For your application, does the security constraint require a role? My
guess is that the token does not have the role required by the security
constraint in your application.
On 10/5/16 7:48 AM, java(a)neposoft.com wrote:
This is happening in OAuthRequestAuthenticator.java
code snippet:
===
try {
// For COOKIE store we don't have httpSessionId and single
sign-out won't be available
String httpSessionId = deployment.getTokenStore() ==
TokenStore.SESSION ?
reqAuthenticator.changeHttpSessionId(true) : null;
tokenResponse =
ServerRequest.invokeAccessCodeToToken(deployment, code,
strippedOauthParametersRequestUri, httpSessionId);
} catch (ServerRequest.HttpFailure failure) {
log.error("failed to turn code into token");
log.error("status from server: " + failure.getStatus());
if (failure.getStatus() == 400 && failure.getError() != null) {
log.error(" " + failure.getError());
}
return challenge(403,
OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
===
> Further more:
> I am seeing in keycloak logs:
> 07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
> (default task-2) failed to turn code into token
> 07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
> (default task-2) status from server: 403
>
> This is happening after the handshake done with Idp and returned back to
> keycloak oidc.
>
> anyone has any tips.
> Appreciate it.
>
>
>> Hi
>> I'm implementing a solution as shown saml-broker-authentication, trying
>> to
>> protect a war (spring-rest).
>> All configured fine, Keycloak-saml-idp returns fine, am getting a OIDC
>> tocken back from Keycloak , but when it returns back to the URL I was
>> initially hit, I get forbidden.
>> Anyone gone through this pain - any tips? Thank you.
>> John
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user