Re: [keycloak-user] Keycloak adapter with policies returns bad request

Somehow I do not get any logs in keycloak server.log. I've attempted to change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you can give me a pointer to which logger I should change to see the correct logs show up. Besides that I've done some debugging using Postman as well. Using the following request I get the message: { "error": "invalid_client", "error_description": "Bearer-only not allowed" } This is weird to me as the keycloak.json file states that I am connecting to a bearer-only client. Hope this helps to clarify it for you. My keycloak.json configuration file looks like this: { "realm": "development", "bearer-only": true, "auth-server-url": "http://127.0.0.1:8080/auth", "ssl-required": "external", "resource": "backend-client", "use-resource-role-mappings": true, "credentials": { "secret": "SECRETHERE" }, "policy-enforcer": {} } Hope this helps to clarify some of your questions. /Richard Op wo 7 dec. 2016 om 12:47 schreef Pedro Igor <psilva(a)redhat.com&gt;: Do you get anything in server logs ? It may be related with invalid client credentials. On 12/6/2016 12:41:38 PM, Richard van Duijn <rjvduijn(a)gmail.com&gt; wrote: I'm creating a POC application using playframework and angular. The frontend will be protected using the keycloak javascript adapter and the backend rest services will be a bearer-only application. Without the policies turned on in the keycloak.json everything goes well. But when I turn the policies by adding "policy-enforcer": { } on for the rest services, I get an 400 Bad Request response from the Keycloak server during initialization. After some debugging I noticed it had to do with the initialization of the PolicyEnforcer which attempts to call the following server keycloak endpoint: http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-conne... Below you will find the stacktrace and request and response objects. Hope someone can point me in the right direction. For instance how to configure keycloak logging to get some more details on what the reason for the 400 bad request is. Many many thanks! /Richard *Stacktrace*: at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92) at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48) at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112) at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91) at org.keycloak.adapters.authorization.PolicyEnforcer.(PolicyEnforcer.java:57) at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126) at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135) at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53) at com.google.inject.AbstractModule.configure(AbstractModule.java:62) ... many google guice calls ... at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129) at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121) *Request object*: builder = {RequestBuilder@12557} method = "POST" charset = {UTF_8@12563} "UTF-8" version = null uri = {URI@12564} " http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-conne... " headergroup = {HeaderGroup@12565} "[Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]" entity = null parameters = {LinkedList@12566} size = 1 0 = {BasicNameValuePair@12576} "grant_type=client_credentials" config = null *Response object*: HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780 response = {$Proxy16@12554} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780" h = {CloseableHttpResponseProxy@12583} original = {BasicHttpResponse@12584} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780" statusline = {BasicStatusLine@12556} "HTTP/1.1 400 Bad Request" ver = {HttpVersion@12586} "HTTP/1.1" code = 400 reasonPhrase = "Bad Request" entity = {BasicManagedEntity@12555} reasonCatalog = {EnglishReasonPhraseCatalog@12588} locale = {Locale@12589} "en_US" headergroup = {HeaderGroup@12590} "[Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]" params = {ClientParamsStack@12591} _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user