<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi Stian</div><div class=""><br class=""></div><div class="">I am loggin in using the direct grant rest end point with client id as shift-ios</div><div class=""><br class=""></div><div class="">The token I get back looks like this</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">2014-09-22 14:25:34,795 INFO [com.shift.service.oauth.KeycloakAuthAdapter] (default task-1) Logged in with access token {"jti":"c78a0ec1-54fe-40c4-a2c7-d8e58129bf22","exp":1411392634,"nbf":0,"iat":1411392334,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","session_state":"cc0559f9-78a2-4951-afac-48bee4fa9a23","allowed-origins":[],"resource_access":{}}</div></div><div class=""><br class=""></div>Does that help?<div class=""><br class=""></div><div class="">Thanks</div><div class=""><br class=""></div><div class="">Conrad<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 22 Sep 2014, at 13:28, Stian Thorgersen <<a href="mailto:stian@redhat.com" class="">stian@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">How do you obtain the token? It seems you have two different ways to do this <br class=""><br class="">1) login using KC forms with 'shift-server'<br class="">2) login using direct grant with 'shift-ios'<br class=""><br class="">Is this correct? If so both 'shift-server' and 'shift-ios' has to have a scope on the 'user' realm role. With 'shift-ios' as you're not using any of our adapters you don't need to install the client json for that anywhere. You obviously do need the json config for 'shift-server' (or use the WildFly subsystem to configure through standalone.xml).<br class=""><br class="">If you have the bearer token available you can check the contents of it with:<br class=""><br class=""> System.out.println(new org.keycloak.jose.jws.JWSInput(token).readContentAsString());<br class=""><br class="">It would be helpful if you could send that to me.<br class=""><br class="">----- Original Message -----<br class=""><blockquote type="cite" class="">From: "Conrad Winchester" <<a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a>><br class="">To: "Conrad Winchester" <<a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a>><br class="">Cc: <a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">Sent: Monday, 22 September, 2014 12:17:43 PM<br class="">Subject: Re: [keycloak-user] 1.0.1 Problems & Questions<br class=""><br class="">I have now also tried using application roles, but unfortunately that did not<br class="">change the behaviour at all.<br class=""><br class="">Am I supposed to install the client JSON file anywhere?<br class=""><br class="">Conrad<br class=""><br class=""><br class=""><br class=""><br class=""><br class="">On 22 Sep 2014, at 09:29, Conrad Winchester < <a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a> > wrote<br class=""><br class="">Thanks for this very informative answer.<br class=""><br class="">I will stick with the application being confidential as you have explained<br class="">that this is more correct.<br class=""><br class="">However, WRT roles.<br class=""><br class="">I have a realm role defined as ‘user’<br class="">The client Has this role as an ‘Effective role’ in the admin screens. Full<br class="">scope allowed is off, and there are no application roles assigned (nor are<br class="">they available)<br class="">I have the following in my web.xml<br class=""><br class=""><security-constraint><br class=""><web-resource-collection><br class=""><web-resource-name> shift </web-resource-name><br class=""><url-pattern> /* </url-pattern><br class=""></web-resource-collection><br class=""><auth-constraint><br class=""><role-name> user </role-name><br class=""></auth-constraint><br class=""></security-constraint><br class="">and<br class=""><br class=""><login-config><br class=""><auth-method> KEYCLOAK </auth-method><br class=""><realm-name> shift </realm-name><br class=""></login-config><br class=""><br class=""><security-role><br class=""><role-name> user </role-name><br class=""></security-role><br class="">Is this correct? Have I missed something.<br class=""><br class="">BTW Thanks for the help and thanks for Keycloak - It really is awesome!<br class=""><br class="">Conrad<br class=""><br class=""><br class=""><br class=""><br class="">On 22 Sep 2014, at 09:05, Stian Thorgersen < <a href="mailto:stian@redhat.com" class="">stian@redhat.com</a> > wrote:<br class=""><br class=""><br class=""><br class="">----- Original Message -----<br class=""><br class=""><br class="">From: "Conrad Winchester" < <a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a> ><br class="">To: <a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">Sent: Monday, 22 September, 2014 8:45:11 AM<br class="">Subject: [keycloak-user] 1.0.1 Problems & Questions<br class=""><br class="">Hi all,<br class=""><br class="">I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some<br class="">serious issues.<br class=""><br class="">First a question: when will keycloak-core 1.0.1 be available from maven<br class="">central? I am having to use 1.0-final in my war - is that compatible with<br class="">1.0.1 keycloak war - which is running on my server.<br class=""><br class="">Should have been there by now (it should be synced within 24h of a release),<br class="">I've contacted the guys in charge to figure out what's going on. In the mean<br class="">time you could add JBoss Nexus (<br class=""><a href="https://developer.jboss.org/wiki/MavenRepository" class="">https://developer.jboss.org/wiki/MavenRepository</a> ) and get it from there.