Running the app in a separate server is not a problem.

If you delete the "protected resource" you will get 403 because there is no
resource granting access to "/", "/index.jsp" or "/protected/*".

Maybe what you are trying to achieve is some way to update URIs in Keycloak
and have those changes recognized by the policy enforcer in front of your
app? If so, you can disable the cache of paths/URIs by adding the following
config to your policy-enforcer in keycloak.json:

    "path-cache": {
        "lifespan": 0,
        "max-entries": 0
    }

This will make the PEP invoke the server all the time for resource and path
mapping.

By default, resource/path mapping is enabled and that avoids hits to the
server in order to fetch resources and their URIs.
On Tue, Aug 28, 2018 at 12:27 PM, keycloak demo <testoauth55(a)gmail.com> wrote:
Thanks Pedro for quick turnaround.

I have taken keycloak 4.3 installation. I imported the new realm and ran
the app. However, still facing the same issue. *I am able to login with
special user. But I am also able to login with jdoe (premium user) and
alice (normal user) when actually only special user should be allowed and
other 2 denied.* Also, in all 3 cases, I get only 1 item in permission
list i.e. Protected resource (resource having URI: */**):

[Permission {id=ce71e506-d2f5-4c8b-8c2b-00f282bfb7d5, name=Protected
Resource, scopes=[urn:servlet-authz:protected:resource:access]}]

*ALSO, I had to make a couple of changes for realm to work:*

*1.* Just like I mentioned in my previous email, I changed port number in
the client URLs to 7200 as my app is running on jetty on a different port
outside keycloak. *(Could this be the reason that app is running on a
different port and keycloak/wildfly is running on a different port?)*

*2.* Second change I did was make Valid redirect URI as * in Client
settings. I was getting 400 on specifying: http://localhost:7200/myapp/*
*(could this be an issue?)*

NOTE: 403 would start coming if I delete resource named Protected
Resource.
On Tue, Aug 28, 2018 at 7:20 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
> Hi,
>
> Could you please check changes I did in this branch
> https://github.com/pedroigor/keycloak-quickstarts/tree/tmp ?
>
> Basically, I have modified the realm settings to :
>
> * Include a new user granted with a "special" realm role
> * Included a new "Special Resource" mapping to "/secure/role/*"
> * Include permission for "Special Resource" granting access only for
> users with "special" role
>
> It seems to be working fine, but maybe I'm still missing something. Would
> be nice if you could look at my changes, import the realm settings and
> check how it is working.
>
> In addition to that, could you please try running Keycloak 4.3.0.Final?
>
> Regards.
> Pedro Igor
>
>
> On Tue, Aug 28, 2018 at 2:37 AM, keycloak demo <testoauth55(a)gmail.com>
> wrote:
>
>> Thanks Pedro for the update.
>>
>> Just to add details to my previous mail: From the sample app /
>> quickstart app-authz-jee-servlet
>> <https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-je...>:
>> I use *jdoe* user to login which has premium permissions, but when I
>> debug, I get only Protected resource in the permission list:
>>
>> *Permission {id=1ace954c-3de5-4f33-83f7-2822ce2b35fe, name=Protected
>> Resource, scopes=[urn:servlet-authz:protected:resource:access]} *
>>
>> Only change I have done in realm imported from sample is replace root &
>> base url in client: http://localhost:8080/authz-servlet with
>> http://localhost:7200/myapp
>> and the premium resource URI: /protected/premium/* with /secure/role/*
>>
>> (The URL I am accessing with above config and user jdoe on my client app
>> is: http://localhost:7200/myapp/secure/role)
>>
>> Could this be an issue that in my case my client app is running on a
>> different port (as it is outside the wildfly server that is running
>> keycloak)?
>>
>> On Mon, Aug 27, 2018 at 7:30 PM Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Thanks for continuing to look at this. Let's do this, I'll do the same
>>> steps using Jetty to reproduce the issue, will let you know during this
>>> week once I have something to share.
>>>
>>> Another weird thing is that the example actually should return all
>>> permissions and make them available after the login. Will check how this is
>>> working with Jetty too. The tests we have in the quickstarts are
>>> wildfly based ....
>>>
>>> On Mon, Aug 27, 2018 at 8:22 AM, keycloak demo <testoauth55(a)gmail.com>
>>> wrote:
>>>
>>>> I have tried 1 more thing: I have imported realm from one of the
>>>> keycloak quickstarts
>>>> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet
>>>> and only replaced the URLs with my application URLs.
>>>>
>>>> But I get the same error *if* I remove the resource containing URI as
>>>> */** (resource name is: *Protected Resource*). Furthermore, if I
>>>> keep this resource (/*), I am able to authorize a user but putting a
>>>> debugger in client app showed that authContext Permission list contains
>>>> only 1 resource i.e. Protected Resource. Although the user which
>>>> authenticated was assigned the role contained in resource name: Premium
>>>> Resource. So ideally the Permission list must have contained this
>>>> resource as well. (I am mentioning the names - Protected, Premium as
>>>> mentioned in the keycloak quick start). I put in /* URI in my original
>>>> app and 403 stopped. But the permission array contained only this
>>>> resource (with URI /*)
>>>>
>>>> java.util.List<Permission> perms = authzContext.getPermissions();
>>>>
>>>> *To summarize the above test:*
>>>> *I get 403 error if a resource containing URI /* is not present. If a
>>>> URI containing /* is present, then I get only this resource in the
>>>> Permissions Array / List in the java client app even if the resource
>>>> with specific URI like /app/secure contains valid role/policy/permission.
>>>> Also the evaluate API available under Authorization option shows result
>>>> as permit.*
>>>>
>>>> *Screenshots present here:*
>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error...
>>>>
>>>>
>>>> On Mon, Aug 20, 2018 at 12:07 PM keycloak demo <testoauth55(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Pedro,
>>>>>
>>>>> Yes default permissions grant access to any resource in my
>>>>> application (uri == /*). But problem starts when I specify a resource
>>>>> with specific URI (as described in configuration in my previous email
>>>>> and also here:
>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>> ).
>>>>>
>>>>> Just to summarize the real problem:
>>>>>
>>>>> Apart from default resource having `/*`, I have a second resource
>>>>> having URI: /secure/role/* and this resource also has a role
>>>>> based policy to allow access to only users having role "special", the
>>>>> expected behavior is the users who don't have role "special" should not be
>>>>> able to access this resource, right?
>>>>>
>>>>> But I am able to access this resource with any user, any role. So I
>>>>> thought that maybe default resource URI with '/*' is overriding behavior
>>>>> of second resource, so I changed default resource URI to '/test/*', and
>>>>> then I started receiving 403 error for accessing both '/test' as well as
>>>>> second resource '/secure/role/*' for all users including user
>>>>> with "special" role assigned.
>>>>>
>>>>> I looked into realm resource configuration in one of the quick starts
>>>>> and the only difference I found was that quick start resources specify
>>>>> scope in each of resources whereas I have kept it blank. Could this be an
>>>>> issue?
>>>>>
>>>>> I understand you already spent time in trying to resolve this but
>>>>> problem still persists.
>>>>>
>>>>> On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo <
>>>>>> testoauth55(a)gmail.com> wrote:
>>>>>>
>>>>>>> Pedro,
>>>>>>>
>>>>>>> After further debugging I found out that following line in keycloak
>>>>>>> json is causing the issue: "policy-enforcer": {}. If I remove
>>>>>>> this line, then 403 error is removed but I guess doing this disables
>>>>>>> authorization altogether. 2 questions on this:
>>>>>>> 1. When I have configured policies on the Admin console under the
>>>>>>> authorization tab, why is this empty?
>>>>>>>
>>>>>>
>>>>>> I'm not sure. When you enable authorization services for a client,
>>>>>> default resource/permissions are created, where these permissions grant
>>>>>> access to any resource in your application (uri == /*).
>>>>>>
>>>>>>
>>>>>>> 2. Is there a way to put some default values (not manually) in here
>>>>>>> to make authorization work?
>>>>>>>
>>>>>>
>>>>>> Like I said, when you just enable the authorization services switch,
>>>>>> default settings are created automatically.
>>>>>>
>>>>>> Did you try to run any of our quickstarts?
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <
>>>>>>> psilva(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> Yeah, it should be relative. I was wondering if the correct URI
>>>>>>>> would be '/keycloak/secure/role' instead.
>>>>>>>>
>>>>>>>> In any case, I would ask you to try the same deployment using
>>>>>>>> tomcat or wildfly to see how it goes. We have a few quickstarts running on
>>>>>>>> these two. Maybe you could also try to enable DEBUG log level to see how
>>>>>>>> the policy enforcer is matching URIs to your resources.
>>>>>>>>
>>>>>>>> If none of them work, I can give a try and run jetty.
>>>>>>>>
>>>>>>>> Regards.
>>>>>>>> Pedro Igor
>>>>>>>>
>>>>>>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <
>>>>>>>> testoauth55(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Pedro, thanks for replying. I tried putting the absolute URI, but
>>>>>>>>> it does not work either. The documentation anyway states that the URI in
>>>>>>>>> resource can be relative to client root URL which I have configured to be
>>>>>>>>> http://localhost:7200/{app}/keycloak, therefore putting relative URI
>>>>>>>>> '/secure/role' in resource should be equivalent to putting absolute URI:
>>>>>>>>> 'http://localhost:7200/{app}/keycloak/secure/role'. Do you think
>>>>>>>>> there is something else I can try?
>>>>>>>>>
>>>>>>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Your configuration looks correct. But I noticed that in the
>>>>>>>>>> postman request you are sending requests to
>>>>>>>>>> `http://localhost:7200/{app}/keycloak/secure/role`. However
>>>>>>>>>> in your resource definition the URI is configured to `/secure/role`. Both
>>>>>>>>>> URIs should match otherwise the adapter won't be able to map the URI in
>>>>>>>>>> your application to a resource in Keycloak (and related permissions).
>>>>>>>>>>
>>>>>>>>>> Regards.
>>>>>>>>>> Pedro Igor
>>>>>>>>>>
>>>>>>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55(a)gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> With all the configuration (shared below), when I test using the
>>>>>>>>>>> evaluate option under authorization tab, result is permit:
>>>>>>>>>>>
>>>>>>>>>>> *But when I make a request to this resource
through postman, I
>>>>>>>>>>> get 403.*
>>>>>>>>>>>
>>>>>>>>>>> *Which part of configuration is wrong which
is leading to 403
>>>>>>>>>>> error?*
>>>>>>>>>>>
>>>>>>>>>>> CONFIGURATION:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> *Detailed configuration with images shown here:*
>>>>>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>>>>>>>
>>>>>>>>>>> *1.* Following the
>>>>>>>>>>> https://www.keycloak.org/docs/4.2/authorization_services/ , I created a
>>>>>>>>>>> realm role: *role_special_user* and created a user: *user_special* with
>>>>>>>>>>> this role and role *user*.
>>>>>>>>>>>
>>>>>>>>>>> *2.* Next, my resource server / client is with *full scope enabled*:
>>>>>>>>>>>
>>>>>>>>>>> *3.* Under authorization tab, I created a resource with the role based
>>>>>>>>>>> policy.
>>>>>>>>>>>
>>>>>>>>>>> *4.* Now, keycloak json is:
>>>>>>>>>>>
>>>>>>>>>>> {
>>>>>>>>>>>   "realm": "demo12",
>>>>>>>>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>>>>>>>>   "ssl-required": "none",
>>>>>>>>>>>   "resource": "server12",
>>>>>>>>>>>   "credentials": {
>>>>>>>>>>>     "secret": "XXXXXXX"
>>>>>>>>>>>   },
>>>>>>>>>>>   "confidential-port": 0,
>>>>>>>>>>>   "policy-enforcer": {}
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> *5.* And Keycloak Jetty adapter configuration is:
>>>>>>>>>>>
>>>>>>>>>>> import java.io.InputStream;
>>>>>>>>>>> import com.fasterxml.jackson.annotation.JsonInclude;
>>>>>>>>>>> import com.fasterxml.jackson.databind.ObjectMapper;
>>>>>>>>>>> import org.eclipse.jetty.security.ConstraintMapping;
>>>>>>>>>>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>>>>>>>>>> import org.eclipse.jetty.util.security.Constraint;
>>>>>>>>>>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>>>>>>>>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>>>>>>>>>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>>>>>>>>>
>>>>>>>>>>> // Load keycloak.json from the classpath and parse it into an AdapterConfig
>>>>>>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>>>>>>>> InputStream is = Thread.currentThread().getContextClassLoader()
>>>>>>>>>>>         .getResourceAsStream(KEYCLOAK_JSON);
>>>>>>>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>>>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>>>>>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>>>>>>>
>>>>>>>>>>> // Hand the parsed config to the Jetty authenticator; the AdapterConfig
>>>>>>>>>>> // is not itself an authenticator, so it cannot be assigned directly
>>>>>>>>>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>>>>>>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>>>>>>>>
>>>>>>>>>>> // Require an authenticated user (any role, "**") on every path; the
>>>>>>>>>>> // fine-grained decision is then left to the policy enforcer from keycloak.json
>>>>>>>>>>> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>>>>>>> ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>>>>>> constraintMapping.setPathSpec("/*");
>>>>>>>>>>> Constraint constraint = new Constraint();
>>>>>>>>>>> constraint.setAuthenticate(true);
>>>>>>>>>>> constraint.setRoles(new String[]{"**"});
>>>>>>>>>>> constraintMapping.setConstraint(constraint);
>>>>>>>>>>> securityHandler.addConstraintMapping(constraintMapping);
>>>>>>>>>>> securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>>>>>> context.setSecurityHandler(securityHandler);
>>>>>>>>>>>
>>>>>>>>>>> *6.* Also, the decoded jwt token sample is:
>>>>>>>>>>>
>>>>>>>>>>> {
>>>>>>>>>>>   "jti": "XXXXXXX",
>>>>>>>>>>>   "exp": 1533798704,
>>>>>>>>>>>   "nbf": 0,
>>>>>>>>>>>   "iat": 1533798404,
>>>>>>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>>>>>>   "aud": "server12",
>>>>>>>>>>>   "sub": "XXXXXXX",
>>>>>>>>>>>   "typ": "Bearer",
>>>>>>>>>>>   "azp": "server12",
>>>>>>>>>>>   "auth_time": 1533798404,
>>>>>>>>>>>   "session_state": "XXXXXX",
>>>>>>>>>>>   "acr": "1",
>>>>>>>>>>>   "allowed-origins": [],
>>>>>>>>>>>   "realm_access": {
>>>>>>>>>>>     "roles": [
>>>>>>>>>>>       "role_special_user",
>>>>>>>>>>>       "offline_access",
>>>>>>>>>>>       "uma_authorization",
>>>>>>>>>>>       "user"
>>>>>>>>>>>     ]
>>>>>>>>>>>   },
>>>>>>>>>>>   "resource_access": {
>>>>>>>>>>>     "server12": {
>>>>>>>>>>>       "roles": [
>>>>>>>>>>>         "uma_protection"
>>>>>>>>>>>       ]
>>>>>>>>>>>     },
>>>>>>>>>>>     "account": {
>>>>>>>>>>>       "roles": [
>>>>>>>>>>>         "manage-account",
>>>>>>>>>>>         "manage-account-links",
>>>>>>>>>>>         "view-profile"
>>>>>>>>>>>       ]
>>>>>>>>>>>     }
>>>>>>>>>>>   },
>>>>>>>>>>>   "scope": "openid email profile",
>>>>>>>>>>>   "email_verified": false,
>>>>>>>>>>>   "preferred_username": "user_special"
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
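A complete keycloak.json for the setup discussed in this thread, added here as an example and not taken from any of the participants' messages: it assumes the realm, client and resource names used above (demo12, server12, "Protected Resource" on /*, "Special Resource" on /secure/role/*), declares the path-to-resource mapping explicitly in the adapter instead of relying only on the URIs stored in the Keycloak server, and disables the path cache as described in the reply at the top of the thread.

```json
{
  "realm": "demo12",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "none",
  "resource": "server12",
  "credentials": {
    "secret": "XXXXXXX"
  },
  "confidential-port": 0,
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "path-cache": {
      "lifespan": 0,
      "max-entries": 0
    },
    "paths": [
      {
        "name": "Special Resource",
        "path": "/secure/role/*"
      },
      {
        "name": "Protected Resource",
        "path": "/*"
      }
    ]
  }
}
```

With "enforcement-mode" set to ENFORCING (the default) a request whose path maps to no resource is denied, which is why deleting the /* resource turns every otherwise unmapped path such as "/" or "/index.jsp" into a 403; PERMISSIVE lets such unmapped paths through while still evaluating the permissions of the paths that do map to a resource.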