodrigo Sasaki <<a href="mailto:rodrigopsasaki@gmail.com" target="_blank">rodrigopsasaki@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, July 29, 2014 at 12:51 PM<br>
<span style="font-weight:bold">To: </span>Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] Bearer Only Application access with token<br>
</div><div><div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">It is defined under the application itself, so it's under the scope. This should be working, right?</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <span dir="ltr">
<<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
What kind of role is it? Is the new role defined under the<br>
"database-service" application? If not, then you must add this role to<br>
the "database-service"'s scope in the admin console.<br>
<div><br>
On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:<br>
> Hi,<br>
><br>
> I'm trying to secure a bearer-only application with keycloak, to access<br>
> it with access tokens, but I think I'm missing something.<br>
><br>
> I tried it with the database-service of the unconfigured demo.<br>
><br>
> 1. I created the user role in the application.<br>
> 2. I assigned that role to my user<br>
> 3. I copied the contents of the installation json to<br>
</div>
> *webapp/META-INF/keycloak.json*<br>
<div>><br>
> {<br>
> "realm": "demo",<br>
> "realm-public-key":<br>
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",<br>
> "bearer-only": true,<br>
> "ssl-not-required": true,<br>
> "resource": "database-service",<br>
> "use-resource-role-mappings": true<br>
> }<br>
><br>
</div>
> 4. Set the auth-method to *KEYCLOAK* on web.xml<br>
> 5. Started the server deploying the *database-service*<br>
> 6. Generated a token using *security-admin-console* client_id and my user<br>
> 7. Submitted a GET request to /localhost:8080/database/customers/<br>
<div>><br>
> After these steps I get a 403 error, saying that I'm not authorized to<br>
> access the resource, wasn't this supposed to work?<br>
><br>
> --<br>
> Rodrigo Sasaki<br>
><br>
><br>
</div>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">
https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<span><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</font></span></blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr"><font face="Times New Roman">Rodrigo Sasaki</font>
<div></div>
</div>
</div>
</div>
</div>
</div></div></span>
</div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div dir="ltr"><font face="Times New Roman">Rodrigo Sasaki</font><div></div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><font face="Times New Roman">Rodrigo Sasaki</font><div></div></div>
</div>
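The thread turns on which claim of the access token the adapter consults: with "use-resource-role-mappings": true it looks for the role under resource_access.database-service, not under realm_access, so a "user" role that only exists at realm level (or that was never added to the application's scope) yields a 403 even though the user has it. The following is an added illustration of that lookup, not code from the thread or from Keycloak itself; the token builder, the sample claims and the function names are constructed assumptions, and the RS256 signature check a real adapter performs against "realm-public-key" is omitted.

```python
import base64
import json

# Constructed sample values (not real tokens). A real Keycloak adapter first
# verifies the RS256 signature against "realm-public-key"; that step is
# omitted here so the example stays focused on the role lookup.
WEB_XML_REQUIRED_ROLES = {"user"}   # mirrors <auth-constraint><role-name>user


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build header.payload.signature with a dummy signature (constructed)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def decode_payload(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_checked_by_adapter(claims: dict, resource: str, use_resource_role_mappings: bool) -> set:
    """Which claim the adapter consults, as selected by use-resource-role-mappings."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def http_status(token: str, resource: str, use_resource_role_mappings: bool,
                required: set = WEB_XML_REQUIRED_ROLES) -> int:
    """200 if any required role is present in the consulted claim, else 403."""
    claims = decode_payload(token)
    granted = roles_checked_by_adapter(claims, resource, use_resource_role_mappings)
    return 200 if granted & required else 403


# Token 1: "user" is a realm role only (constructed claims).
REALM_ONLY = make_unsigned_token({"realm_access": {"roles": ["user"]},
                                  "resource_access": {}})
# Token 2: "user" is an application role of database-service (constructed claims).
APP_SCOPED = make_unsigned_token({"realm_access": {"roles": []},
                                  "resource_access": {"database-service": {"roles": ["user"]}}})

if __name__ == "__main__":
    for name, tok in [("realm-only token", REALM_ONLY), ("app-scoped token", APP_SCOPED)]:
        print(name, "->", http_status(tok, "database-service", True))
```

Decoding the real token the same way and looking at resource_access is the quickest check on whether the role actually reached the database-service scope.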