Hi Pedro,
It seems like this problem was due to a misunderstanding on how the
bearer-only configuration works. It never goes to the server to request
additional Authorizations, so anything that is not in the access token is
automatically marked as DENIED.
Setting bearer-only to false made the authorization work by using
either KeycloakAdapterPolicyEnforcer
or BearerTokenPolicyEnforcer.
Thanks!
On Mon, Mar 27, 2017 at 10:01 AM, Pedro Igor Silva <psilva(a)redhat.com>
wrote:
Hey Gabriel, thanks for looking this.
The configuration happens on org.keycloak.adapters.autho
rization.PolicyEnforcer.
Regards.
Pedro Igor
On Mon, Mar 27, 2017 at 9:43 AM, Gabriel Trisca <gtrisca(a)cignifi.com>
wrote:
> Hi Pedro,
>
> I have the whole Keycloak project locally (about to create a pull request
> on a different bug). Can you point me towards where the Authz configuration
> happens? I could take a look.
>
> On Mon, Mar 27, 2017 at 8:00 AM, Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hi Gabriel,
>>
>> I need to check this out. It has been a while from last time I checked
>> AuthZ with Jetty.
>>
>> Regards.
>> Pedro Igor
>>
>> On Fri, Mar 24, 2017 at 8:22 PM, Gabriel Trisca <gtrisca(a)cignifi.com>
>> wrote:
>>
>>> Hello,
>>>
>>> I'm attempting to set up resource permission enforcement on a simple
>>> Dropwizard application (Jersey->Jetty).
>>>
>>> I believe the PolicyEnforcer is set up correctly, because I see
>>> debugging
>>> info along these lines:
>>>
>>> DEBUG [19:04:23.574] [dw-41] o.k.a.PreAuthActionsHandler -
>>> adminRequest
>>>
http://localhost:9090/v1/XXXX
>>> DEBUG [19:04:23.601] [dw-41] o.k.a.j.c.JettyRequestAuthenticator -
>>> Completing bearer authentication. Bearer roles: [uma_authorization]
>>> DEBUG [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator - User
>>> 'c9e8208e-56f5-42e0-9efb-f8d05600f5de' invoking '
>>>
http://localhost:9090/v1/XXXX' on client 'XXXX-api'
>>> DEBUG [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator - Bearer
>>> AUTHENTICATED
>>> DEBUG [19:04:27.781] [dw-41] o.k.a.AuthenticatedActionsHandler -
>>> AuthenticatedActionsValve.invoke
http://localhost:9090/v1/XXXX
>>> DEBUG [19:04:30.341] [dw-41] o.k.a.a.PolicyEnforcer - Policy
>>> enforcement
>>> is enable. Enforcing policy decisions for path [
>>>
http://localhost:9090/v1/XXXX].
>>> DEBUG [19:05:22.741] [dw-41] o.k.a.a.AbstractPolicyEnforcer - Checking
>>> permissions for path [
http://localhost:9090/v1/XXXX] with config
>>> [PathConfig{name='XXXX Resources', type='uma:XXXXXX',
path='/v1/XXXX/*',
>>> scopes=[], id='43bd3cdf-c15b-487a-a259-79e8de00d764',
>>> enforcerMode='ENFORCING'}].
>>> DEBUG [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer - Policy
>>> enforcement
>>> result for path [
http://localhost:9090/v1/XXXX] is : DENIED
>>> DEBUG [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer - Returning
>>> authorization context with permissions:
>>> 127.0.0.1 - c9e8208e-56f5-42e0-9efb-f8d05600f5de [24/Mar/2017:23:11:56
>>> +0000] "GET /v1/XXXX HTTP/1.1" 401 0 "-"
"Mozilla/5.0 (X11; Linux
>>> x86_64)
>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87
>>> Safari/537.36"
>>> 453164
>>>
>>>
>>> Specifically, the error occurs when Keycloak attempts to retrieve an
>>> "Authorization" object from the AccessToken. This authorization
object
>>> is
>>> always null and the permissions cannot be loaded.
>>>
>>> Without permissions, the request is marked as Unauthorized.
>>>
>>> Is there something that I'm missing here? As far as I know everything is
>>> configured correctly, I can evaluate policies on the Keycloak admin
>>> console, and the client is set up as access type "confidential". I
can
>>> see
>>> the resource definitions from Keycloak being loaded when the app
>>> launches.
>>>
>>> Any help greatly appreciated.
>>>
>>> --
>>> *Gabriel Trisca, Software Developer*
>>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
>
> --
> *Gabriel Trisca, Software Developer*
> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
>
--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA