1:45 a.m.
Hi all,
I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some serious
issues.
First a question: when will keycloak-core 1.0.1 be available from maven central? I am
having to use 1.0-final in my war - is that compatible with 1.0.1 keycloak war - which is
running on my server.
I upgraded by doing a complete wipe of the keycloak database, and reinstalling 1.0.1 over
my wildly configuration. I am able to use the keycloak admin screens flawlessly.
Now onto my problem.
In 1.0.3-beta I used to have a access type bearer-only application which used the rest api
to register and login users to keycloak.
After upgrading I have found that even if I set the application to be bearer-only,
keycloak still throws an invalid redirect uri error whenever I try to use the rest end
points (surely this should not happen with a bearer-only application). In order to fix
this I have moved the application over to access type confidential (it is sitting on the
same server as keycloak) - are there any pointers to the correct config for this in 1.0.1?
Basically my application is the backend to a mobile app that is using keycloak for access
control - at the moment I am not allowed to use the keycloak login/register screens so
must proxy it through the server. I am now able to register users using this
configuration, but would prefer to go back to bearer-only
I also have a Direct Grant Only client which I use for the mobile application itself. I am
able to get an access token by using the TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy
server but when I try to access a resource with that bearer token set in the header I am
still getting an unauthorised response.
My applications keycloak.json looks like this
{
"realm": "shift",
"realm-public-key": “**",
"auth-server-url": "http://.../auth",
"ssl-required": "none",
"resource": "shift-server",
"credentials": {
"secret": “**"
}
}
and my client JSON looks like this (although this is not put anywhere in my application
war)
{
"realm": "shift",
"realm-public-key": “***",
"auth-server-url": "http://.../auth",
"ssl-required": "none",
"resource": "shift-ios",
"public-client": true
}
I can login in with a correct username and password setting the client id to ‘shift-ios’.
However when I try to access a protected resource like this
GET /shift/feed HTTP/1.1
Host: www…..com
Connection: keep-alive
Accept: */*
User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
Accept-Language: en-us
Authorization: Bearer
eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
Accept-Encoding: gzip, deflate
where the Bearer header is the access token I get from logging in, then I get a 403
unauthorised response.
This used to work perfectly in beta 3, but I seem unable to make this work in 1.0(.1)
final.
Could this be because I am using 1.0-core instead of 1.0.1-core
Please help, as this has stopped all work on the product, and I am completely stuck. Whats
the best way to go about debugging this?
Conrad
3:05 a.m.
----- Original Message -----
From: "Conrad Winchester" <conrad(a)mindless.com>
To: keycloak-user(a)lists.jboss.org
Sent: Monday, 22 September, 2014 8:45:11 AM
Subject: [keycloak-user] 1.0.1 Problems & Questions
Hi all,
I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some
serious issues.
First a question: when will keycloak-core 1.0.1 be available from maven
central? I am having to use 1.0-final in my war - is that compatible with
1.0.1 keycloak war - which is running on my server.
Should have been there by now (it should be synced within 24h of a release), I've
contacted the guys in charge to figure out what's going on. In the mean time you could
add JBoss Nexus (https://developer.jboss.org/wiki/MavenRepository) and get it from there.
I upgraded by doing a complete wipe of the keycloak database, and
reinstalling 1.0.1 over my wildly configuration. I am able to use the
keycloak admin screens flawlessly.
Now onto my problem.
In 1.0.3-beta I used to have a access type bearer-only application which used
the rest api to register and login users to keycloak.
After upgrading I have found that even if I set the application to be
bearer-only, keycloak still throws an invalid redirect uri error whenever I
try to use the rest end points (surely this should not happen with a
bearer-only application). In order to fix this I have moved the application
over to access type confidential (it is sitting on the same server as
keycloak) - are there any pointers to the correct config for this in 1.0.1?
Basically my application is the backend to a mobile app that is using
keycloak for access control - at the moment I am not allowed to use the
keycloak login/register screens so must proxy it through the server. I am
now able to register users using this configuration, but would prefer to go
back to bearer-only
Bearer-only applications should not be able to register or login users at all, they should
only be able to authenticate using bearer tokens.
I also have a Direct Grant Only client which I use for the mobile application
itself. I am able to get an access token by using the
TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
access a resource with that bearer token set in the header I am still
getting an unauthorised response.
