Hi Stephane,
You are missing the step that actually obtains the token with the user's
permissions. Please, take a look at the Authorization API[1]. That PhotoZ
example is using UMA. When using this protocol, you need some additional
steps in order to obtain the RPT (the token with permissions) from the
server and use it to call your protected resources.
I would suggest you check the network calls using your browser, or you can
also try to use the Entitlement API [1] directly. This API does not require
a permission ticket and only requires an access token to obtain the RPT.
[1]
1) Obtain a
Regards.
Pedro Igor
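As an added illustration of the extra step Pedro describes (not code from the thread or from the Keycloak project), the script below exchanges the plain access token for an RPT through the Entitlement API and then inspects which resources and scopes the RPT actually grants before it is sent to photoz-restful-api. The endpoint path `/realms/{realm}/authz/entitlement/{client_id}`, the `{"rpt": ...}` response shape and the `authorization.permissions` claim layout are assumptions taken from the Keycloak 3.x authorization documentation; the resource name `album:jdoe`, the scope `album:view` and the sample tokens are constructed here for the offline checks. Signature verification is deliberately left to the resource server; the decoder only reads claims.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Values taken from the thread.
KEYCLOAK_BASE = "http://localhost:8080/auth"
REALM = "photoz"
PUBLIC_CLIENT_ID = "postman"
# Assumption: the client id of the resource server whose permissions we want in the RPT.
RESOURCE_SERVER_CLIENT_ID = "photoz-restful-api"


def get_access_token(username, password, base=KEYCLOAK_BASE, realm=REALM):
    """Step 1 (same call Stephane already makes): password grant on the public client."""
    url = f"{base}/realms/{realm}/protocol/openid-connect/token"
    body = urlencode({"client_id": PUBLIC_CLIENT_ID, "grant_type": "password",
                      "username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_rpt(access_token, base=KEYCLOAK_BASE, realm=REALM,
              client_id=RESOURCE_SERVER_CLIENT_ID):
    """Step 2 (the missing one): ask the Entitlement API for an RPT.
    Assumed endpoint: GET {base}/realms/{realm}/authz/entitlement/{client_id}
    with the plain access token as Bearer; the response body is {"rpt": "<jwt>"}."""
    url = f"{base}/realms/{realm}/authz/entitlement/{client_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["rpt"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Read the JWT payload for inspection only; the signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(token):
    """Map resource name -> set of scopes from the RPT's authorization.permissions
    claim (assumed layout: [{"resource_set_name": ..., "scopes": [...]}, ...]).
    A plain access token has no such claim and yields an empty map, which is
    exactly why sending it to the resource server ends in 403."""
    perms = decode_claims(token).get("authorization", {}).get("permissions", [])
    return {p["resource_set_name"]: set(p.get("scopes", [])) for p in perms}


def has_permission(token, resource, scope=None):
    """True if the token grants `resource` (and `scope`, when given)."""
    perms = granted_permissions(token)
    return resource in perms and (scope is None or scope in perms[resource])


# --- constructed sample tokens (unsigned, for offline demonstration only) ---
def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _constructed_token(claims):
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


PLAIN_ACCESS_TOKEN = _constructed_token({"sub": "jdoe", "azp": PUBLIC_CLIENT_ID})
SAMPLE_RPT = _constructed_token({
    "sub": "jdoe", "azp": PUBLIC_CLIENT_ID,
    "authorization": {"permissions": [
        {"resource_set_id": "constructed-id-1",
         "resource_set_name": "album:jdoe", "scopes": ["album:view"]}]}})


if __name__ == "__main__":
    # Offline: show the difference between the two token kinds.
    print("plain token grants:", granted_permissions(PLAIN_ACCESS_TOKEN))
    print("rpt grants:", granted_permissions(SAMPLE_RPT))
    # Online (needs the photoz realm running): uncomment to run the full flow.
    # rpt = fetch_rpt(get_access_token("jdoe", "jdoe"))
    # print(granted_permissions(rpt))  # then send "Authorization: Bearer <rpt>" to /album/
```

In Postman the same thing is a third request between the two Stephane already has: a GET to the entitlement endpoint carrying `Bearer {{kcAccessToken}}`, whose Tests tab stores `JSON.parse(responseBody).rpt` in a second global that the album request then uses instead of the raw access token.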
On Mon, Mar 20, 2017 at 5:48 PM, Stephane Granger <stephane.granger(a)gmail.com> wrote:
Hi,
I'm having problems setting up a postman collection to test my REST APIs.
I first created the REST API without protecting it and tested it with
Postman without a problem.
I then added protection with Keycloak and ran into issues with Postman (403
error). I wasn't sure if the problem was in my authorization
configuration or in my Postman collection. So, to make sure it wasn't an
authorization configuration problem, I decided to create a Postman
collection and use the photoz example as a model. In my Postman script, I
want to access photoz-restful-api but I'm still getting 403 error. The
photoz example does work when I use my web browser.
Here's what I did:
I added a postman client in keycloak under the photoz realm:
Client Id: postman
Protocol: openid-connect
Access Type: public
Direct Access enabled: ON
In Postman, I created 2 requests, one to get a token and the other one to
retrieve the list of albums for the jdoe user.
Here are the 2 requests:
POST
http://localhost:8080/auth/realms/photoz/protocol/openid-connect/token
Content-Type:"application/x-www-form-urlencoded"
with the following body:
client_id:postman
grant_type:password
username:jdoe
password:jdoe
I'm receiving this response: (token truncated for readability)
{
"access_token": "eyJhbGciOiJS...",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJS...",
"token_type": "bearer",
"id_token": "eyJhbGciOiJSUzI1N...",
"not-before-policy": 0,
"session_state": "cf71f9c6-78cc-4a41-8026-aca4eb86c9cd"
}
In the Tests tab of the request (still in postman), I extracted the access
token out of the response like this:
var tokens=JSON.parse(responseBody);
postman.setGlobalVariable("kcAccessToken", tokens.access_token);
===============
Here's how I created the GET album request
GET
http://localhost:8080/photoz-restful-api/album/
Headers:
key=Authorization
value=Bearer {{kcAccessToken}}
I'm getting a 403 Forbidden error.
I'm obviously doing something wrong. Can anybody please tell me what I'm doing
wrong?
Thanks,
Stephane
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user