Pedro,
After further debugging I found out that the following line in keycloak json is
causing the issue: "policy-enforcer": {}. If I remove this line, then the 403
error is removed, but I guess doing this disables authorization altogether.
Two questions on this:
1. When I have configured policies on the Admin console under the
authorization tab, why is this empty?
2. Is there a way to put some default values (not manually) in here to make
authorization work?
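Added example, not taken from this thread or from the Keycloak project: the same keycloak.json with an explicit "policy-enforcer" section in place of the empty {}. An empty object turns the policy enforcer on with its defaults, so the adapter resolves which request paths are protected from the resources registered under the client's Authorization tab in the admin console; the "paths" array states that mapping in the adapter configuration itself, which makes it visible which request path is expected to correspond to which Keycloak resource. The realm, client and secret values are carried over from the thread, and RESOURCE_NAME_AS_REGISTERED_IN_KEYCLOAK is a placeholder for the resource name created in the admin console (JSON carries no comments, so the placeholder is labelled by its name):

```json
{
  "realm": "demo12",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "none",
  "resource": "server12",
  "credentials": {
    "secret": "XXXXXXX"
  },
  "confidential-port": 0,
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "RESOURCE_NAME_AS_REGISTERED_IN_KEYCLOAK",
        "path": "/secure/role"
      }
    ]
  }
}
```

The "path" value is matched against the request path the adapter sees inside the application, not against the full URL typed into Postman, so whether "/secure/role" or "/keycloak/secure/role" is right depends on how the application is deployed; DEBUG logging on the enforcer shows the path it actually compared. While diagnosing, "enforcement-mode": "PERMISSIVE" lets requests whose path matches no resource through instead of answering 403, which separates a path-mapping problem from a policy-evaluation problem; switch back to "ENFORCING" once the mapping is confirmed.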
On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Yeah, it should be relative. I was wondering if the correct URI would
be '/keycloak/secure/role' instead.
In any case, I would ask you to try the same deployment using tomcat or
wildfly to see how it goes. We have a few quickstarts running on these two.
Maybe you could also try to enable DEBUG log level to see how the policy
enforcer is matching URIs to your resources.
If none of them work, I can give a try and run jetty.
Regards.
Pedro Igor
On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <testoauth55(a)gmail.com>
wrote:
> Pedro, thanks for replying. I tried putting the absolute URI, but it does
> not work either. The documentation anyway states that the URI in resource
> can be relative to client root URL which I have configured to be
> http://localhost:7200/{app}/keycloak, therefore putting relative URI
> '/secure/role' in resource should be equivalent to putting absolute URI:
> http://localhost:7200/{app}/keycloak/secure/role. Do you think there
> is something else I can try?
>
> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hi,
>>
>> Your configuration looks correct. But I noticed that in the postman
>> request you are sending requests to
>> `http://localhost:7200/{app}/keycloak/secure/role`. However in your
>> resource definition the URI is configured to `/secure/role`. Both URIs
>> should match otherwise the adapter won't be able to map the URI in your
>> application to a resource in Keycloak (and related permissions).
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55(a)gmail.com>
>> wrote:
>>
>>> With all the configuration(shared below), when I test using the evaluate
>>> option under authorization tab, result is permit:
>>>
>>> *But when I make a request to this resource through postman, I get 403.*
>>>
>>> *Which part of configuration is wrong which is leading to 403 error?*
>>>
>>> CONFIGURATION:
>>>
>>>
>>> *Detailed configuration with images shown here:*
>>>
>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>
>>> *1.* Following https://www.keycloak.org/docs/4.2/authorization_services/ , I created a
>>> realm role : *role_special_user* and created a user : *user_special* with
>>> this role and role *user*.
>>>
>>> *2.* Next, my resource server / client is with *full scope enabled*:
>>> *3.* Under authorization tab, I created a resource with the role based
>>> policy.
>>>
>>> *4.* Now, keycloak json is:
>>>
>>> {
>>>   "realm": "demo12",
>>>   "auth-server-url": "http://localhost:8180/auth",
>>>   "ssl-required": "none",
>>>   "resource": "server12",
>>>   "credentials": {
>>>     "secret": "XXXXXXX"
>>>   },
>>>   "confidential-port": 0,
>>>   "policy-enforcer": {}
>>> }
>>>
>>> *5.* And Keycloak Jetty adapter configuration is:
>>>
>>> import java.io.InputStream;
>>> import com.fasterxml.jackson.annotation.JsonInclude;
>>> import com.fasterxml.jackson.databind.ObjectMapper;
>>> import org.eclipse.jetty.security.ConstraintMapping;
>>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>> import org.eclipse.jetty.util.security.Constraint;
>>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>
>>> // Constants.KC_CONFIG_JSON_PATH and context (the Jetty ServletContextHandler)
>>> // come from the surrounding application.
>>> // Load keycloak.json from the classpath and parse it into an AdapterConfig.
>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>> InputStream is = Thread.currentThread().getContextClassLoader()
>>>         .getResourceAsStream(KEYCLOAK_JSON);
>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>
>>> // Hand the parsed adapter configuration to the Jetty authenticator.
>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>
>>> // Require authentication on every path; the "**" role means any authenticated user.
>>> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>> ConstraintMapping constraintMapping = new ConstraintMapping();
>>> constraintMapping.setPathSpec("/*");
>>> Constraint constraint = new Constraint();
>>> constraint.setAuthenticate(true);
>>> constraint.setRoles(new String[]{"**"});
>>> constraintMapping.setConstraint(constraint);
>>> securityHandler.addConstraintMapping(constraintMapping);
>>> securityHandler.setAuthenticator(kcAuthenticator);
>>> context.setSecurityHandler(securityHandler);
>>>
>>> *6.* Also, the decoded jwt token sample is:
>>>
>>> {
>>>   "jti": "XXXXXXX",
>>>   "exp": 1533798704,
>>>   "nbf": 0,
>>>   "iat": 1533798404,
>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>   "aud": "server12",
>>>   "sub": "XXXXXXX",
>>>   "typ": "Bearer",
>>>   "azp": "server12",
>>>   "auth_time": 1533798404,
>>>   "session_state": "XXXXXX",
>>>   "acr": "1",
>>>   "allowed-origins": [],
>>>   "realm_access": {
>>>     "roles": [
>>>       "role_special_user",
>>>       "offline_access",
>>>       "uma_authorization",
>>>       "user"
>>>     ]
>>>   },
>>>   "resource_access": {
>>>     "server12": {
>>>       "roles": [
>>>         "uma_protection"
>>>       ]
>>>     },
>>>     "account": {
>>>       "roles": [
>>>         "manage-account",
>>>         "manage-account-links",
>>>         "view-profile"
>>>       ]
>>>     }
>>>   },
>>>   "scope": "openid email profile",
>>>   "email_verified": false,
>>>   "preferred_username": "user_special"
>>> }
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user