Pedro,

*2 queries*

*1.* After importing your updated realm, and trying to access
localhost:7200/myapp/secure/role, *according to the configuration, only
specialuser should be allowed to access this URL, but I was able to access
this URL with other users as well (jdoe and alice). Also for all 3 users, I
was getting only 1 item in the permission list, i.e. Protected Resource*:
[Permission {id=ce71e506-d2f5-4c8b-8c2b-00f282bfb7d5, name=Protected
Resource, scopes=[urn:servlet-authz:protected:resource:access]}]
At your end, was the behavior as expected, i.e. only specialuser is able to
access this URL and the permission list contains Special Resource?

*2.* I am not updating URIs except for the first time, when I had to
change the port number in the imported realm, and I started my client app after
making this change. No change in URLs was done after starting the client
app. Also, when I put:
"path-cache": {
  "lifespan": 0,
  "max-entries": 0
}
I start getting 403 for every URL and every user. But even weirder is
point 1. If we can understand the behavior in point 1, we can resolve
it.
On Tue, Aug 28, 2018 at 11:42 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Running the app in a separate server is not a problem.

If you delete the "Protected Resource" you will get 403 because there is
no resource granting access to "/", "/index.jsp" or
"/protected/*".

Maybe what you are trying to achieve is some way to update URIs in Keycloak
and have those changes recognized by the policy enforcer in front of your
app? If so, you can disable the cache of paths/uris by adding the following
config to your policy-enforcer in keycloak.json:

"path-cache": {
  "lifespan": 0,
  "max-entries": 0
}

This will make the PEP invoke the server all the time for resource and path
mapping.

By default, resource/path mapping is enabled and that avoids hits to the
server in order to fetch resources and their uris.
On Tue, Aug 28, 2018 at 12:27 PM, keycloak demo <testoauth55(a)gmail.com>
wrote:
> Thanks Pedro for the quick turnaround.
>
> I have taken a keycloak 4.3 installation. I imported the new realm and ran
> the app. However, I am still facing the same issue. *I am able to login with
> special user. But I am also able to login with jdoe (premium user) and
> alice (normal user) when actually only special user should be allowed and
> the other 2 denied.* Also, in all 3 cases, I get only 1 item in the permission
> list, i.e. Protected resource (resource with URI: */**):
>
> [Permission {id=ce71e506-d2f5-4c8b-8c2b-00f282bfb7d5, name=Protected
> Resource, scopes=[urn:servlet-authz:protected:resource:access]}]
>
> *ALSO, I had to make a couple of changes for the realm to work:*
>
> *1.* Just like I mentioned in my previous email, I changed the port number
> in the client URLs to 7200 as my app is running on jetty on a different
> port outside keycloak. *(Could this be the reason, that the app is running on
> a different port and keycloak/wildfly is running on a different port?)*
>
> *2.* The second change I did was to make Valid Redirect URI * in Client
> settings. I was getting 400 on specifying http://localhost:7200/myapp/* *(could
> this be an issue?)*
>
> NOTE: 403 would start coming if I delete the resource named Protected
> Resource.
>
>
> On Tue, Aug 28, 2018 at 7:20 PM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hi,
>>
>> Could you please check the changes I did in this branch
>> https://github.com/pedroigor/keycloak-quickstarts/tree/tmp ?
>>
>> Basically, I have modified the realm settings to:
>>
>> * Include a new user granted with a "special" realm role
>> * Include a new "Special Resource" mapping to "/secure/role/*"
>> * Include a permission for "Special Resource" granting access only to
>> users with the "special" role
>>
>> It seems to be working fine, but maybe I'm still missing something.
>> It would be nice if you could look at my changes, import the realm settings
>> and check how it is working.
>>
>> In addition to that, could you please try running Keycloak 4.3.0.Final?
>>
>> Regards.
>> Pedro Igor
>>
>>
>> On Tue, Aug 28, 2018 at 2:37 AM, keycloak demo <testoauth55(a)gmail.com>
>> wrote:
>>
>>> Thanks Pedro for the update.
>>>
>>> Just to add details to my previous mail: From the sample app /
>>> quickstart app-authz-jee-servlet
>>> <https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-je...>:
>>> I use the *jdoe* user to login, which has premium permissions, but when I
>>> debug, I get only Protected resource in the permission list:
>>>
>>> *Permission {id=1ace954c-3de5-4f33-83f7-2822ce2b35fe, name=Protected
>>> Resource, scopes=[urn:servlet-authz:protected:resource:access]}*
>>>
>>> The only change I have done in the realm imported from the sample is replacing the root
>>> & base url in the client: http://localhost:8080/authz-servlet with
>>> http://localhost:7200/myapp
>>> and the premium resource URI: /protected/premium/* with /secure/role/*
>>>
>>> (The URL I am accessing with the above config and user jdoe on my client
>>> app is: http://localhost:7200/myapp/secure/role)
>>>
>>> Could this be an issue, that in my case my client app is running on a
>>> different port (as it is outside the wildfly server that is running
>>> keycloak)?
>>>
>>> On Mon, Aug 27, 2018 at 7:30 PM Pedro Igor Silva <psilva(a)redhat.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks for continuing to look at this. Let's do this, I'll do the same
>>>> steps using Jetty to reproduce the issue, will let you know during this
>>>> week once I have something to share.
>>>>
>>>> Another weird thing is that the example actually should return all
>>>> permissions and make them available after the login. Will check how this is
>>>> working with Jetty too. The tests we have in the quickstarts are
>>>> wildfly based ....
>>>>
>>>> On Mon, Aug 27, 2018 at 8:22 AM, keycloak demo <testoauth55(a)gmail.com>
>>>> wrote:
>>>>
>>>>> I have tried 1 more thing: I have imported the realm from one of the
>>>>> keycloak quickstarts
>>>>> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-je... and
>>>>> only replaced the URLs with my application URLs.
>>>>>
>>>>> But I get the same error *if* I remove the resource containing URI
>>>>> */** (resource name is: *Protected Resource*). Furthermore, if I
>>>>> keep this resource (/*), I am able to authorize a user but putting a
>>>>> debugger in the client app showed that the authContext Permission list contains
>>>>> only 1 resource, i.e. Protected Resource. Although the user which
>>>>> authenticated was assigned the role contained in resource name: Premium
>>>>> Resource. So ideally the Permission list must have contained this resource
>>>>> as well. (I am mentioning the names - Protected, Premium as mentioned in
>>>>> the keycloak quick start). I put in the /* URI in my original app and the 403
>>>>> stopped. But the permission array contained only this resource (with
>>>>> URI /*)
>>>>>
>>>>> java.util.List<Permission> perms = authzContext.getPermissions();
>>>>>
>>>>> *To summarize the above test:*
>>>>> *I get a 403 error if a resource containing URI /* is not present. If a
>>>>> URI containing /* is present, then I get only this resource in the
>>>>> Permissions Array / List in the java client app even if the resource with
>>>>> a specific URI like /app/secure contains a valid role/policy/permission. Also
>>>>> the evaluate API available under the Authorization option shows the result as
>>>>> permit.*
>>>>>
>>>>> *Screenshots present here:
>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error...*
>>>>>
>>>>>
>>>>> On Mon, Aug 20, 2018 at 12:07 PM keycloak demo <testoauth55(a)gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Pedro,
>>>>>>
>>>>>> Yes, default permissions grant access to any resource in my
>>>>>> application (uri == /*). But the problem starts when I specify a resource with
>>>>>> a specific URI (as described in the configuration in my previous email and also
>>>>>> here:
>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>> ).
>>>>>>
>>>>>> Just to summarize the real problem:
>>>>>>
>>>>>> Apart from the default resource having `/*`, I have a second resource
>>>>>> having URI: /secure/role/* and this resource also has a role
>>>>>> based policy to allow access to only users having role "special", the
>>>>>> expected behavior is that the users who don't have role "special" should not be
>>>>>> able to access this resource, right?
>>>>>>
>>>>>> But I am able to access this resource with any user, any role. So I
>>>>>> thought that maybe the default resource URI with '/*' is overriding the behavior
>>>>>> of the second resource, so I changed the default resource URI to '/test/*', and
>>>>>> then I started receiving a 403 error for accessing both '/test' as well as
>>>>>> the second resource '/secure/role/*' for all users including the user
>>>>>> with the "special" role assigned.
>>>>>>
>>>>>> I looked into the realm resource configuration in one of the quick
>>>>>> starts and the only difference I found was that the quick start resources
>>>>>> specify a scope in each of the resources whereas I have kept it blank. Could this
>>>>>> be an issue?
>>>>>>
>>>>>> I understand you already spent time in trying to resolve this but the
>>>>>> problem still persists.
>>>>>>
>>>>>> On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo <testoauth55(a)gmail.com> wrote:
>>>>>>>
>>>>>>>> Pedro,
>>>>>>>>
>>>>>>>> After further debugging I found out that the following line in
>>>>>>>> keycloak json is causing the issue: "policy-enforcer": {}. If I
>>>>>>>> remove this line, then the 403 error is removed but I guess doing this disables
>>>>>>>> authorization altogether. 2 questions on this:
>>>>>>>> 1. When I have configured policies on the Admin console under the
>>>>>>>> authorization tab, why is this empty?
>>>>>>>>
>>>>>>>
>>>>>>> I'm not sure. When you enable authorization services for a client,
>>>>>>> default resources/permissions are created, where these permissions grant
>>>>>>> access to any resource in your application (uri == /*).
>>>>>>>
>>>>>>>
>>>>>>>> 2. Is there a way to put some default values (not manually) in
>>>>>>>> here to make authorization work?
>>>>>>>>
>>>>>>>
>>>>>>> Like I said, when you just enable the authorization services
>>>>>>> switch, default settings are created automatically.
>>>>>>>
>>>>>>> Did you try to run any of our quickstarts?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Yeah, it should be relative. I was wondering if the correct URI
>>>>>>>>> would be '/keycloak/secure/role' instead.
>>>>>>>>>
>>>>>>>>> In any case, I would ask you to try the same deployment using
>>>>>>>>> tomcat or wildfly to see how it goes. We have a few quickstarts running on
>>>>>>>>> these two. Maybe you could also try to enable DEBUG log level to see how
>>>>>>>>> the policy enforcer is matching URIs to your resources.
>>>>>>>>>
>>>>>>>>> If none of them work, I can give it a try and run jetty.
>>>>>>>>>
>>>>>>>>> Regards.
>>>>>>>>> Pedro Igor
>>>>>>>>>
>>>>>>>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <testoauth55(a)gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Pedro, thanks for replying. I tried putting the absolute URI, but
>>>>>>>>>> it does not work either. The documentation anyway states that the URI in
>>>>>>>>>> a resource can be relative to the client root URL, which I have configured to be
>>>>>>>>>> http://localhost:7200/{app}/keycloak, therefore
>>>>>>>>>> putting the relative URI '/secure/role' in the resource should be
>>>>>>>>>> equivalent to putting the absolute URI:
>>>>>>>>>> 'http://localhost:7200/{app}/keycloak/secure/role'. Do you
>>>>>>>>>> think there is something else I can try?
>>>>>>>>>>
>>>>>>>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Your configuration looks correct. But I
noticed that in the
>>>>>>>>>>> postman request you are sending requests to
`
>>>>>>>>>>>
http://localhost:7200/{app}/keycloak/secure/role`
>>>>>>>>>>>
<
http://localhost:7200/%7Bapp%7D/keycloak/secure/role>.
>>>>>>>>>>> However in your resource definition the URI
is configured to
>>>>>>>>>>> `/secure/role`. Both URIs should match
otherwise the adapter won't be able
>>>>>>>>>>> to map the URI in your application to a
resource in Keycloak (and related
>>>>>>>>>>> permissions).
>>>>>>>>>>>
>>>>>>>>>>> Regards.
>>>>>>>>>>> Pedro Igor
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo
<
>>>>>>>>>>> testoauth55(a)gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> With all the configuration (shared below), when I test using
>>>>>>>>>>>> the evaluate option under the authorization tab, the result is
>>>>>>>>>>>> permit:
>>>>>>>>>>>>
>>>>>>>>>>>> *But when I make a request to this resource through postman, I
>>>>>>>>>>>> get 403.*
>>>>>>>>>>>>
>>>>>>>>>>>> *Which part of the configuration is wrong, which is leading to the 403
>>>>>>>>>>>> error?*
>>>>>>>>>>>>
>>>>>>>>>>>> CONFIGURATION:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> *Detailed configuration with images shown here:*
>>>>>>>>>>>>
>>>>>>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error...
>>>>>>>>>>>>
>>>>>>>>>>>> *1.* Following
>>>>>>>>>>>> https://www.keycloak.org/docs/4.2/authorization_services/ , I
>>>>>>>>>>>> created a realm role: *role_special_user* and created a user:
>>>>>>>>>>>> *user_special* with this role and role *user*.
>>>>>>>>>>>>
>>>>>>>>>>>> *2.* Next, my resource server / client is with *full scope
>>>>>>>>>>>> enabled*:
>>>>>>>>>>>>
>>>>>>>>>>>> *3.* Under the authorization tab, I created a resource with the
>>>>>>>>>>>> role based policy:
>>>>>>>>>>>>
>>>>>>>>>>>> *4.* Now, keycloak json is:
>>>>>>>>>>>>
>>>>>>>>>>>> {
>>>>>>>>>>>>   "realm": "demo12",
>>>>>>>>>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>>>>>>>>>   "ssl-required": "none",
>>>>>>>>>>>>   "resource": "server12",
>>>>>>>>>>>>   "credentials": {
>>>>>>>>>>>>     "secret": "XXXXXXX"
>>>>>>>>>>>>   },
>>>>>>>>>>>>   "confidential-port": 0,
>>>>>>>>>>>>   "policy-enforcer": {}
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> *5.* And the Keycloak Jetty adapter configuration is:
>>>>>>>>>>>>
>>>>>>>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>>>>>>>>> InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>>>>>>>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>>>>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>>>>>>>> // parse keycloak.json into the adapter configuration
>>>>>>>>>>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>>>>>>>> // wire the parsed adapter config into the Jetty authenticator
>>>>>>>>>>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>>>>>>>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>>>>>>>>> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>>>>>>>> ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>>>>>>> constraintMapping.setPathSpec("/*");
>>>>>>>>>>>> Constraint constraint = new Constraint();
>>>>>>>>>>>> constraint.setAuthenticate(true);
>>>>>>>>>>>> constraint.setRoles(new String[]{"**"}); // any authenticated user
>>>>>>>>>>>> constraintMapping.setConstraint(constraint);
>>>>>>>>>>>> securityHandler.addConstraintMapping(constraintMapping);
>>>>>>>>>>>> securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>>>>>>> context.setSecurityHandler(securityHandler);
>>>>>>>>>>>>
>>>>>>>>>>>> *6.* Also, the decoded jwt token sample is:
>>>>>>>>>>>>
>>>>>>>>>>>> {
>>>>>>>>>>>>   "jti": "XXXXXXX",
>>>>>>>>>>>>   "exp": 1533798704,
>>>>>>>>>>>>   "nbf": 0,
>>>>>>>>>>>>   "iat": 1533798404,
>>>>>>>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>>>>>>>   "aud": "server12",
>>>>>>>>>>>>   "sub": "XXXXXXX",
>>>>>>>>>>>>   "typ": "Bearer",
>>>>>>>>>>>>   "azp": "server12",
>>>>>>>>>>>>   "auth_time": 1533798404,
>>>>>>>>>>>>   "session_state": "XXXXXX",
>>>>>>>>>>>>   "acr": "1",
>>>>>>>>>>>>   "allowed-origins": [],
>>>>>>>>>>>>   "realm_access": {
>>>>>>>>>>>>     "roles": [
>>>>>>>>>>>>       "role_special_user",
>>>>>>>>>>>>       "offline_access",
>>>>>>>>>>>>       "uma_authorization",
>>>>>>>>>>>>       "user"
>>>>>>>>>>>>     ]
>>>>>>>>>>>>   },
>>>>>>>>>>>>   "resource_access": {
>>>>>>>>>>>>     "server12": {
>>>>>>>>>>>>       "roles": [
>>>>>>>>>>>>         "uma_protection"
>>>>>>>>>>>>       ]
>>>>>>>>>>>>     },
>>>>>>>>>>>>     "account": {
>>>>>>>>>>>>       "roles": [
>>>>>>>>>>>>         "manage-account",
>>>>>>>>>>>>         "manage-account-links",
>>>>>>>>>>>>         "view-profile"
>>>>>>>>>>>>       ]
>>>>>>>>>>>>     }
>>>>>>>>>>>>   },
>>>>>>>>>>>>   "scope": "openid email profile",
>>>>>>>>>>>>   "email_verified": false,
>>>>>>>>>>>>   "preferred_username": "user_special"
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>
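The behaviour Pedro describes across this thread (the adapter maps the request path to a resource URI, evaluates that resource's role policy, and consults a path cache that `lifespan: 0` / `max-entries: 0` turns off), as an added simplified Python model; it is not Keycloak's own code, the resource and role names are constructed after the quickstart realm, and the cache ignores time-based expiry.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    uris: list                                         # e.g. ["/secure/role/*"]
    required_roles: set = field(default_factory=set)   # empty: any authenticated user

def uri_matches(pattern, path):
    """Exact match, or prefix match for a pattern ending in '/*' (the only wildcard modelled)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return False

class PolicyEnforcer:
    """Stand-in for the adapter's PEP: request path -> resource -> decision."""
    def __init__(self, resources, path_cache=None):
        self.resources = resources        # plays the role of the resources registered in Keycloak
        cfg = path_cache or {"lifespan": 30000, "max-entries": 1000}
        # lifespan 0 / max-entries 0 is the "always ask the server" setting from the thread
        self.cache_enabled = cfg["lifespan"] > 0 and cfg["max-entries"] > 0
        self._cache = {}

    def match(self, path):
        if self.cache_enabled and path in self._cache:
            return self._cache[path]
        best = None
        for res in self.resources:
            for uri in res.uris:
                if uri_matches(uri, path) and (best is None or len(uri) > len(best[1])):
                    best = (res, uri)     # most specific (longest) URI wins
        hit = best[0] if best else None
        if self.cache_enabled:
            self._cache[path] = hit
        return hit

    def enforce(self, path, roles):
        """Return (HTTP status, names of the resources the user was granted)."""
        res = self.match(path)
        if res is None:
            return 403, []                # nothing maps the path: deny
        if res.required_roles and not (res.required_roles & set(roles)):
            return 403, []                # role-based policy denies
        return 200, [res.name]

def stale_cache_demo(path_cache=None):
    """Map /secure/role once, move the resource URI in 'Keycloak', then see what the PEP maps now."""
    special = Resource("Special Resource", ["/secure/role/*"], {"special"})
    pep = PolicyEnforcer([Resource("Protected Resource", ["/*"]), special], path_cache)
    pep.match("/secure/role")             # first lookup fills the cache (when enabled)
    special.uris = ["/secure/admin/*"]    # URI changed in Keycloak after the adapter started
    return pep.match("/secure/role").name
```

With the default cache a URI moved on the server keeps mapping to the stale resource until the adapter restarts; with the zero settings the next lookup sees the change.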