I made sure of all that, I just recreated everything using realm roles just for the sake of completeness, but I'm still getting a 403


On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva) <vivsriva@cisco.com> wrote:
Make sure you have the following settings configured for your database service:





In the web.xml, make sure you have the security setup with the appropriate user role:
<?xml version="1.0" encoding="UTF-8"?>
      version="3.0">

<module-name>database</module-name>
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
<!--        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>  -->
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>demo</realm-name>
    </login-config>

    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>



From: Rodrigo Sasaki <rodrigopsasaki@gmail.com>
Date: Tuesday, July 29, 2014 at 12:51 PM
To: Bill Burke <bburke@redhat.com>
Cc: "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Bearer Only Application access with token

It is defined under the application itself, so I it's under the scope. This should be working right?


On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke@redhat.com> wrote:
What kind of role is it?  Is the new role defined under the
"database-service" application?  If not, then you must add this role to
the "database-service"'s scope in the admin console.

On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
> Hi,
>
> I'm trying to secure a bearer-only application with keycloak, to access
> it with access tokens, but I think I'm missing something.
>
> I tried it with the database-service of the unconfigured demo.
>
> 1. I created the user role in the application.
> 2. I assigned that role to my user
> 3. I copied the contents of the installation json to
> *webapp/META-INF/keycloak.json*
>
> {
>      "realm": "demo",
>      "realm-public-key":
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
>      "bearer-only": true,
>      "ssl-not-required": true,
>      "resource": "database-service",
>      "use-resource-role-mappings": true
> }
>
> 4. Set the auth-method to *KEYCLOAK* on web.xml
> 5. Started the server deploying the *database-service*
> 6. Generated a token using *security-admin-console* client_id and my user
> 7. Submitted a GET request to /localhost:8080/database/customers/
>
> After these steps I get a 403 error, saying that I'm not authorized to
> access the resource, wasn't this supposed to work?
>
> --
> Rodrigo Sasaki
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user



--
Rodrigo Sasaki



--
Rodrigo Sasaki