My applications keycloak.json looks like this
{
"realm" : "shift" ,
"realm-public-key" : “ **" ,
"auth-server-url" : " http://.../auth " ,
"ssl-required" : "none" ,
"resource" : "shift-server" ,
"credentials" : {
"secret" : “ **"
}
}
and my client JSON looks like this (although this is not put anywhere in my
application war)
{
"realm": "shift",
"realm-public-key": “***",
"auth-server-url": " http://.../auth ",
"ssl-required": "none",
"resource": "shift-ios",
"public-client": true
}
I can login in with a correct username and password setting the client id to
‘shift-ios’. However when I try to access a protected resource like this
GET /shift/feed HTTP/1.1
Host: www…..com
Connection: keep-alive
Accept: */*
User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
Accept-Language: en-us
Authorization: Bearer
eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
Accept-Encoding: gzip, deflate
where the Bearer header is the access token I get from logging in, then I get
a 403 unauthorised response.
From a 403 it should mean that the application has successfully
authenticated the user, but it doesn't have the correct roles.
Have you checked that the application you used to obtain the login has the required scope,
that the user has the required role mappings, and that your bearer-only application is
configured to use the correct roles (it can use either the roles associated with the
resource or the realm, 'use-resource-role-mappings' configures this and it
defaults to false, which mean it uses realm roles).
This used to work perfectly in beta 3, but I seem unable to make this work in
1.0(.1) final.
Could this be because I am using 1.0-core instead of 1.0.1-core
Please help, as this has stopped all work on the product, and I am completely
stuck. Whats the best way to go about debugging this?
Conrad
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:29 a.m.
Thanks for this very informative answer.
I will stick with the application being confidential as you have explained that this is
more correct.
However, WRT roles.
I have a realm role defined as ‘user’
The client Has this role as an ‘Effective role’ in the admin screens. Full scope allowed
is off, and there are no application roles assigned (nor are they available)
I have the following in my web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>shift</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
and
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>shift</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
Is this correct? Have I missed something.
BTW Thanks for the help and thanks for Keycloak - It really is awesome!
Conrad
On 22 Sep 2014, at 09:05, Stian Thorgersen <stian(a)redhat.com>
wrote:
----- Original Message -----
> From: "Conrad Winchester" <conrad(a)mindless.com
<mailto:conrad@mindless.com>>
> To: keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> Sent: Monday, 22 September, 2014 8:45:11 AM
> Subject: [keycloak-user] 1.0.1 Problems & Questions
>
> Hi all,
>
> I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some
> serious issues.
>
> First a question: when will keycloak-core 1.0.1 be available from maven
> central? I am having to use 1.0-final in my war - is that compatible with
> 1.0.1 keycloak war - which is running on my server.
Should have been there by now (it should be synced within 24h of a release), I've
contacted the guys in charge to figure out what's going on. In the mean time you could
add JBoss Nexus (https://developer.jboss.org/wiki/MavenRepository
<https://developer.jboss.org/wiki/MavenRepository>) and get it from there.
>
> I upgraded by doing a complete wipe of the keycloak database, and
> reinstalling 1.0.1 over my wildly configuration. I am able to use the
> keycloak admin screens flawlessly.
>
> Now onto my problem.
>
> In 1.0.3-beta I used to have a access type bearer-only application which used
> the rest api to register and login users to keycloak.
>
> After upgrading I have found that even if I set the application to be
> bearer-only, keycloak still throws an invalid redirect uri error whenever I
> try to use the rest end points (surely this should not happen with a
> bearer-only application). In order to fix this I have moved the application
> over to access type confidential (it is sitting on the same server as
> keycloak) - are there any pointers to the correct config for this in 1.0.1?
> Basically my application is the backend to a mobile app that is using
> keycloak for access control - at the moment I am not allowed to use the
> keycloak login/register screens so must proxy it through the server. I am
> now able to register users using this configuration, but would prefer to go
> back to bearer-only
Bearer-only applications should not be able to register or login users at all, they
should only be able to authenticate using bearer tokens.
>
> I also have a Direct Grant Only client which I use for the mobile application
> itself. I am able to get an access token by using the
> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
> access a resource with that bearer token set in the header I am still
> getting an unauthorised response.
>
> My applications keycloak.json looks like this
>
> {
> "realm" : "shift" ,
> "realm-public-key" : “ **" ,
> "auth-server-url" : " http://.../auth " ,
> "ssl-required" : "none" ,
> "resource" : "shift-server" ,
> "credentials" : {
> "secret" : “ **"
> }
> }
>
> and my client JSON looks like this (although this is not put anywhere in my
> application war)
>
> {
> "realm": "shift",
> "realm-public-key": “***",
> "auth-server-url": " http://.../auth ",
> "ssl-required": "none",
> "resource": "shift-ios",
> "public-client": true
> }
>
> I can login in with a correct username and password setting the client id to
> ‘shift-ios’. However when I try to access a protected resource like this
>
> GET /shift/feed HTTP/1.1
> Host: www…..com
> Connection: keep-alive
> Accept: */*
> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
> Accept-Language: en-us
> Authorization: Bearer
>
eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
> Accept-Encoding: gzip, deflate
>
> where the Bearer header is the access token I get from logging in, then I get
> a 403 unauthorised response.
