Is there any news on this? I tried it on beta-4 on wildfly and I still get
the same response.
On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
wrote:
I made sure of all that, I just recreated everything using realm roles
just for the sake of completeness, but I'm still getting a 403
On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva) <
vivsriva(a)cisco.com> wrote:
> Make sure you have the following settings configured for your database
> service:
>
>
>
>
>
> In the web.xml, make sure you have the security setup with the
> appropriate user role:
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>          version="3.0">
>
>     <module-name>database</module-name>
>     <security-constraint>
>         <web-resource-collection>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <!-- <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint> -->
>         <auth-constraint>
>             <role-name>user</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>     <login-config>
>         <auth-method>KEYCLOAK</auth-method>
>         <realm-name>demo</realm-name>
>     </login-config>
>
>     <security-role>
>         <role-name>user</role-name>
>     </security-role>
> </web-app>
>
>
>
> From: Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
> Date: Tuesday, July 29, 2014 at 12:51 PM
> To: Bill Burke <bburke(a)redhat.com>
> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Subject: Re: [keycloak-user] Bearer Only Application access with token
>
> It is defined under the application itself, so it's under the scope.
> This should be working, right?
>
>
> On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke(a)redhat.com> wrote:
>
>> What kind of role is it? Is the new role defined under the
>> "database-service" application? If not, then you must add this role to
>> the "database-service"'s scope in the admin console.
>>
>> On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
>> > Hi,
>> >
>> > I'm trying to secure a bearer-only application with keycloak, to access
>> > it with access tokens, but I think I'm missing something.
>> >
>> > I tried it with the database-service of the unconfigured demo.
>> >
>> > 1. I created the user role in the application.
>> > 2. I assigned that role to my user
>> > 3. I copied the contents of the installation json to
>> > *webapp/META-INF/keycloak.json*
>> >
>> > {
>> >   "realm": "demo",
>> >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
>> >   "bearer-only": true,
>> >   "ssl-not-required": true,
>> >   "resource": "database-service",
>> >   "use-resource-role-mappings": true
>> > }
>> >
>> > 4. Set the auth-method to *KEYCLOAK* on web.xml
>> > 5. Started the server deploying the *database-service*
>> > 6. Generated a token using *security-admin-console* client_id and my user
>> > 7. Submitted a GET request to /localhost:8080/database/customers/
>> >
>> > After these steps I get a 403 error, saying that I'm not authorized to
>> > access the resource, wasn't this supposed to work?
>> >
>> > --
>> > Rodrigo Sasaki
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>
>
>
> --
> Rodrigo Sasaki
>
--
Rodrigo Sasaki
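
A debugging aid for the 403 discussed in this thread, added here and not part of any poster's message or of Keycloak's own code: it decodes an access token's claims and lists the roles a bearer-only adapter configured like the keycloak.json above would compare against the role in web.xml. The claim names `realm_access` and `resource_access` are assumed from Keycloak's usual access-token layout; the helper names and sample tokens are constructed for illustration.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT's claims segment. No signature check: for debugging only."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def roles_seen_by_adapter(claims: dict, adapter_cfg: dict) -> set:
    """Roles that web.xml's <auth-constraint> is matched against, per keycloak.json."""
    if adapter_cfg.get("use-resource-role-mappings", False):
        # Application-level roles, keyed by the "resource" name (assumed claim layout).
        access = claims.get("resource_access", {}).get(adapter_cfg["resource"], {})
    else:
        access = claims.get("realm_access", {})  # realm-level roles
    return set(access.get("roles", []))


def explain(token: str, adapter_cfg: dict, required_role: str) -> str:
    """Return "ok", or the reason the role check would end in a 403."""
    roles = roles_seen_by_adapter(jwt_claims(token), adapter_cfg)
    if required_role in roles:
        return "ok"
    return "403 expected: role %r not among %s" % (required_role, sorted(roles))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])


# keycloak.json values from the thread (public key omitted, it is not needed here).
ADAPTER_CFG = {"realm": "demo", "resource": "database-service",
               "bearer-only": True, "use-resource-role-mappings": True}
# Constructed claims: realm role "user" only, no database-service application role.
REALM_ONLY = make_sample_token({"sub": "constructed-user",
                                "realm_access": {"roles": ["user"]}})
# Constructed claims: the application role is in the token as well.
WITH_APP_ROLE = make_sample_token({"sub": "constructed-user",
                                   "realm_access": {"roles": ["user"]},
                                   "resource_access": {"database-service": {"roles": ["user"]}}})

if __name__ == "__main__":
    for tok in (REALM_ONLY, WITH_APP_ROLE):
        print(explain(tok, ADAPTER_CFG, "user"))
```

The decoder skips signature verification on purpose, so it is only suitable for inspecting a token you already hold, never for authorizing a request.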