<br class=""><br class=""><br class=""><br class=""><br class="">I upgraded by doing a complete wipe of the keycloak database, and<br class="">reinstalling 1.0.1 over my wildly configuration. I am able to use the<br class="">keycloak admin screens flawlessly.<br class=""><br class="">Now onto my problem.<br class=""><br class="">In 1.0.3-beta I used to have a access type bearer-only application which used<br class="">the rest api to register and login users to keycloak.<br class=""><br class="">After upgrading I have found that even if I set the application to be<br class="">bearer-only, keycloak still throws an invalid redirect uri error whenever I<br class="">try to use the rest end points (surely this should not happen with a<br class="">bearer-only application). In order to fix this I have moved the application<br class="">over to access type confidential (it is sitting on the same server as<br class="">keycloak) - are there any pointers to the correct config for this in 1.0.1?<br class="">Basically my application is the backend to a mobile app that is using<br class="">keycloak for access control - at the moment I am not allowed to use the<br class="">keycloak login/register screens so must proxy it through the server. I am<br class="">now able to register users using this configuration, but would prefer to go<br class="">back to bearer-only<br class=""><br class="">Bearer-only applications should not be able to register or login users at<br class="">all, they should only be able to authenticate using bearer tokens.<br class=""><br class=""><br class=""><br class=""><br class="">I also have a Direct Grant Only client which I use for the mobile application<br class="">itself. I am able to get an access token by using the<br class="">TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to<br class="">access a resource with that bearer token set in the header I am still<br class="">getting an unauthorised response.<br class=""><br class="">My applications keycloak.json looks like this<br class=""><br class="">{<br class="">"realm" : "shift" ,<br class="">"realm-public-key" : “ **" ,<br class="">"auth-server-url" : " <a href="http://.../auth" class="">http://.../auth</a> " ,<br class="">"ssl-required" : "none" ,<br class="">"resource" : "shift-server" ,<br class="">"credentials" : {<br class="">"secret" : “ **"<br class="">}<br class="">}<br class=""><br class="">and my client JSON looks like this (although this is not put anywhere in my<br class="">application war)<br class=""><br class="">{<br class="">"realm": "shift",<br class="">"realm-public-key": “***",<br class="">"auth-server-url": " <a href="http://.../auth" class="">http://.../auth</a> ",<br class="">"ssl-required": "none",<br class="">"resource": "shift-ios",<br class="">"public-client": true<br class="">}<br class=""><br class="">I can login in with a correct username and password setting the client id to<br class="">‘shift-ios’. However when I try to access a protected resource like this<br class=""><br class="">GET /shift/feed HTTP/1.1<br class="">Host: www…..com<br class="">Connection: keep-alive<br class="">Accept: */*<br class="">User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0<br class="">Accept-Language: en-us<br class="">Authorization: Bearer<br class="">eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0<br class="">Accept-Encoding: gzip, deflate<br class=""><br class="">where the Bearer header is the access token I get from logging in, then I get<br class="">a 403 unauthorised response.<br class=""><br class="">From a 403 it should mean that the application has successfully authenticated<br class="">the user, but it doesn't have the correct roles.<br class=""><br class="">Have you checked that the application you used to obtain the login has the<br class="">required scope, that the user has the required role mappings, and that your<br class="">bearer-only application is configured to use the correct roles (it can use<br class="">either the roles associated with the resource or the realm,<br class="">'use-resource-role-mappings' configures this and it defaults to false, which<br class="">mean it uses realm roles).<br class=""><br class=""><br class=""><br class=""><br class="">This used to work perfectly in beta 3, but I seem unable to make this work in<br class="">1.0(.1) final.<br class=""><br class="">Could this be because I am using 1.0-core instead of 1.0.1-core<br class=""><br class="">Please help, as this has stopped all work on the product, and I am completely<br class="">stuck. Whats the best way to go about debugging this?<br class=""><br class="">Conrad<br class=""><br class=""><br class="">_______________________________________________<br class="">keycloak-user mailing list<br class=""><a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">https://lists.jboss.org/mailman/listinfo/keycloak-user<br class=""><br class="">_______________________________________________<br class="">keycloak-user mailing list<br class="">keycloak-user@lists.jboss.org<br class="">https://lists.jboss.org/mailman/listinfo/keycloak-user<br class=""><br class=""><br class="">_______________________________________________<br class="">keycloak-user mailing list<br class="">keycloak-user@lists.jboss.org<br class="">https://lists.jboss.org/mailman/listinfo/keycloak-user<br class=""></blockquote></div></blockquote></div><br class=""></div></body></html>