From a 403 it should mean that the application has successfully authenticated the user,
but it doesn't have the correct roles.
Have you checked that the application you used to obtain the login has the required
scope, that the user has the required role mappings, and that your bearer-only application
is configured to use the correct roles (it can use either the roles associated with the
resource or the realm, 'use-resource-role-mappings' configures this and it
defaults to false, which mean it uses realm roles).
>
> This used to work perfectly in beta 3, but I seem unable to make this work in
> 1.0(.1) final.
>
> Could this be because I am using 1.0-core instead of 1.0.1-core
>
> Please help, as this has stopped all work on the product, and I am completely
> stuck. Whats the best way to go about debugging this?
>
> Conrad
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
5:17 a.m.
I have now also tried using application roles, but unfortunately that did not change the
behaviour at all.
Am I supposed to install the client JSON file anywhere?
Conrad
On 22 Sep 2014, at 09:29, Conrad Winchester
<conrad(a)mindless.com> wrote:
Thanks for this very informative answer.
I will stick with the application being confidential as you have explained that this is
more correct.
However, WRT roles.
I have a realm role defined as ‘user’
The client Has this role as an ‘Effective role’ in the admin screens. Full scope allowed
is off, and there are no application roles assigned (nor are they available)
I have the following in my web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>shift</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
and
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>shift</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
Is this correct? Have I missed something.
BTW Thanks for the help and thanks for Keycloak - It really is awesome!
Conrad
> On 22 Sep 2014, at 09:05, Stian Thorgersen <stian(a)redhat.com
<mailto:stian@redhat.com>> wrote:
>
>
>
> ----- Original Message -----
>> From: "Conrad Winchester" <conrad(a)mindless.com
<mailto:conrad@mindless.com>>
>> To: keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>> Sent: Monday, 22 September, 2014 8:45:11 AM
>> Subject: [keycloak-user] 1.0.1 Problems & Questions
>>
>> Hi all,
>>
>> I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some
>> serious issues.
>>
>> First a question: when will keycloak-core 1.0.1 be available from maven
>> central? I am having to use 1.0-final in my war - is that compatible with
>> 1.0.1 keycloak war - which is running on my server.
>
> Should have been there by now (it should be synced within 24h of a release), I've
contacted the guys in charge to figure out what's going on. In the mean time you could
add JBoss Nexus (https://developer.jboss.org/wiki/MavenRepository
<https://developer.jboss.org/wiki/MavenRepository>) and get it from there.
>
>>
>> I upgraded by doing a complete wipe of the keycloak database, and
>> reinstalling 1.0.1 over my wildly configuration. I am able to use the
>> keycloak admin screens flawlessly.
>>
>> Now onto my problem.
>>
>> In 1.0.3-beta I used to have a access type bearer-only application which used
>> the rest api to register and login users to keycloak.
>>
>> After upgrading I have found that even if I set the application to be
>> bearer-only, keycloak still throws an invalid redirect uri error whenever I
>> try to use the rest end points (surely this should not happen with a
>> bearer-only application). In order to fix this I have moved the application
>> over to access type confidential (it is sitting on the same server as
>> keycloak) - are there any pointers to the correct config for this in 1.0.1?
>> Basically my application is the backend to a mobile app that is using
>> keycloak for access control - at the moment I am not allowed to use the
>> keycloak login/register screens so must proxy it through the server. I am
>> now able to register users using this configuration, but would prefer to go
>> back to bearer-only
>
> Bearer-only applications should not be able to register or login users at all, they
should only be able to authenticate using bearer tokens.
>
>>
>> I also have a Direct Grant Only client which I use for the mobile application
>> itself. I am able to get an access token by using the
>> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
>> access a resource with that bearer token set in the header I am still
>> getting an unauthorised response.
>>
>> My applications keycloak.json looks like this
>>
>> {
>> "realm" : "shift" ,
>> "realm-public-key" : “ **" ,
>> "auth-server-url" : " http://.../auth <http://.../auth>
" ,
>> "ssl-required" : "none" ,
>> "resource" : "shift-server" ,
>> "credentials" : {
>> "secret" : “ **"
>> }
>> }
>>
>> and my client JSON looks like this (although this is not put anywhere in my
>> application war)
>>
>> {
>> "realm": "shift",
>> "realm-public-key": “***",
>> "auth-server-url": " http://.../auth <http://.../auth>
",
>> "ssl-required": "none",
>> "resource": "shift-ios",
>> "public-client": true
>> }
>>
>> I can login in with a correct username and password setting the client id to
>> ‘shift-ios’. However when I try to access a protected resource like this
>>
>> GET /shift/feed HTTP/1.1
>> Host: www…..com
>> Connection: keep-alive
>> Accept: */*
>> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
>> Accept-Language: en-us
>> Authorization: Bearer
>>
eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
>> Accept-Encoding: gzip, deflate
>>
>> where the Bearer header is the access token I get from logging in, then I get
>> a 403 unauthorised response.
