<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Stian<div class=""><br class=""></div><div class="">I worked it out.</div><div class=""><br class=""></div><div class="">I had removed and re-added the user role from the realm after my user had registered. It seems that the default role is assigned at registration time and so if you change it that change is not reflected in existing users.</div><div class=""><br class=""></div><div class="">A surprising behaviour, but I can sort of see why that is.</div><div class=""><br class=""></div><div class="">Conrad</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 22 Sep 2014, at 18:22, Conrad Winchester <<a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi Stian</div><div class=""><br class=""></div><div class="">I have made some progress. I have discovered that if I assign the role ‘user’ to my user account in the ‘role mappings’ section of the keycloak admin screens for that user then access to the resources work. The access token looks like this</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">2014-09-22 18:13:01,057 INFO [com.shift.service.oauth.KeycloakAuthAdapter] (default task-15) Logged in with access token {"name":"shift_141 not provided","email":"<a href="mailto:conrad@chiwestern.com" class="">conrad@chiwestern.com</a>","jti":"997e2a5c-389a-4b57-8a2b-669fcda587f7","exp":1411406281,"nbf":0,"iat":1411405981,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","given_name":"shift_141","family_name":"not provided","preferred_username":"<a href="mailto:conrad@chiwestern.com" class="">conrad@chiwestern.com</a>","email_verified":false,"session_state":"e0ae4a87-18d1-446a-805e-ad9334a1d648","allowed-origins":[],"realm_access":{"roles":["user"]},"resource_access":{}}</div></div><div class=""><br class=""></div><div class="">I get roles:[user]</div><div class=""><br class=""></div><div class="">Isn’t this supposed to happen automatically if the role ‘user’ is the default realm role?</div><div class=""><br class=""></div><div class="">Thanks</div><div class=""><br class=""></div><div class="">Conrad</div><div class=""><br class=""></div><br class=""><div class=""><blockquote type="cite" class=""><div class="">On 22 Sep 2014, at 14:32, Conrad Winchester <<a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi Stian</div><div class=""><br class=""></div><div class="">I am loggin in using the direct grant rest end point with client id as shift-ios</div><div class=""><br class=""></div><div class="">The token I get back looks like this</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">2014-09-22 14:25:34,795 INFO [com.shift.service.oauth.KeycloakAuthAdapter] (default task-1) Logged in with access token {"jti":"c78a0ec1-54fe-40c4-a2c7-d8e58129bf22","exp":1411392634,"nbf":0,"iat":1411392334,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","session_state":"cc0559f9-78a2-4951-afac-48bee4fa9a23","allowed-origins":[],"resource_access":{}}</div></div><div class=""><br class=""></div>Does that help?<div class=""><br class=""></div><div class="">Thanks</div><div class=""><br class=""></div><div class="">Conrad<br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 22 Sep 2014, at 13:28, Stian Thorgersen <<a href="mailto:stian@redhat.com" class="">stian@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">How do you obtain the token? It seems you have two different ways to do this <br class=""><br class="">1) login using KC forms with 'shift-server'<br class="">2) login using direct grant with 'shift-ios'<br class=""><br class="">Is this correct? If so both 'shift-server' and 'shift-ios' has to have a scope on the 'user' realm role. With 'shift-ios' as you're not using any of our adapters you don't need to install the client json for that anywhere. You obviously do need the json config for 'shift-server' (or use the WildFly subsystem to configure through standalone.xml).<br class=""><br class="">If you have the bearer token available you can check the contents of it with:<br class=""><br class=""> System.out.println(new org.keycloak.jose.jws.JWSInput(token).readContentAsString());<br class=""><br class="">It would be helpful if you could send that to me.<br class=""><br class="">----- Original Message -----<br class=""><blockquote type="cite" class="">From: "Conrad Winchester" <<a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a>><br class="">To: "Conrad Winchester" <<a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a>><br class="">Cc: <a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">Sent: Monday, 22 September, 2014 12:17:43 PM<br class="">Subject: Re: [keycloak-user] 1.0.1 Problems & Questions<br class=""><br class="">I have now also tried using application roles, but unfortunately that did not<br class="">change the behaviour at all.