Ok, so further testing shows:
Assigning the `manage-users` role doesn't work; assigning the `manage-realm` role
does allow them to log in to the Security Console, and applying the `manage-users`
role lets them reset passwords. This isn't a good solution though, since
they get access to settings that they shouldn't be able to access.
Seems like the role got broken during the upgrade possibly. Is there a way
to reset or reinstall a role?
--
*Aaron Echols*
On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols <aechols(a)bfcsaz.com> wrote:
Hello All,
I was running 4.1.0.Final and decided to upgrade this week to 4.8.3.Final.
I'm running into an issue where we set a group up with the `manage-users`
Role Mapping. In 4.1.0.Final, the members of said group were able to log in
and reset passwords for users successfully in the realm they are in.
Now when they attempt to access the Security Admin Console under
Applications in their profile, they get the following message on the user
side:
Forbidden
You don't have access to the requested resource.
All I see in the Events log:
LOGIN
Client: security-admin-console
User: <identifier>
IP Address: <local-ip>
Details:
auth_method: openid-connect
auth_type: code
response_type: code
redirect_uri: /auth/admin/realm/console/
consent: no_consent_required
code_id: <code-id>
response_mode: fragment
username: <username>
CODE_TO_TOKEN
Client: security-admin-console
User: <identifier>
Details:
token_id: <token-id>
grant_type: authorization_code
refresh_token_type: refresh
scope: openid
refresh_token_id: <refresh-token-id>
code_id: <code-id>
client_auth_method: client-secret
I've verified that they have the proper roles assigned. Why isn't this
working now, and does anyone have any advice on how to troubleshoot it?
Thanks in advance for any help or recommendations. :)
--
*Aaron Echols*
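As an added example (not from this thread and not Keycloak's own code), one check that helps with exactly this kind of "roles look right in the UI, console still says Forbidden" situation: look at what the access token issued to `security-admin-console` actually carries. Keycloak places client role mappings in the token under `resource_access.<client-id>.roles`, so the `realm-management` roles the group is supposed to grant either show up there or they do not reach the console at all. The tokens below are constructed inline and unsigned (`alg: none`); signature verification is deliberately skipped because this is an offline inspection aid, not an authorization check. The issuer URL and username are made up.

```python
"""Decode a Keycloak access token (without verifying it) and report which
realm-management client roles it carries, to compare against the group's
Role Mapping tab. Added example; sample tokens are constructed below."""
import base64
import json

REALM_MGMT = "realm-management"
# The role the thread's group is supposed to grant for password resets.
PASSWORD_RESET_ROLE = "manage-users"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def realm_management_roles(claims: dict) -> set:
    """Client roles for realm-management, as Keycloak emits them in resource_access."""
    return set(claims.get("resource_access", {}).get(REALM_MGMT, {}).get("roles", []))


def diagnose(token: str) -> dict:
    """Summarise what the console will see: any realm-management role at all
    (needed to get past the Forbidden page) and manage-users specifically."""
    claims = jwt_claims(token)
    roles = realm_management_roles(claims)
    return {
        "azp": claims.get("azp"),
        "username": claims.get("preferred_username"),
        "realm_management_roles": sorted(roles),
        "has_any_realm_management_role": bool(roles),
        "can_reset_passwords": PASSWORD_RESET_ROLE in roles,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token (alg none) for offline testing only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


# Constructed sample claims (assumed issuer URL and username, not real data).
_BASE_CLAIMS = {
    "iss": "https://sso.example.test/auth/realms/example",
    "azp": "security-admin-console",
    "preferred_username": "helpdesk1",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
}
# Mirrors the thread's symptom: login succeeds, but no realm-management roles arrive.
TOKEN_NO_ROLES = make_unsigned_token({**_BASE_CLAIMS, "resource_access": {
    "account": {"roles": ["manage-account", "view-profile"]}}})
# What a working manage-users mapping looks like in the token.
TOKEN_MANAGE_USERS = make_unsigned_token({**_BASE_CLAIMS, "resource_access": {
    "account": {"roles": ["manage-account", "view-profile"]},
    REALM_MGMT: {"roles": ["manage-users", "view-users", "query-users"]}}})

if __name__ == "__main__":
    for name, tok in (("no roles", TOKEN_NO_ROLES), ("manage-users", TOKEN_MANAGE_USERS)):
        print(name, json.dumps(diagnose(tok), indent=2))
```

To use it on a real case, pass the affected user's access token (for example, captured from their browser session after the CODE_TO_TOKEN event above) to `diagnose()`. If `realm_management_roles` comes back empty even though the group's Role Mapping tab shows `manage-users`, the gap is between the group mapping and the issued token (effective role mappings, or the client scopes and protocol mappers that copy client roles into the token), not in the console itself.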