>
> From a 403 it should mean that the application has successfully authenticated the
user, but it doesn't have the correct roles.
>
> Have you checked that the application you used to obtain the login has the required
scope, that the user has the required role mappings, and that your bearer-only application
is configured to use the correct roles (it can use either the roles associated with the
resource or the realm, 'use-resource-role-mappings' configures this and it
defaults to false, which mean it uses realm roles).
>
>>
>> This used to work perfectly in beta 3, but I seem unable to make this work in
>> 1.0(.1) final.
>>
>> Could this be because I am using 1.0-core instead of 1.0.1-core
>>
>> Please help, as this has stopped all work on the product, and I am completely
>> stuck. Whats the best way to go about debugging this?
>>
>> Conrad
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:28 a.m.
How do you obtain the token? It seems you have two different ways to do this
1) login using KC forms with 'shift-server'
2) login using direct grant with 'shift-ios'
Is this correct? If so both 'shift-server' and 'shift-ios' has to have a
scope on the 'user' realm role. With 'shift-ios' as you're not using
any of our adapters you don't need to install the client json for that anywhere. You
obviously do need the json config for 'shift-server' (or use the WildFly subsystem
to configure through standalone.xml).
If you have the bearer token available you can check the contents of it with:
System.out.println(new org.keycloak.jose.jws.JWSInput(token).readContentAsString());
It would be helpful if you could send that to me.
----- Original Message -----
From: "Conrad Winchester" <conrad(a)mindless.com>
To: "Conrad Winchester" <conrad(a)mindless.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Monday, 22 September, 2014 12:17:43 PM
Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
I have now also tried using application roles, but unfortunately that did not
change the behaviour at all.
Am I supposed to install the client JSON file anywhere?
Conrad
On 22 Sep 2014, at 09:29, Conrad Winchester < conrad(a)mindless.com > wrote
Thanks for this very informative answer.
I will stick with the application being confidential as you have explained
that this is more correct.
However, WRT roles.
I have a realm role defined as ‘user’
The client Has this role as an ‘Effective role’ in the admin screens. Full
scope allowed is off, and there are no application roles assigned (nor are
they available)
I have the following in my web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name> shift </web-resource-name>
<url-pattern> /* </url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name> user </role-name>
</auth-constraint>
</security-constraint>
and
<login-config>
<auth-method> KEYCLOAK </auth-method>
<realm-name> shift </realm-name>
</login-config>
<security-role>
<role-name> user </role-name>
</security-role>
Is this correct? Have I missed something.
BTW Thanks for the help and thanks for Keycloak - It really is awesome!
Conrad
On 22 Sep 2014, at 09:05, Stian Thorgersen < stian(a)redhat.com > wrote:
----- Original Message -----
From: "Conrad Winchester" < conrad(a)mindless.com >
To: keycloak-user(a)lists.jboss.org
Sent: Monday, 22 September, 2014 8:45:11 AM
Subject: [keycloak-user] 1.0.1 Problems & Questions
Hi all,
I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some
serious issues.
First a question: when will keycloak-core 1.0.1 be available from maven
central? I am having to use 1.0-final in my war - is that compatible with
1.0.1 keycloak war - which is running on my server.
Should have been there by now (it should be synced within 24h of a release),
I've contacted the guys in charge to figure out what's going on. In the mean
time you could add JBoss Nexus (
https://developer.jboss.org/wiki/MavenRepository ) and get it from there.
I upgraded by doing a complete wipe of the keycloak database, and
reinstalling 1.0.1 over my wildly configuration. I am able to use the
keycloak admin screens flawlessly.
Now onto my problem.
In 1.0.3-beta I used to have a access type bearer-only application which used
the rest api to register and login users to keycloak.
After upgrading I have found that even if I set the application to be
bearer-only, keycloak still throws an invalid redirect uri error whenever I
try to use the rest end points (surely this should not happen with a
bearer-only application). In order to fix this I have moved the application
over to access type confidential (it is sitting on the same server as
keycloak) - are there any pointers to the correct config for this in 1.0.1?
Basically my application is the backend to a mobile app that is using
keycloak for access control - at the moment I am not allowed to use the
keycloak login/register screens so must proxy it through the server. I am
now able to register users using this configuration, but would prefer to go
back to bearer-only
Bearer-only applications should not be able to register or login users at
all, they should only be able to authenticate using bearer tokens.
