Re: [keycloak-user] Is it possible to use a non Keycloak client to call a Keycloak secured Rest services?

Please elaborate on your code to obtain a token. Your client (not user) may not have the scope you need and the token may not be getting set with the desired role mappings. On 7/15/2014 3:15 PM, Christina Lau wrote: > Hi Bill, further to last comment, i.e. although I can get the token, > when I use it to call the same Rest service, I am getting 403 instead. > > I don’t know if this helps or not, but I have also noticed that the > console produced different output: > > *Using non-keycloak client (Did not work - get 403)* > > 15:05:28,228 INFO [org.keycloak.services.resources.TokenService] > (default task-1) no authorization header > 15:05:28,345 INFO [org.keycloak.audit] (default task-1) event=LOGIN, > realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=admin-client, > userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, > username=roger(a)mailinator.com <mailto:username=roger@mailinator.com>, > response_type=token, auth_method=oauth_credentials, > refresh_token_id=3730424f-a718-4be8-a9fc-a090e5932564, > token_id=dd1bfeaa-54b1-4824-a6fe-d14eb1ae6f97 > 15:05:28,547 INFO [org.keycloak.adapters.RequestAuthenticator] (default > task-2) --> authenticate() > 15:05:28,548 INFO [org.keycloak.adapters.RequestAuthenticator] (default > task-2) try bearer > 15:05:28,566 INFO > [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default > task-2) checking whether to refresh. > 15:05:28,566 INFO > [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default > task-2) use realm role mappings > 15:05:28,571 INFO > [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default > task-2) propagate security context to wildfly > 15:05:28,571 INFO [org.keycloak.adapters.RequestAuthenticator] (default > task-2) Bearer AUTHENTICATED > > > *Using keycloak app (similar to customer-cli sample) Work* > > 15:06:30,254 INFO [org.keycloak.services.resources.TokenService] > (default task-1) createLogin() now... > 15:06:39,965 INFO [org.keycloak.audit] (default task-2) event=LOGIN, > realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak, > userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, > username=roger(a)mailinator.com <mailto:username=roger@mailinator.com>, > response_type=code, redirect_uri=http://localhost:59999, > auth_method=form, code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946 > 15:06:39,966 INFO > [org.keycloak.services.managers.AuthenticationManager] (default > task-2) createLoginCookie > 15:06:39,966 INFO > [org.keycloak.services.managers.AuthenticationManager] (default > task-2) createIdentityToken > 15:06:40,092 INFO [org.keycloak.services.resources.TokenService] > (default task-3) no authorization header > 15:06:40,119 INFO [org.keycloak.audit] (default task-3) > event=CODE_TO_TOKEN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, > clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, > ipAddress=127.0.0.1, > refresh_token_id=476b2f86-3df4-4cf6-8d51-55aa70264346, > code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946, > token_id=be0358ab-2c28-4bdc-a95c-681b63095217 > 15:06:46,567 INFO [org.keycloak.adapters.RequestAuthenticator] (default > task-4) --> authenticate() > 15:06:46,568 INFO [org.keycloak.adapters.RequestAuthenticator] (default > task-4) try bearer > 15:06:46,584 INFO > [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default > task-4) checking whether to refresh. > 15:06:46,584 INFO > [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default > task-4) use realm role mappings > 15:06:46,589 INFO > [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default > task-4) propagate security context to wildfly > 15:06:46,590 INFO [org.keycloak.adapters.RequestAuthenticator] (default > task-4) Bearer AUTHENTICATED > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com