The code is the same as the AdminClient you pointed me to. However, I just tried something based on what you said. In the admin-client oauth client, I went to Scope Mappings and added the user role (which is the security role for the rest services). Now it works. Does this sound right to you? Seems magical...

On Jul 15, 2014, at 3:48 PM, Bill Burke <bburke@redhat.com> wrote:

Please elaborate on your code to obtain a token.  Your client (not user) may not have the scope you need and the token may not be getting set with the desired role mappings.

On 7/15/2014 3:15 PM, Christina Lau wrote:
Hi Bill, further to last comment, i.e. although I can get the token,
when I use it to call the same Rest service, I am getting 403 instead.

I don’t know if this helps or not, but I have also noticed that the
console produced different output:

*Using non-keycloak client (Did not work - get 403)*

15:05:28,228 INFO  [org.keycloak.services.resources.TokenService]
(default task-1) no authorization header
15:05:28,345 INFO  [org.keycloak.audit] (default task-1) event=LOGIN,
realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=admin-client,
userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1,
username=roger@mailinator.com,
response_type=token, auth_method=oauth_credentials,
refresh_token_id=3730424f-a718-4be8-a9fc-a090e5932564,
token_id=dd1bfeaa-54b1-4824-a6fe-d14eb1ae6f97
15:05:28,547 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
task-2) --> authenticate()
15:05:28,548 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
task-2) try bearer
15:05:28,566 INFO
 [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default
task-2) checking whether to refresh.
15:05:28,566 INFO
 [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default
task-2) use realm role mappings
15:05:28,571 INFO
 [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default
task-2) propagate security context to wildfly
15:05:28,571 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
task-2) Bearer AUTHENTICATED


*Using keycloak app (similar to customer-cli sample) (Works)*

15:06:30,254 INFO  [org.keycloak.services.resources.TokenService]
(default task-1) createLogin() now...
15:06:39,965 INFO  [org.keycloak.audit] (default task-2) event=LOGIN,
realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak,
userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1,
username=roger@mailinator.com,
response_type=code, redirect_uri=http://localhost:59999,
auth_method=form, code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946
15:06:39,966 INFO
 [org.keycloak.services.managers.AuthenticationManager] (default
task-2) createLoginCookie
15:06:39,966 INFO
 [org.keycloak.services.managers.AuthenticationManager] (default
task-2) createIdentityToken
15:06:40,092 INFO  [org.keycloak.services.resources.TokenService]
(default task-3) no authorization header
15:06:40,119 INFO  [org.keycloak.audit] (default task-3)
event=CODE_TO_TOKEN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7,
clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783,
ipAddress=127.0.0.1,
refresh_token_id=476b2f86-3df4-4cf6-8d51-55aa70264346,
code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946,
token_id=be0358ab-2c28-4bdc-a95c-681b63095217
15:06:46,567 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
task-4) --> authenticate()
15:06:46,568 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
task-4) try bearer
15:06:46,584 INFO
 [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default
task-4) checking whether to refresh.
15:06:46,584 INFO
 [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default
task-4) use realm role mappings
15:06:46,589 INFO
 [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default
task-4) propagate security context to wildfly
15:06:46,590 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
task-4) Bearer AUTHENTICATED


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
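
Added example, not code from this thread or from Keycloak: both log excerpts end in `Bearer AUTHENTICATED`, so the 403 is an authorization failure, and the quickest check is to decode the access token and see which roles the client's scope actually let into it. The sketch assumes roles are carried in the `realm_access` / `resource_access` claims of the token; the helper names and the sample tokens are constructed for illustration, and `user` is the role named in the thread.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed demo token; the signature part is a placeholder."""
    return ".".join([_b64url({"alg": "RS256"}), _b64url(claims), "c2ln"])


def decode_claims(token: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_roles(claims: dict) -> set:
    """Realm roles plus application roles (prefixed with the application name)."""
    roles = set((claims.get("realm_access") or {}).get("roles", []))
    for app, access in (claims.get("resource_access") or {}).items():
        roles.update(f"{app}:{r}" for r in access.get("roles", []))
    return roles


def diagnose(token: str, required_role: str) -> str:
    """Say whether a service requiring required_role would accept this token."""
    roles = granted_roles(decode_claims(token))
    if required_role in roles:
        return f"ok: token carries '{required_role}'"
    return f"403 expected: '{required_role}' not in token roles {sorted(roles)}"


# Constructed samples: same user, client without and with the scope mapping.
BEFORE = make_sample_token({"sub": "constructed-user-id", "realm_access": {"roles": []}})
AFTER = make_sample_token({"sub": "constructed-user-id", "realm_access": {"roles": ["user"]}})

if __name__ == "__main__":
    print(diagnose(BEFORE, "user"))
    print(diagnose(AFTER, "user"))
```

Use this only to inspect a token you already hold; the service itself must keep verifying the signature before trusting any claim.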