I also have a Direct Grant Only client which I use for the mobile application
itself. I am able to get an access token by using the
TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
access a resource with that bearer token set in the header I am still
getting an unauthorised response.
My applications keycloak.json looks like this
{
"realm" : "shift" ,
"realm-public-key" : “ **" ,
"auth-server-url" : " http://.../auth " ,
"ssl-required" : "none" ,
"resource" : "shift-server" ,
"credentials" : {
"secret" : “ **"
}
}
and my client JSON looks like this (although this is not put anywhere in my
application war)
{
"realm": "shift",
"realm-public-key": “***",
"auth-server-url": " http://.../auth ",
"ssl-required": "none",
"resource": "shift-ios",
"public-client": true
}
I can login in with a correct username and password setting the client id to
‘shift-ios’. However when I try to access a protected resource like this
GET /shift/feed HTTP/1.1
Host: www…..com
Connection: keep-alive
Accept: */*
User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
Accept-Language: en-us
Authorization: Bearer
eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
Accept-Encoding: gzip, deflate
where the Bearer header is the access token I get from logging in, then I get
a 403 unauthorised response.
From a 403 it should mean that the application has successfully authenticated
the user, but it doesn't have the correct roles.
Have you checked that the application you used to obtain the login has the
required scope, that the user has the required role mappings, and that your
bearer-only application is configured to use the correct roles (it can use
either the roles associated with the resource or the realm,
'use-resource-role-mappings' configures this and it defaults to false, which
mean it uses realm roles).
This used to work perfectly in beta 3, but I seem unable to make this work in
1.0(.1) final.
Could this be because I am using 1.0-core instead of 1.0.1-core
Please help, as this has stopped all work on the product, and I am completely
stuck. Whats the best way to go about debugging this?
Conrad
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:32 a.m.
Hi Stian
I am loggin in using the direct grant rest end point with client id as shift-ios
The token I get back looks like this
2014-09-22 14:25:34,795 INFO [com.shift.service.oauth.KeycloakAuthAdapter] (default
task-1) Logged in with access token
{"jti":"c78a0ec1-54fe-40c4-a2c7-d8e58129bf22","exp":1411392634,"nbf":0,"iat":1411392334,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","session_state":"cc0559f9-78a2-4951-afac-48bee4fa9a23","allowed-origins":[],"resource_access":{}}
Does that help?
Thanks
Conrad
On 22 Sep 2014, at 13:28, Stian Thorgersen <stian(a)redhat.com>
wrote:
How do you obtain the token? It seems you have two different ways to do this
1) login using KC forms with 'shift-server'
2) login using direct grant with 'shift-ios'
Is this correct? If so both 'shift-server' and 'shift-ios' has to have a
scope on the 'user' realm role. With 'shift-ios' as you're not using
any of our adapters you don't need to install the client json for that anywhere. You
obviously do need the json config for 'shift-server' (or use the WildFly subsystem
to configure through standalone.xml).
If you have the bearer token available you can check the contents of it with:
System.out.println(new org.keycloak.jose.jws.JWSInput(token).readContentAsString());
It would be helpful if you could send that to me.
----- Original Message -----
> From: "Conrad Winchester" <conrad(a)mindless.com>
> To: "Conrad Winchester" <conrad(a)mindless.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Monday, 22 September, 2014 12:17:43 PM
> Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
>
> I have now also tried using application roles, but unfortunately that did not
> change the behaviour at all.
>
> Am I supposed to install the client JSON file anywhere?
>
> Conrad
>
>
>
>
>
> On 22 Sep 2014, at 09:29, Conrad Winchester < conrad(a)mindless.com > wrote
>
> Thanks for this very informative answer.
>
> I will stick with the application being confidential as you have explained
> that this is more correct.
>
> However, WRT roles.
>
> I have a realm role defined as ‘user’
> The client Has this role as an ‘Effective role’ in the admin screens. Full
> scope allowed is off, and there are no application roles assigned (nor are
> they available)
> I have the following in my web.xml
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name> shift </web-resource-name>
> <url-pattern> /* </url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name> user </role-name>
> </auth-constraint>
> </security-constraint>
> and
>
> <login-config>
> <auth-method> KEYCLOAK </auth-method>
> <realm-name> shift </realm-name>
> </login-config>
>
> <security-role>
> <role-name> user </role-name>
> </security-role>
> Is this correct? Have I missed something.
>
> BTW Thanks for the help and thanks for Keycloak - It really is awesome!
>
> Conrad
>
>
>
>
> On 22 Sep 2014, at 09:05, Stian Thorgersen < stian(a)redhat.com > wrote:
>
>
>
> ----- Original Message -----
>
>
> From: "Conrad Winchester" < conrad(a)mindless.com >
> To: keycloak-user(a)lists.jboss.org
> Sent: Monday, 22 September, 2014 8:45:11 AM
> Subject: [keycloak-user] 1.0.1 Problems & Questions
>
> Hi all,
>
> I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some
> serious issues.
