<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I have now also tried using application roles, but unfortunately that did not change the behaviour at all.<div class=""><br class=""></div><div class="">Am I supposed to install the client JSON file anywhere?</div><div class=""><br class=""></div><div class="">Conrad</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 22 Sep 2014, at 09:29, Conrad Winchester <<a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Thanks for this very informative answer.<div class=""><br class=""></div><div class="">I will stick with the application being confidential as you have explained that this is more correct.</div><div class=""><br class=""></div><div class="">However, WRT roles. </div><div class=""><br class=""></div><div class="">I have a realm role defined as ‘user’</div><div class="">The client Has this role as an ‘Effective role’ in the admin screens. Full scope allowed is off, and there are no application roles assigned (nor are they available)</div><div class="">I have the following in my web.xml</div><div class=""><br class=""></div><div class=""><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Menlo';font-size:12pt;" class=""><span style="color:#e8bf6a;" class=""><security-constraint><br class=""></span><span style="color:#e8bf6a;" class=""> <web-resource-collection><br class=""></span><span style="color:#e8bf6a;" class=""> <web-resource-name></span>shift<span style="color:#e8bf6a;" class=""></web-resource-name><br class=""></span><span style="color:#e8bf6a;" class=""> <url-pattern></span>/*<span style="color:#e8bf6a;" class=""></url-pattern><br class=""></span><span style="color:#e8bf6a;" class=""> </web-resource-collection><br class=""></span><span style="color:#e8bf6a;" class=""> <auth-constraint><br class=""></span><span style="color:#e8bf6a;" class=""> <role-name></span>user<span style="color:#e8bf6a;" class=""></role-name><br class=""></span><span style="color:#e8bf6a;" class=""> </auth-constraint><br class=""></span><span style="color:#e8bf6a;" class=""></security-constraint></span></pre><div class="">and</div></div><div class=""><br class=""></div><div class=""><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Menlo';font-size:12pt;" class=""><span style="color:#e8bf6a;" class=""><login-config><br class=""></span><span style="color:#e8bf6a;" class=""> <auth-method></span>KEYCLOAK<span style="color:#e8bf6a;" class=""></auth-method><br class=""></span><span style="color:#e8bf6a;" class=""> <realm-name></span>shift<span style="color:#e8bf6a;" class=""></realm-name><br class=""></span><span style="color:#e8bf6a;" class=""></login-config><br class=""></span><span style="color:#e8bf6a;" class=""><br class=""></span><span style="color:#e8bf6a;" class=""><security-role><br class=""></span><span style="color:#e8bf6a;" class=""> <role-name></span>user<span style="color:#e8bf6a;" class=""></role-name><br class=""></span><span style="color:#e8bf6a;" class=""></security-role></span></pre><div class="">Is this correct? Have I missed something.</div></div><div class=""><br class=""></div><div class="">BTW Thanks for the help and thanks for Keycloak - It really is awesome!</div><div class=""><br class=""></div><div class="">Conrad</div><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On 22 Sep 2014, at 09:05, Stian Thorgersen <<a href="mailto:stian@redhat.com" class="">stian@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">----- Original Message -----</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">From: "Conrad Winchester" <<a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a>><br class="">To:<span class="Apple-converted-space"> </span><a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">Sent: Monday, 22 September, 2014 8:45:11 AM<br class="">Subject: [keycloak-user] 1.0.1 Problems & Questions<br class=""><br class="">Hi all,<br class=""><br class="">I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some<br class="">serious issues.<br class=""><br class="">First a question: when will keycloak-core 1.0.1 be available from maven<br class="">central? I am having to use 1.0-final in my war - is that compatible with<br class="">1.0.1 keycloak war - which is running on my server.<br class=""></blockquote><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Should have been there by now (it should be synced within 24h of a release), I've contacted the guys in charge to figure out what's going on. In the mean time you could add JBoss Nexus (</span><a href="https://developer.jboss.org/wiki/MavenRepository" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">https://developer.jboss.org/wiki/MavenRepository</a><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">) and get it from there.</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br class="">I upgraded by doing a complete wipe of the keycloak database, and<br class="">reinstalling 1.0.1 over my wildly configuration. I am able to use the<br class="">keycloak admin screens flawlessly.