Re: [keycloak-user] Bearer Only Application access with token

Make sure you have the following settings configured for your database service: In the web.xml, make sure you have the security setup with the appropriate user role: <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> <module-name>database</module-name> <security-constraint> <web-resource-collection> <url-pattern>/*</url-pattern> </web-resource-collection> <!-- <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> --> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>KEYCLOAK</auth-method> <realm-name>demo</realm-name> </login-config> <security-role> <role-name>user</role-name> </security-role> </web-app> From: Rodrigo Sasaki <rodrigopsasaki(a)gmail.com&gt; Date: Tuesday, July 29, 2014 at 12:51 PM To: Bill Burke <bburke(a)redhat.com&gt; Cc: &quot;keycloak-user(a)lists.jboss.org&quot; <keycloak-user(a)lists.jboss.org&gt; Subject: Re: [keycloak-user] Bearer Only Application access with token It is defined under the application itself, so I it's under the scope. This should be working right? On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke(a)redhat.com&gt; wrote: > What kind of role is it? Is the new role defined under the > "database-service" application? If not, then you must add this role to > the "database-service"'s scope in the admin console. > > On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote: > > Hi, > > > > I'm trying to secure a bearer-only application with keycloak, to access > > it with access tokens, but I think I'm missing something. > > > > I tried it with the database-service of the unconfigured demo. > > > > 1. I created the user role in the application. > > 2. I assigned that role to my user > > 3. I copied the contents of the installation json to > > *webapp/META-INF/keycloak.json* > > > > { > > "realm": "demo", > > "realm-public-key": > > > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB", > > "bearer-only": true, > > "ssl-not-required": true, > > "resource": "database-service", > > "use-resource-role-mappings": true > > } > > > > 4. Set the auth-method to *KEYCLOAK* on web.xml > > 5. Started the server deploying the *database-service* > > 6. Generated a token using *security-admin-console* client_id and my > user > > 7. Submitted a GET request to /localhost:8080/database/customers/ > > > > After these steps I get a 403 error, saying that I'm not authorized to > > access the resource, wasn't this supposed to work? > > > > -- > > Rodrigo Sasaki > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Rodrigo Sasaki