>
> First a question: when will keycloak-core 1.0.1 be available from maven
> central? I am having to use 1.0-final in my war - is that compatible with
> 1.0.1 keycloak war - which is running on my server.
>
> Should have been there by now (it should be synced within 24h of a release),
> I've contacted the guys in charge to figure out what's going on. In the mean
> time you could add JBoss Nexus (
> https://developer.jboss.org/wiki/MavenRepository ) and get it from there.
>
>
>
>
> I upgraded by doing a complete wipe of the keycloak database, and
> reinstalling 1.0.1 over my wildly configuration. I am able to use the
> keycloak admin screens flawlessly.
>
> Now onto my problem.
>
> In 1.0.3-beta I used to have a access type bearer-only application which used
> the rest api to register and login users to keycloak.
>
> After upgrading I have found that even if I set the application to be
> bearer-only, keycloak still throws an invalid redirect uri error whenever I
> try to use the rest end points (surely this should not happen with a
> bearer-only application). In order to fix this I have moved the application
> over to access type confidential (it is sitting on the same server as
> keycloak) - are there any pointers to the correct config for this in 1.0.1?
> Basically my application is the backend to a mobile app that is using
> keycloak for access control - at the moment I am not allowed to use the
> keycloak login/register screens so must proxy it through the server. I am
> now able to register users using this configuration, but would prefer to go
> back to bearer-only
>
> Bearer-only applications should not be able to register or login users at
> all, they should only be able to authenticate using bearer tokens.
>
>
>
>
> I also have a Direct Grant Only client which I use for the mobile application
> itself. I am able to get an access token by using the
> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
> access a resource with that bearer token set in the header I am still
> getting an unauthorised response.
>
> My applications keycloak.json looks like this
>
> {
> "realm" : "shift" ,
> "realm-public-key" : “ **" ,
> "auth-server-url" : " http://.../auth " ,
> "ssl-required" : "none" ,
> "resource" : "shift-server" ,
> "credentials" : {
> "secret" : “ **"
> }
> }
>
> and my client JSON looks like this (although this is not put anywhere in my
> application war)
>
> {
> "realm": "shift",
> "realm-public-key": “***",
> "auth-server-url": " http://.../auth ",
> "ssl-required": "none",
> "resource": "shift-ios",
> "public-client": true
> }
>
> I can login in with a correct username and password setting the client id to
> ‘shift-ios’. However when I try to access a protected resource like this
>
> GET /shift/feed HTTP/1.1
> Host: www…..com
> Connection: keep-alive
> Accept: */*
> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
> Accept-Language: en-us
> Authorization: Bearer
>
eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
> Accept-Encoding: gzip, deflate
>
> where the Bearer header is the access token I get from logging in, then I get
> a 403 unauthorised response.
>
> From a 403 it should mean that the application has successfully authenticated
> the user, but it doesn't have the correct roles.
>
> Have you checked that the application you used to obtain the login has the
> required scope, that the user has the required role mappings, and that your
> bearer-only application is configured to use the correct roles (it can use
> either the roles associated with the resource or the realm,
> 'use-resource-role-mappings' configures this and it defaults to false, which
> mean it uses realm roles).
>
>
>
>
> This used to work perfectly in beta 3, but I seem unable to make this work in
> 1.0(.1) final.
>
> Could this be because I am using 1.0-core instead of 1.0.1-core
>
> Please help, as this has stopped all work on the product, and I am completely
> stuck. Whats the best way to go about debugging this?
>
> Conrad
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
12:22 p.m.
Hi Stian
I have made some progress. I have discovered that if I assign the role ‘user’ to my user
account in the ‘role mappings’ section of the keycloak admin screens for that user then
access to the resources work. The access token looks like this
2014-09-22 18:13:01,057 INFO [com.shift.service.oauth.KeycloakAuthAdapter] (default
task-15) Logged in with access token {"name":"shift_141 not
provided","email":"conrad@chiwestern.com","jti":"997e2a5c-389a-4b57-8a2b-669fcda587f7","exp":1411406281,"nbf":0,"iat":1411405981,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","given_name":"shift_141","family_name":"not
provided","preferred_username":"conrad@chiwestern.com","email_verified":false,"session_state":"e0ae4a87-18d1-446a-805e-ad9334a1d648","allowed-origins":[],"realm_access":{"roles":["user"]},"resource_access":{}}
I get roles:[user]
Isn’t this supposed to happen automatically if the role ‘user’ is the default realm role?