<br class=""><br class="">Now onto my problem.<br class=""><br class="">In 1.0.3-beta I used to have a access type bearer-only application which used<br class="">the rest api to register and login users to keycloak.<br class=""><br class="">After upgrading I have found that even if I set the application to be<br class="">bearer-only, keycloak still throws an invalid redirect uri error whenever I<br class="">try to use the rest end points (surely this should not happen with a<br class="">bearer-only application). In order to fix this I have moved the application<br class="">over to access type confidential (it is sitting on the same server as<br class="">keycloak) - are there any pointers to the correct config for this in 1.0.1?<br class="">Basically my application is the backend to a mobile app that is using<br class="">keycloak for access control - at the moment I am not allowed to use the<br class="">keycloak login/register screens so must proxy it through the server. I am<br class="">now able to register users using this configuration, but would prefer to go<br class="">back to bearer-only<br class=""></blockquote><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Bearer-only applications should not be able to register or login users at all, they should only be able to authenticate using bearer tokens.</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br class="">I also have a Direct Grant Only client which I use for the mobile application<br class="">itself. I am able to get an access token by using the<br class="">TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to<br class="">access a resource with that bearer token set in the header I am still<br class="">getting an unauthorised response.<br class=""><br class="">My applications keycloak.json looks like this<br class=""><br class="">{<br class="">"realm" : "shift" ,<br class="">"realm-public-key" : “ **" ,<br class="">"auth-server-url" : " <a href="http://.../auth" class="">http://.../auth</a> " ,<br class="">"ssl-required" : "none" ,<br class="">"resource" : "shift-server" ,<br class="">"credentials" : {<br class="">"secret" : “ **"<br class="">}<br class="">}<br class=""><br class="">and my client JSON looks like this (although this is not put anywhere in my<br class="">application war)<br class=""><br class="">{<br class="">"realm": "shift",<br class="">"realm-public-key": “***",<br class="">"auth-server-url": " <a href="http://.../auth" class="">http://.../auth</a> ",<br class="">"ssl-required": "none",<br class="">"resource": "shift-ios",<br class="">"public-client": true<br class="">}<br class=""><br class="">I can login in with a correct username and password setting the client id to<br class="">‘shift-ios’. However when I try to access a protected resource like this<br class=""><br class="">GET /shift/feed HTTP/1.1<br class="">Host: www…..com<br class="">Connection: keep-alive<br class="">Accept: */*<br class="">User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0<br class="">Accept-Language: en-us<br class="">Authorization: Bearer<br class="">eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0<br class="">Accept-Encoding: gzip, deflate<br class=""><br class="">where the Bearer header is the access token I get from logging in, then I get<br class="">a 403 unauthorised response.<br class=""></blockquote><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">From a 403 it should mean that the application has successfully authenticated the user, but it doesn't have the correct roles.</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Have you checked that the application you used to obtain the login has the required scope, that the user has the required role mappings, and that your bearer-only application is configured to use the correct roles (it can use either the roles associated with the resource or the realm, 'use-resource-role-mappings' configures this and it defaults to false, which mean it uses realm roles).</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br class="">This used to work perfectly in beta 3, but I seem unable to make this work in<br class="">1.0(.1) final.<br class=""><br class="">Could this be because I am using 1.0-core instead of 1.0.1-core<br class=""><br class="">Please help, as this has stopped all work on the product, and I am completely<br class="">stuck. Whats the best way to go about debugging this?<br class=""><br class="">Conrad<br class=""><br class=""><br class="">_______________________________________________<br class="">keycloak-user mailing list<br class=""><a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class=""><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote></div></blockquote></div><br class=""></div></div>_______________________________________________<br class="">keycloak-user mailing list<br class=""><a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</div></blockquote></div><br class=""></div></body></html>