Hello Luca,
In your webapp's Keycloak Client, try putting it as bearer only.
Also, in the HTTP request that you make, be sure you are setting the
token in the header of the HTTP request, with the following parameter:
{"Authorization" : "bearer " + $TOKEN}
Thanks,
JOÃO PAULO RAMOS
Red Hat Brasil
On Thu, Dec 6, 2018 at 11:13 AM Luca Stancapiano <luca.stancapiano(a)vige.it>
wrote:
I'm trying to call via REST through POSTMAN the list of users through the
get path:
http://localhost:8180/auth/admin/realms/school-domain/users
Here is my Keycloak configuration where I create 2 users, 4 roles, a 'school'
client and a 'school-domain' realm:
{
  "realm": "school-domain",
  "enabled": true,
  "accessTokenLifespan": 60,
  "accessCodeLifespan": 60,
  "accessCodeLifespanUserAction": 300,
  "ssoSessionIdleTimeout": 600,
  "ssoSessionMaxLifespan": 36000,
  "sslRequired": "external",
  "registrationAllowed": true,
  "resetPasswordAllowed": true,
  "editUsernameAllowed": true,
  "loginWithEmailAllowed": false,
  "duplicateEmailsAllowed": true,
  "privateKey":
"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",
  "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "requiredCredentials": [
    "password"
  ],
  "users": [
    {
      "username": "root",
      "enabled": true,
      "email": "lsflashboss62(a)gmail.com",
      "credentials": [
        {
          "type": "password",
          "value": "gtn"
        }
      ],
      "realmRoles": [
        "admin"
      ],
      "clientRoles": {
        "account": [
          "manage-account"
        ]
      }
    },
    {
      "username": "HUHUJJJKJJKN",
      "enabled": true,
      "email": "luca.stancapiano(a)vige.it",
      "firstName": "Luca",
      "lastName": "Stancapiano",
      "credentials": [
        {
          "type": "password",
          "value": "gtn"
        }
      ],
      "realmRoles": [
        "pupil"
      ],
      "clientRoles": {
        "account": [
          "manage-account"
        ]
      }
    }
  ],
  "clients": [
    {
      "clientId": "school",
      "rootUrl": "http://localhost:8080/school",
      "enabled": true,
      "redirectUris": [
        "http://localhost:8080/school/*"
      ],
      "webOrigins": [
        "http://localhost:8080"
      ],
      "publicClient": false,
      "secret": "bce5816d-98c4-404f-a18d-bcc5cb005c79",
      "serviceAccountsEnabled": true,
      "authorizationServicesEnabled": true,
      "authorizationSettings": {
        "allowRemoteResourceManagement": true,
        "policyEnforcementMode": "ENFORCING",
        "resources": [
          {
            "name": "Default Resource",
            "type": "urn:school:resources:default",
            "ownerManagedAccess": false,
            "attributes": {},
            "_id": "c338b2be-da73-471c-9bb0-77ad52e1f88f",
            "uris": [
              "/*"
            ]
          }
        ],
        "policies": [
          {
            "id": "edb01393-180e-4d95-afd3-92b3ac5a6d41",
            "name": "Default Policy",
            "description": "A policy that grants access only for users within this realm",
            "type": "js",
            "logic": "POSITIVE",
            "decisionStrategy": "AFFIRMATIVE",
            "config": {
              "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
            }
          },
          {
            "id": "1f5dce97-54e3-4dcf-92bd-a2a59120286f",
            "name": "Default Permission",
            "description": "A permission that applies to the default resource type",
            "type": "resource",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "defaultResourceType": "urn:school:resources:default",
              "applyPolicies": "[\"Default Policy\"]"
            }
          }
        ],
        "scopes": []
      }
    }
  ],
  "roles": {
    "realm": [
      {
        "name": "admin",
        "description": "Administrator privileges"
      },
      {
        "name": "schooloperator",
        "description": "School Operator privileges"
      },
      {
        "name": "teacher",
        "description": "Teacher privileges"
      },
      {
        "name": "pupil",
        "description": "Pupil privileges"
      }
    ]
  }
}
Keycloak starts on the 8180 port. I configured POSTMAN with OAuth 2.0.
Here is the OAuth configuration used to receive the token:
Token Name: Token Name
Grant Type: Authorization Code
Callback URL: http://localhost:8080/school
Auth URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/auth
Access Token URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/t...
Client ID: school
Client Secret: bce5816d-98c4-404f-a18d-bcc5cb005c79
Client Authentication: Send as Basic Auth header
The Callback URL is an active simple web app starting on the 8080 port.
The token creation is ok but when I call the server with the created token
I get a 401 Unauthorized error. What am I missing?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
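
Added example, not part of the original thread: a small Python helper that decodes (without verifying) a Keycloak access token so the fields relevant to a 401 can be checked before the request is sent. It reports the seconds left before expiry, whether the issuer matches the realm, and any roles granted on Keycloak's realm-management client. The function names and the sample token are constructed for illustration, and the issuer URL is an assumption derived from the URLs in the post.

```python
import base64
import json
import time

# Assumption: issuer derived from the URLs in the post (<base>/realms/<realm>).
EXPECTED_ISSUER = "http://localhost:8180/auth/realms/school-domain"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_access_token(token, now=None, expected_issuer=EXPECTED_ISSUER):
    """Decode a JWT access token for debugging. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    roles = claims.get("resource_access", {}).get("realm-management", {}).get("roles", [])
    return {
        "seconds_left": int(claims["exp"] - now),  # <= 0 means already expired
        "issuer_ok": claims.get("iss") == expected_issuer,
        "realm_management_roles": sorted(roles),
        "authorization_header": "Bearer " + token,
    }


def make_sample_token(issued_at, lifespan=60):
    """Constructed sample token; lifespan mirrors accessTokenLifespan in the post."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": EXPECTED_ISSUER, "iat": issued_at, "exp": issued_at + lifespan,
               "azp": "school",
               "resource_access": {"account": {"roles": ["manage-account"]}}}
    # The third segment is a placeholder, not a real signature.
    return enc(header) + "." + enc(payload) + ".constructed-signature"


if __name__ == "__main__":
    sample = make_sample_token(issued_at=1544100000)
    print(inspect_access_token(sample, now=1544100000 + 30))  # inside the 60 s window
    print(inspect_access_token(sample, now=1544100000 + 90))  # after expiry
```

With the 60-second accessTokenLifespan from the realm export, a token fetched in Postman and reused a minute or more later shows a non-positive seconds_left.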