Thanks for this very informative answer.

I will stick with the application being confidential as you have explained that this is more correct.

However, WRT roles. 

I have a realm role defined as ‘user’.
The client has this role as an ‘Effective role’ in the admin screens. Full scope allowed is off, and there are no application roles assigned (nor are they available).
I have the following in my web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>shift</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
and

<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>shift</realm-name>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>
Is this correct? Have I missed something?

BTW Thanks for the help and thanks for Keycloak - It really is awesome!

Conrad

On 22 Sep 2014, at 09:05, Stian Thorgersen <stian@redhat.com> wrote:



----- Original Message -----
From: "Conrad Winchester" <conrad@mindless.com>
To: keycloak-user@lists.jboss.org
Sent: Monday, 22 September, 2014 8:45:11 AM
Subject: [keycloak-user] 1.0.1 Problems & Questions

Hi all,

I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some
serious issues.

First a question: when will keycloak-core 1.0.1 be available from maven
central? I am having to use 1.0-final in my war - is that compatible with
1.0.1 keycloak war - which is running on my server.

Should have been there by now (it should be synced within 24h of a release), I've contacted the guys in charge to figure out what's going on. In the meantime you could add JBoss Nexus (https://developer.jboss.org/wiki/MavenRepository) and get it from there.


I upgraded by doing a complete wipe of the keycloak database, and
reinstalling 1.0.1 over my WildFly configuration. I am able to use the
keycloak admin screens flawlessly.

Now onto my problem.

In 1.0.3-beta I used to have an access type bearer-only application which used
the rest api to register and login users to keycloak.

After upgrading I have found that even if I set the application to be
bearer-only, keycloak still throws an invalid redirect uri error whenever I
try to use the rest end points (surely this should not happen with a
bearer-only application). In order to fix this I have moved the application
over to access type confidential (it is sitting on the same server as
keycloak) - are there any pointers to the correct config for this in 1.0.1?
Basically my application is the backend to a mobile app that is using
keycloak for access control - at the moment I am not allowed to use the
keycloak login/register screens so must proxy it through the server. I am
now able to register users using this configuration, but would prefer to go
back to bearer-only

Bearer-only applications should not be able to register or login users at all, they should only be able to authenticate using bearer tokens.


I also have a Direct Grant Only client which I use for the mobile application
itself. I am able to get an access token by using the
TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
access a resource with that bearer token set in the header I am still
getting an unauthorised response.

My application's keycloak.json looks like this

{
  "realm": "shift",
  "realm-public-key": "**",
  "auth-server-url": "http://.../auth",
  "ssl-required": "none",
  "resource": "shift-server",
  "credentials": {
    "secret": "**"
  }
}

and my client JSON looks like this (although this is not put anywhere in my
application war)

{
  "realm": "shift",
  "realm-public-key": "***",
  "auth-server-url": "http://.../auth",
  "ssl-required": "none",
  "resource": "shift-ios",
  "public-client": true
}

I can log in with a correct username and password setting the client id to
‘shift-ios’. However when I try to access a protected resource like this

GET /shift/feed HTTP/1.1
Host: www…..com
Connection: keep-alive
Accept: */*
User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
Accept-Language: en-us
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
Accept-Encoding: gzip, deflate

where the Bearer header is the access token I get from logging in, then I get
a 403 unauthorised response.

From a 403 it should mean that the application has successfully authenticated the user, but it doesn't have the correct roles.

Have you checked that the application you used to obtain the login has the required scope, that the user has the required role mappings, and that your bearer-only application is configured to use the correct roles (it can use either the roles associated with the resource or the realm; 'use-resource-role-mappings' configures this and it defaults to false, which means it uses realm roles).


This used to work perfectly in beta 3, but I seem unable to make this work in
1.0(.1) final.

Could this be because I am using 1.0-core instead of 1.0.1-core?

Please help, as this has stopped all work on the product, and I am completely
stuck. What's the best way to go about debugging this?

Conrad


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
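Editor's note, added to this thread and not code from either poster or from the Keycloak adapters: the two points above (Stian's explanation that a 403 means the bearer token was accepted but carried none of the roles the adapter consulted, with 'use-resource-role-mappings' selecting realm roles or the client's own roles, and Conrad's question whether the web.xml <auth-constraint> on role 'user' is right) can be checked directly on the token the mobile client sends. The script below decodes the payload of a Keycloak access token and reproduces that role decision for a URL protected by <role-name>user</role-name>. Assumptions: the token payload is constructed here (the realm URL, subject and exp are placeholders, and the token is unsigned) so the script runs offline; signature verification against realm-public-key is deliberately left out, so this is a debugging aid, not an authorization filter; the 401/403 mapping follows Stian's description rather than adapter source.

```python
import base64
import json
import time

# Added example: inspect which role set a Keycloak adapter would consult for a
# bearer token, and what status a web.xml <auth-constraint> would yield.
# No signature check is performed (the real adapter verifies RS256 against
# realm-public-key before any role check and rejects failures with 401).


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Constructed test token in JWS compact form with an empty signature.
    Only for feeding decode_payload(); real Keycloak tokens are RS256-signed."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def roles_seen_by_adapter(payload: dict, resource: str,
                          use_resource_role_mappings: bool = False) -> set:
    """Mirror the use-resource-role-mappings switch: realm roles by default
    (realm_access.roles), otherwise the client's own roles under
    resource_access[<resource>].roles."""
    if use_resource_role_mappings:
        client = payload.get("resource_access", {}).get(resource, {})
        return set(client.get("roles", []))
    return set(payload.get("realm_access", {}).get("roles", []))


def authorize(authorization_header, resource, required_roles,
              use_resource_role_mappings=False, now=None):
    """Status a bearer request would get for a URL whose <auth-constraint>
    lists required_roles. 401: no usable token; 403: token accepted but none
    of the required roles is present in the role set the adapter consulted."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401
    try:
        payload = decode_payload(authorization_header[len("Bearer "):].strip())
    except ValueError:          # bad base64, bad JSON, wrong part count
        return 401
    now = time.time() if now is None else now
    if "exp" in payload and payload["exp"] <= now:
        return 401
    granted = roles_seen_by_adapter(payload, resource, use_resource_role_mappings)
    return 200 if granted & set(required_roles) else 403


# Constructed payload in the shape Keycloak issues: realm role "user" mapped,
# no client-level roles for shift-server (matches "no application roles
# assigned" in the thread). Issuer host and exp are placeholders.
SAMPLE_PAYLOAD = {
    "iss": "http://keycloak.example/auth/realms/shift",
    "sub": "user-id-placeholder",
    "exp": 2_000_000_000,
    "realm_access": {"roles": ["user"]},
    "resource_access": {},
}


def demo():
    hdr = "Bearer " + make_unsigned_token(SAMPLE_PAYLOAD)
    required = ["user"]            # the web.xml <role-name>user</role-name>
    return {
        # default use-resource-role-mappings=false: realm role "user" satisfies it
        "realm_roles_default": authorize(hdr, "shift-server", required, now=1_700_000_000),
        # use-resource-role-mappings=true: shift-server has no client roles -> 403
        "resource_roles_enabled": authorize(hdr, "shift-server", required,
                                            use_resource_role_mappings=True,
                                            now=1_700_000_000),
        "expired": authorize(hdr, "shift-server", required, now=2_000_000_001),
        "no_header": authorize(None, "shift-server", required),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real token by replacing the demo's constructed header with the value from the failing request (after the word Bearer); if roles_seen_by_adapter() returns an empty set for the setting your keycloak.json uses, the 403 is explained by a scope or role-mapping gap on the client that issued the token rather than by the web.xml.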