<br class=""><br class="">Am I supposed to install the client JSON file anywhere?<br class=""><br class="">Conrad<br class=""><br class=""><br class=""><br class=""><br class=""><br class="">On 22 Sep 2014, at 09:29, Conrad Winchester < <a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a> > wrote<br class=""><br class="">Thanks for this very informative answer.<br class=""><br class="">I will stick with the application being confidential as you have explained<br class="">that this is more correct.<br class=""><br class="">However, WRT roles.<br class=""><br class="">I have a realm role defined as ‘user’<br class="">The client Has this role as an ‘Effective role’ in the admin screens. Full<br class="">scope allowed is off, and there are no application roles assigned (nor are<br class="">they available)<br class="">I have the following in my web.xml<br class=""><br class=""><security-constraint><br class=""><web-resource-collection><br class=""><web-resource-name> shift </web-resource-name><br class=""><url-pattern> /* </url-pattern><br class=""></web-resource-collection><br class=""><auth-constraint><br class=""><role-name> user </role-name><br class=""></auth-constraint><br class=""></security-constraint><br class="">and<br class=""><br class=""><login-config><br class=""><auth-method> KEYCLOAK </auth-method><br class=""><realm-name> shift </realm-name><br class=""></login-config><br class=""><br class=""><security-role><br class=""><role-name> user </role-name><br class=""></security-role><br class="">Is this correct? Have I missed something.<br class=""><br class="">BTW Thanks for the help and thanks for Keycloak - It really is awesome!<br class=""><br class="">Conrad<br class=""><br class=""><br class=""><br class=""><br class="">On 22 Sep 2014, at 09:05, Stian Thorgersen < <a href="mailto:stian@redhat.com" class="">stian@redhat.com</a> > wrote:<br class=""><br class=""><br class=""><br class="">----- Original Message -----<br class=""><br class=""><br class="">From: "Conrad Winchester" < <a href="mailto:conrad@mindless.com" class="">conrad@mindless.com</a> ><br class="">To: <a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">Sent: Monday, 22 September, 2014 8:45:11 AM<br class="">Subject: [keycloak-user] 1.0.1 Problems & Questions<br class=""><br class="">Hi all,<br class=""><br class="">I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some<br class="">serious issues.<br class=""><br class="">First a question: when will keycloak-core 1.0.1 be available from maven<br class="">central? I am having to use 1.0-final in my war - is that compatible with<br class="">1.0.1 keycloak war - which is running on my server.<br class=""><br class="">Should have been there by now (it should be synced within 24h of a release),<br class="">I've contacted the guys in charge to figure out what's going on. In the mean<br class="">time you could add JBoss Nexus (<br class=""><a href="https://developer.jboss.org/wiki/MavenRepository" class="">https://developer.jboss.org/wiki/MavenRepository</a> ) and get it from there.<br class=""><br class=""><br class=""><br class=""><br class="">I upgraded by doing a complete wipe of the keycloak database, and<br class="">reinstalling 1.0.1 over my wildly configuration. I am able to use the<br class="">keycloak admin screens flawlessly.<br class=""><br class="">Now onto my problem.<br class=""><br class="">In 1.0.3-beta I used to have a access type bearer-only application which used<br class="">the rest api to register and login users to keycloak.<br class=""><br class="">After upgrading I have found that even if I set the application to be<br class="">bearer-only, keycloak still throws an invalid redirect uri error whenever I<br class="">try to use the rest end points (surely this should not happen with a<br class="">bearer-only application). In order to fix this I have moved the application<br class="">over to access type confidential (it is sitting on the same server as<br class="">keycloak) - are there any pointers to the correct config for this in 1.0.1?<br class="">Basically my application is the backend to a mobile app that is using<br class="">keycloak for access control - at the moment I am not allowed to use the<br class="">keycloak login/register screens so must proxy it through the server. I am<br class="">now able to register users using this configuration, but would prefer to go<br class="">back to bearer-only<br class=""><br class="">Bearer-only applications should not be able to register or login users at<br class="">all, they should only be able to authenticate using bearer tokens.