Thanks
Conrad
On 22 Sep 2014, at 14:32, Conrad Winchester
<conrad(a)mindless.com> wrote:
Hi Stian
I am loggin in using the direct grant rest end point with client id as shift-ios
The token I get back looks like this
2014-09-22 14:25:34,795 INFO [com.shift.service.oauth.KeycloakAuthAdapter] (default
task-1) Logged in with access token
{"jti":"c78a0ec1-54fe-40c4-a2c7-d8e58129bf22","exp":1411392634,"nbf":0,"iat":1411392334,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","session_state":"cc0559f9-78a2-4951-afac-48bee4fa9a23","allowed-origins":[],"resource_access":{}}
Does that help?
Thanks
Conrad
> On 22 Sep 2014, at 13:28, Stian Thorgersen <stian(a)redhat.com
<mailto:stian@redhat.com>> wrote:
>
> How do you obtain the token? It seems you have two different ways to do this
>
> 1) login using KC forms with 'shift-server'
> 2) login using direct grant with 'shift-ios'
>
> Is this correct? If so both 'shift-server' and 'shift-ios' has to
have a scope on the 'user' realm role. With 'shift-ios' as you're not
using any of our adapters you don't need to install the client json for that anywhere.
You obviously do need the json config for 'shift-server' (or use the WildFly
subsystem to configure through standalone.xml).
>
> If you have the bearer token available you can check the contents of it with:
>
> System.out.println(new
org.keycloak.jose.jws.JWSInput(token).readContentAsString());
>
> It would be helpful if you could send that to me.
>
> ----- Original Message -----
>> From: "Conrad Winchester" <conrad(a)mindless.com
<mailto:conrad@mindless.com>>
>> To: "Conrad Winchester" <conrad(a)mindless.com
<mailto:conrad@mindless.com>>
>> Cc: keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>> Sent: Monday, 22 September, 2014 12:17:43 PM
>> Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
>>
>> I have now also tried using application roles, but unfortunately that did not
>> change the behaviour at all.
>>
>> Am I supposed to install the client JSON file anywhere?
>>
>> Conrad
>>
>>
>>
>>
>>
>> On 22 Sep 2014, at 09:29, Conrad Winchester < conrad(a)mindless.com
<mailto:conrad@mindless.com> > wrote
>>
>> Thanks for this very informative answer.
>>
>> I will stick with the application being confidential as you have explained
>> that this is more correct.
>>
>> However, WRT roles.
>>
>> I have a realm role defined as ‘user’
>> The client Has this role as an ‘Effective role’ in the admin screens. Full
>> scope allowed is off, and there are no application roles assigned (nor are
>> they available)
>> I have the following in my web.xml
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name> shift </web-resource-name>
>> <url-pattern> /* </url-pattern>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name> user </role-name>
>> </auth-constraint>
>> </security-constraint>
>> and
>>
>> <login-config>
>> <auth-method> KEYCLOAK </auth-method>
>> <realm-name> shift </realm-name>
>> </login-config>
>>
>> <security-role>
>> <role-name> user </role-name>
>> </security-role>
>> Is this correct? Have I missed something.
>>
>> BTW Thanks for the help and thanks for Keycloak - It really is awesome!
>>
>> Conrad
>>
>>
>>
>>
>> On 22 Sep 2014, at 09:05, Stian Thorgersen < stian(a)redhat.com
<mailto:stian@redhat.com> > wrote:
>>
>>
>>
>> ----- Original Message -----
>>
>>
>> From: "Conrad Winchester" < conrad(a)mindless.com
<mailto:conrad@mindless.com> >
>> To: keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>> Sent: Monday, 22 September, 2014 8:45:11 AM
>> Subject: [keycloak-user] 1.0.1 Problems & Questions
>>
>> Hi all,
>>
>> I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some
>> serious issues.
>>
>> First a question: when will keycloak-core 1.0.1 be available from maven
>> central? I am having to use 1.0-final in my war - is that compatible with
>> 1.0.1 keycloak war - which is running on my server.
>>
>> Should have been there by now (it should be synced within 24h of a release),
>> I've contacted the guys in charge to figure out what's going on. In the
mean
>> time you could add JBoss Nexus (
>> https://developer.jboss.org/wiki/MavenRepository
<https://developer.jboss.org/wiki/MavenRepository> ) and get it from there.
>>
>>
>>
>>
>> I upgraded by doing a complete wipe of the keycloak database, and
>> reinstalling 1.0.1 over my wildly configuration. I am able to use the
>> keycloak admin screens flawlessly.
>>
>> Now onto my problem.
>>
>> In 1.0.3-beta I used to have a access type bearer-only application which used
>> the rest api to register and login users to keycloak.
