Hi,
I'm having problems setting up a postman collection to test my REST APIs.
I first created the REST API without protecting it and tested it with
Postman without a problem.
I then added protection with Keycloak and ran into issues with Postman (403
error). I wasn't sure if the problem was in my authorization
configuration or in my Postman collection. So, to make sure it wasn't an
authorization configuration problem, I decided to create a Postman
collection and use the photoz example as a model. In my Postman script, I
want to access photoz-restful-api but I'm still getting 403 error. The
photoz example does work when I use my web browser.
Here's what I did:
I added a postman client in keycloak under the photoz realm:
Client Id: postman
Protocol: openid-connect
Access Type: public
Direct Access enabled: ON
In Postman, I created 2 requests, one to get a token and the other one to
retrieve the list of albums for the jdoe user.
Here are the 2 requests:
POST
http://localhost:8080/auth/realms/photoz/protocol/openid-connect/token
Content-Type:"application/x-www-form-urlencoded"
with the following body:
client_id:postman
grant_type:password
username:jdoe
password:jdoe
I'm receiving this response (tokens truncated for readability):
{
"access_token": "eyJhbGciOiJS...",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJS...",
"token_type": "bearer",
"id_token": "eyJhbGciOiJSUzI1N...",
"not-before-policy": 0,
"session_state": "cf71f9c6-78cc-4a41-8026-aca4eb86c9cd"
}
In the Tests tab of the request (still in postman), I extracted the access
token out of the response like this:
var tokens=JSON.parse(responseBody);
postman.setGlobalVariable("kcAccessToken", tokens.access_token);
===============
Here's how I created the GET album request
GET
http://localhost:8080/photoz-restful-api/album/
Headers:
key=Authorization
value=Bearer {{kcAccessToken}}
I'm getting a 403 Forbidden error.
I'm obviously doing something wrong. Can anybody please tell me what I'm doing wrong?
Thanks,
Stephane