Re: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

Pedro, After further debugging I found out that following line in keycloak json is causing the issue: "policy-enforcer": {}. If I remove this line, then 403 error is removed but I guess doing this disables authorization altogether. 2 questions on this: 1. When I have configured policies on the Admin console under the authorization tab, why is this empty?

2. Is there a way to put some default values (not manually) in here to make authorization work?

On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: > Yeah, it should be relative. I was wondering if the correct URI would be > '/keycloak/secure/role' instead. > > In any case, I would ask you to try the same deployment using tomcat or > wildfly to see how it goes. We have a few quickstarts running on these two. > Maybe you could also try to enable DEBUG log level to see how the policy > enforcer is matching URIs to your resources. > > If none of them work, I can give a try and run jetty. > > Regards. > Pedro Igor > > On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <testoauth55(a)gmail.com&gt; > wrote: > >> Pedro, thanks for replying. I tried putting the absolute URI,but it does >> not work either. The documentation anyway states that the URI in resource >> can be relative to client root URL which I have configured to be >> http://localhost:7200/{app}/keycloak , therefore putting relateve URI '/secure/role' >> in resource should be equivalent to putting absolute URI : >> http://localhost:7200/{app}/keycloak/secure/role';. Do you think, there >> is something else I can try? >> >> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva(a)redhat.com&gt; >> wrote: >> >>> Hi, >>> >>> Your configuration looks correct. But I noticed that in the postman >>> request you are sending requests to `http://localhost:7200/{app}/k >>> eycloak/secure/role` >>> <http://localhost:7200/%7Bapp%7D/keycloak/secure/role>;. However in >>> your resource definition the URI is configured to `/secure/role`. Both URIs >>> should match otherwise the adapter won't be able to map the URI in your >>> application to a resource in Keycloak (and related permissions). >>> >>> Regards. >>> Pedro Igor >>> >>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55(a)gmail.com&gt; >>> wrote: >>> >>>> With all the configuration(shared below), when I test using the >>>> evaluate >>>> option under authorization tab, result is permit: >>>> >>>> *But when I make a request to this resource through postman, I get >>>> 403.* >>>> >>>> *Which part of configuration is wrong which is leading to 403 error?* >>>> >>>> CONFIGURATION: >>>> >>>> >>>> *Detailed configuration with images shown here:* >>>> >>>> *https://stackoverflow.com/questions/51761779/keycloak-403-f >>>> orbidden-error-while-accessing-rest-resource-where-as-evaluate-api >>>> <https://stackoverflow.com/questions/51761779/keycloak-403-f >>>> orbidden-error-while-accessing-rest-resource-where-as-evaluate-api>* >>>> >>>> *1.* Following the <goog_1387888133> >>>> https://www.keycloak.org/docs/4.2/authorization_services/ , I created >>>> a >>>> realm role : *role_special_user* and created a user : *user_special* >>>> with >>>> this role and role *user*. >>>> >>>> *2.* Next, my resource server / client is with *full scope enabled*: >>>> *3.* Under authorization tab, I created a resource with the role based >>>> policy is. >>>> >>>> *4.* Now, keycloak json is: >>>> >>>> { >>>> "realm": "demo12", >>>> "auth-server-url": "http://localhost:8180/auth", >>>> "ssl-required": "none", >>>> "resource": "server12", >>>> "credentials": { >>>> "secret": "XXXXXXX" >>>> }, >>>> "confidential-port": 0, >>>> "policy-enforcer": {}} >>>> >>>> *5.* And Keycloak Jetty adapter configuration is: >>>> >>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH; >>>> InputStream is = >>>> Thread.currentThread().getContextClassLoader().getResourceAs >>>> Stream(KEYCLOAK_JSON);AdapterConfig >>>> keyCloakConfig;ObjectMapper mapper = new ObjectMapper(new >>>> SystemPropertiesJsonParserFactory()); >>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT); >>>> keyCloakConfig = mapper.readValue(is, AdapterConfig.class); >>>> KeycloakJettyAuthenticator kcAuthenticator = >>>> KeyCloakConfig;if(kcAuthenticator != null) { >>>> ConstraintSecurityHandler securityHandler = new >>>> ConstraintSecurityHandler(); >>>> ConstraintMapping constraintMapping = new ConstraintMapping(); >>>> constraintMapping.setPathSpec("/*"); >>>> Constraint constraint = new Constraint(); >>>> constraint.setAuthenticate(true); >>>> constraint.setRoles(new String[]{"**"}); >>>> constraintMapping.setConstraint(constraint); >>>> securityHandler.addConstraintMapping(constraintMapping); >>>> securityHandler.setAuthenticator(kcAuthenticator); >>>> context.setSecurityHandler(securityHandler);} >>>> >>>> *6.* Also, the decoded jwt token sample is: >>>> >>>> { >>>> "jti": "XXXXXXX", >>>> "exp": 1533798704, >>>> "nbf": 0, >>>> "iat": 1533798404, >>>> "iss": "http://localhost:8180/auth/realms/demo12", >>>> "aud": "server12", >>>> "sub": "XXXXXXX", >>>> "typ": "Bearer", >>>> "azp": "server12", >>>> "auth_time": 1533798404, >>>> "session_state": "XXXXXX", >>>> "acr": "1", >>>> "allowed-origins": [], >>>> "realm_access": { >>>> "roles": [ >>>> "role_special_user", >>>> "offline_access", >>>> "uma_authorization", >>>> "user" >>>> ] >>>> }, >>>> "resource_access": { >>>> "server12": { >>>> "roles": [ >>>> "uma_protection" >>>> ] >>>> }, >>>> "account": { >>>> "roles": [ >>>> "manage-account", >>>> "manage-account-links", >>>> "view-profile" >>>> ] >>>> } >>>> }, >>>> "scope": "openid email profile", >>>> "email_verified": false, >>>> "preferred_username": "user_special"} >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> >