But changing the Postman configuration from OAuth 2.0 to Bearer Token, I see the error has
changed. Now I have a 403 Forbidden.
On 6 December 2018 at 15:08 Joao Paulo Ramos
<jramos(a)redhat.com> wrote:
Hello Luca,
In your webapp's Keycloak Client, try putting it as bearer only.
Also, in the HTTP request that you make, be sure you are setting the
token in the header of the HTTP request, with the following parameter:
{"Authorization" : "bearer " + $TOKEN}
Thanks,
JOÃO PAULO RAMOS
Red Hat Brasil
<https://red.ht/sig>
On Thu, Dec 6, 2018 at 11:13 AM Luca Stancapiano <luca.stancapiano(a)vige.it> wrote:
> I'm trying to call via REST through POSTMAN the list of users through the
> get path: http://localhost:8180/auth/admin/realms/school-domain/users
>
> Here my keycloak configuration where I create 2 users, 4 roles, a 'school'
> client and a 'school-domain' realm:
>
> {
>   "realm": "school-domain",
>   "enabled": true,
>   "accessTokenLifespan": 60,
>   "accessCodeLifespan": 60,
>   "accessCodeLifespanUserAction": 300,
>   "ssoSessionIdleTimeout": 600,
>   "ssoSessionMaxLifespan": 36000,
>   "sslRequired": "external",
>   "registrationAllowed": true,
>   "resetPasswordAllowed": true,
>   "editUsernameAllowed": true,
>   "loginWithEmailAllowed": false,
>   "duplicateEmailsAllowed": true,
>   "privateKey": "MIICXAIBAAKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQABAoGAfmO8gVhyBxdqlxmIuglbz8bcjQbhXJLR2EoS8ngTXmN1bo2L90M0mUKSdc7qF10LgETBzqL8jYlQIbt+e6TH8fcEpKCjUlyq0Mf/vVbfZSNaVycY13nTzo27iPyWQHK5NLuJzn1xvxxrUeXI6A2WFpGEBLbHjwpx5WQG9A+2scECQQDvdn9NE75HPTVPxBqsEd2z10TKkl9CZxu10Qby3iQQmWLEJ9LNmy3acvKrE3gMiYNWb6xHPKiIqOR1as7L24aTAkEAtyvQOlCvr5kAjVqrEKXalj0Tzewjweuxc0pskvArTI2Oo070h65GpoIKLc9jf+UA69cRtquwP93aZKtW06U8dQJAF2Y44ks/mK5+eyDqik3koCI08qaC8HYq2wVl7G2QkJ6sbAaILtcvD92ToOvyGyeE0flvmDZxMYlvaZnaQ0lcSQJBAKZU6umJi3/xeEbkJqMfeLclD27XGEFoPeNrmdx0q10Azp4NfJAY+Z8KRyQCR2BEG+oNitBOZ+YXF9KCpH3cdmECQHEigJhYg+ykOvr1aiZUMFT72HU0jnmQe2FVekuG+LJUt2Tm7GtMjTFoGpf0JwrVuZN39fOYAlo+nTixgeW7X8Y=",
>   "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>   "requiredCredentials": ["password"],
>   "users": [
>     {
>       "username": "root",
>       "enabled": true,
>       "email": "lsflashboss62(a)gmail.com",
>       "credentials": [{"type": "password", "value": "gtn"}],
>       "realmRoles": ["admin"],
>       "clientRoles": {"account": ["manage-account"]}
>     },
>     {
>       "username": "HUHUJJJKJJKN",
>       "enabled": true,
>       "email": "luca.stancapiano(a)vige.it",
>       "firstName": "Luca",
>       "lastName": "Stancapiano",
>       "credentials": [{"type": "password", "value": "gtn"}],
>       "realmRoles": ["pupil"],
>       "clientRoles": {"account": ["manage-account"]}
>     }
>   ],
>   "clients": [
>     {
>       "clientId": "school",
>       "rootUrl": "http://localhost:8080/school",
>       "enabled": true,
>       "redirectUris": ["http://localhost:8080/school/*"],
>       "webOrigins": ["http://localhost:8080"],
>       "publicClient": false,
>       "secret": "bce5816d-98c4-404f-a18d-bcc5cb005c79",
>       "serviceAccountsEnabled": true,
>       "authorizationServicesEnabled": true,
>       "authorizationSettings": {
>         "allowRemoteResourceManagement": true,
>         "policyEnforcementMode": "ENFORCING",
>         "resources": [
>           {
>             "name": "Default Resource",
>             "type": "urn:school:resources:default",
>             "ownerManagedAccess": false,
>             "attributes": {},
>             "_id": "c338b2be-da73-471c-9bb0-77ad52e1f88f",
>             "uris": ["/*"]
>           }
>         ],
>         "policies": [
>           {
>             "id": "edb01393-180e-4d95-afd3-92b3ac5a6d41",
>             "name": "Default Policy",
>             "description": "A policy that grants access only for users within this realm",
>             "type": "js",
>             "logic": "POSITIVE",
>             "decisionStrategy": "AFFIRMATIVE",
>             "config": {
>               "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
>             }
>           },
>           {
>             "id": "1f5dce97-54e3-4dcf-92bd-a2a59120286f",
>             "name": "Default Permission",
>             "description": "A permission that applies to the default resource type",
>             "type": "resource",
>             "logic": "POSITIVE",
>             "decisionStrategy": "UNANIMOUS",
>             "config": {
>               "defaultResourceType": "urn:school:resources:default",
>               "applyPolicies": "[\"Default Policy\"]"
>             }
>           }
>         ],
>         "scopes": []
>       }
>     }
>   ],
>   "roles": {
>     "realm": [
>       {"name": "admin", "description": "Administrator privileges"},
>       {"name": "schooloperator", "description": "School Operator privileges"},
>       {"name": "teacher", "description": "Teacher privileges"},
>       {"name": "pupil", "description": "Pupil privileges"}
>     ]
>   }
> }
>
> Keycloak starts on the 8180 port. I configured POSTMAN with OAuth 2.0.
> Here is the OAuth configuration used to receive the token:
>
> Token Name: Token Name
> Grant Type: Authorization Code
> Callback URL: http://localhost:8080/school
> Auth URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/auth
> Access Token URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/t...
> Client ID: school
> Client Secret: bce5816d-98c4-404f-a18d-bcc5cb005c79
> Client Authentication: Send as Basic Auth header
>
> The Callback URL is an active simple web app starting on the 8080 port.
> The token creation is ok but when I call the server with the created token
> I get a 401 Unauthorized error. What am I missing?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
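The thread ends with the 401 turning into a 403 once the token is sent as a bearer header. The following is an added example, not code from the thread or from Keycloak, that separates the two cases the way a practitioner debugging this would: it builds the `Authorization: Bearer` header for the users endpoint from the original message, decodes the access token's claims (without verifying the signature, purely as a diagnostic) and checks whether the token carries a role of Keycloak's built-in `realm-management` client such as `view-users`, which the admin REST API requires for listing users in a non-master realm. The sample token is constructed and unsigned; the `http_get` parameter is an assumption of this example so that the call can be exercised offline. A realm role merely named `admin`, as in the export above, is a custom role of that realm and does not by itself grant admin API access.

```python
"""Diagnose 401 vs 403 when calling the Keycloak admin REST API with a bearer token."""
import base64
import json
import urllib.error
import urllib.request

# Constructed sample claims (not a real token): what a token for the "root" user
# of the posted realm export would roughly carry. No realm-management roles.
SAMPLE_CLAIMS = {
    "iss": "http://localhost:8180/auth/realms/school-domain",
    "preferred_username": "root",
    "realm_access": {"roles": ["admin"]},
    "resource_access": {"account": {"roles": ["manage-account"]}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature (constructed test data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def auth_header(token: str) -> dict:
    """Header the admin API expects: scheme name, one space, then the raw token."""
    return {"Authorization": f"Bearer {token}"}


def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.
    Diagnostic only: never base an authorization decision on this result."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_admin_roles(claims: dict, needed=("view-users",)) -> list:
    """Roles of the realm-management client that the token does not carry.
    GET /admin/realms/{realm}/users needs view-users (or query-users)."""
    granted = set(
        claims.get("resource_access", {}).get("realm-management", {}).get("roles", [])
    )
    return [role for role in needed if role not in granted]


def explain_status(status: int, token: str) -> str:
    """Turn the HTTP status into the question to ask next."""
    if status == 401:
        return ("401: no usable credential reached the server "
                "(missing or malformed Authorization header, expired or unverifiable token)")
    if status == 403:
        missing = missing_admin_roles(decode_claims(token))
        if missing:
            return "403: token accepted but lacks realm-management roles: " + ", ".join(missing)
        return "403: token carries the roles; check which realm and client issued it"
    return f"{status}: see response body"


def list_users(base_url: str, realm: str, token: str, http_get=None) -> tuple:
    """GET the realm's user list. Returns (status, body). http_get is injectable
    (assumed helper of this example) so the flow can be tested without a server."""
    url = f"{base_url}/auth/admin/realms/{realm}/users"
    if http_get is None:
        def http_get(u, headers):
            req = urllib.request.Request(u, headers=headers)
            try:
                with urllib.request.urlopen(req) as resp:
                    return resp.status, resp.read().decode()
            except urllib.error.HTTPError as err:
                return err.code, err.read().decode()
    return http_get(url, auth_header(token))


if __name__ == "__main__":
    tok = make_unsigned_token(SAMPLE_CLAIMS)
    print(explain_status(403, tok))
```

Against a live server, `list_users("http://localhost:8180", "school-domain", token)` performs the real request; `explain_status` then points at the header when the answer is 401 and at the token's `realm-management` roles when it is 403. The fix on the Keycloak side is to grant the calling user or service account the needed `realm-management` client roles rather than a custom realm role.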