<br class=""><br class=""><br class=""><br class=""><br class="">I also have a Direct Grant Only client which I use for the mobile application<br class="">itself. I am able to get an access token by using the<br class="">TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to<br class="">access a resource with that bearer token set in the header I am still<br class="">getting an unauthorised response.<br class=""><br class="">My applications keycloak.json looks like this<br class=""><br class="">{<br class="">"realm" : "shift" ,<br class="">"realm-public-key" : “ **" ,<br class="">"auth-server-url" : " <a href="http://.../auth" class="">http://.../auth</a> " ,<br class="">"ssl-required" : "none" ,<br class="">"resource" : "shift-server" ,<br class="">"credentials" : {<br class="">"secret" : “ **"<br class="">}<br class="">}<br class=""><br class="">and my client JSON looks like this (although this is not put anywhere in my<br class="">application war)<br class=""><br class="">{<br class="">"realm": "shift",<br class="">"realm-public-key": “***",<br class="">"auth-server-url": " <a href="http://.../auth" class="">http://.../auth</a> ",<br class="">"ssl-required": "none",<br class="">"resource": "shift-ios",<br class="">"public-client": true<br class="">}<br class=""><br class="">I can login in with a correct username and password setting the client id to<br class="">‘shift-ios’. However when I try to access a protected resource like this<br class=""><br class="">GET /shift/feed HTTP/1.1<br class="">Host: www…..com<br class="">Connection: keep-alive<br class="">Accept: */*<br class="">User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0<br class="">Accept-Language: en-us<br class="">Authorization: Bearer<br class="">eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0<br class="">Accept-Encoding: gzip, deflate<br class=""><br class="">where the Bearer header is the access token I get from logging in, then I get<br class="">a 403 unauthorised response.<br class=""><br class="">From a 403 it should mean that the application has successfully authenticated<br class="">the user, but it doesn't have the correct roles.<br class=""><br class="">Have you checked that the application you used to obtain the login has the<br class="">required scope, that the user has the required role mappings, and that your<br class="">bearer-only application is configured to use the correct roles (it can use<br class="">either the roles associated with the resource or the realm,<br class="">'use-resource-role-mappings' configures this and it defaults to false, which<br class="">mean it uses realm roles).<br class=""><br class=""><br class=""><br class=""><br class="">This used to work perfectly in beta 3, but I seem unable to make this work in<br class="">1.0(.1) final.<br class=""><br class="">Could this be because I am using 1.0-core instead of 1.0.1-core<br class=""><br class="">Please help, as this has stopped all work on the product, and I am completely<br class="">stuck. Whats the best way to go about debugging this?<br class=""><br class="">Conrad<br class=""><br class=""><br class="">_______________________________________________<br class="">keycloak-user mailing list<br class=""><a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class=""><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br class=""><br class="">_______________________________________________<br class="">keycloak-user mailing list<br class=""><a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">https://lists.jboss.org/mailman/listinfo/keycloak-user<br class=""><br class=""><br class="">_______________________________________________<br class="">keycloak-user mailing list<br class="">keycloak-user@lists.jboss.org<br class="">https://lists.jboss.org/mailman/listinfo/keycloak-user<br class=""></blockquote></div></blockquote></div><br class=""></div></div>_______________________________________________<br class="">keycloak-user mailing list<br class=""><a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class=""><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div></blockquote></div><br class=""></div>_______________________________________________<br class="">keycloak-user mailing list<br class=""><a href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</div></blockquote></div><br class=""></div></body></html>