>>
>> After upgrading I have found that even if I set the application to be
>> bearer-only, keycloak still throws an invalid redirect uri error whenever I
>> try to use the rest end points (surely this should not happen with a
>> bearer-only application). In order to fix this I have moved the application
>> over to access type confidential (it is sitting on the same server as
>> keycloak) - are there any pointers to the correct config for this in 1.0.1?
>> Basically my application is the backend to a mobile app that is using
>> keycloak for access control - at the moment I am not allowed to use the
>> keycloak login/register screens so must proxy it through the server. I am
>> now able to register users using this configuration, but would prefer to go
>> back to bearer-only
>>
>> Bearer-only applications should not be able to register or login users at
>> all, they should only be able to authenticate using bearer tokens.
>>
>>
>>
>>
>> I also have a Direct Grant Only client which I use for the mobile application
>> itself. I am able to get an access token by using the
>> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
>> access a resource with that bearer token set in the header I am still
>> getting an unauthorised response.
>>
>> My applications keycloak.json looks like this
>>
>> {
>> "realm" : "shift" ,
>> "realm-public-key" : “ **" ,
>> "auth-server-url" : " http://.../auth <http://.../auth>
" ,
>> "ssl-required" : "none" ,
>> "resource" : "shift-server" ,
>> "credentials" : {
>> "secret" : “ **"
>> }
>> }
>>
>> and my client JSON looks like this (although this is not put anywhere in my
>> application war)
>>
>> {
>> "realm": "shift",
>> "realm-public-key": “***",
>> "auth-server-url": " http://.../auth <http://.../auth>
",
>> "ssl-required": "none",
>> "resource": "shift-ios",
>> "public-client": true
>> }
>>
>> I can login in with a correct username and password setting the client id to
>> ‘shift-ios’. However when I try to access a protected resource like this
>>
>> GET /shift/feed HTTP/1.1
>> Host: www…..com
>> Connection: keep-alive
>> Accept: */*
>> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
>> Accept-Language: en-us
>> Authorization: Bearer
>>
eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
>> Accept-Encoding: gzip, deflate
>>
>> where the Bearer header is the access token I get from logging in, then I get
>> a 403 unauthorised response.
>>
>> From a 403 it should mean that the application has successfully authenticated
>> the user, but it doesn't have the correct roles.
>>
>> Have you checked that the application you used to obtain the login has the
>> required scope, that the user has the required role mappings, and that your
>> bearer-only application is configured to use the correct roles (it can use
>> either the roles associated with the resource or the realm,
>> 'use-resource-role-mappings' configures this and it defaults to false,
which
>> mean it uses realm roles).
>>
>>
>>
>>
>> This used to work perfectly in beta 3, but I seem unable to make this work in
>> 1.0(.1) final.
>>
>> Could this be because I am using 1.0-core instead of 1.0.1-core
>>
>> Please help, as this has stopped all work on the product, and I am completely
>> stuck. Whats the best way to go about debugging this?
>>
>> Conrad
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:58 p.m.
Hi Stian
I worked it out.
I had removed and re-added the user role from the realm after my user had registered. It
seems that the default role is assigned at registration time and so if you change it that
change is not reflected in existing users.
A surprising behaviour, but I can sort of see why that is.
Conrad
On 22 Sep 2014, at 18:22, Conrad Winchester
<conrad(a)mindless.com> wrote:
Hi Stian
I have made some progress. I have discovered that if I assign the role ‘user’ to my user
account in the ‘role mappings’ section of the keycloak admin screens for that user then
access to the resources work. The access token looks like this
2014-09-22 18:13:01,057 INFO [com.shift.service.oauth.KeycloakAuthAdapter] (default
task-15) Logged in with access token {"name":"shift_141 not
provided","email":"conrad@chiwestern.com
<mailto:conrad@chiwestern.com>","jti":"997e2a5c-389a-4b57-8a2b-669fcda587f7","exp":1411406281,"nbf":0,"iat":1411405981,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","given_name":"shift_141","family_name":"not
provided","preferred_username":"conrad@chiwestern.com
<mailto:conrad@chiwestern.com>","email_verified":false,"session_state":"e0ae4a87-18d1-446a-805e-ad9334a1d648","allowed-origins":[],"realm_access":{"roles":["user"]},"resource_access":{}}
I get roles:[user]
Isn’t this supposed to happen automatically if the role ‘user’ is the default realm
role?
Thanks
Conrad
> On 22 Sep 2014, at 14:32, Conrad Winchester <conrad(a)mindless.com
<mailto:conrad@mindless.com>> wrote:
>
> Hi Stian
>
> I am loggin in using the direct grant rest end point with client id as shift-ios
>
> The token I get back looks like this
>
> 2014-09-22 14:25:34,795 INFO [com.shift.service.oauth.KeycloakAuthAdapter] (default
task-1) Logged in with access token
{"jti":"c78a0ec1-54fe-40c4-a2c7-d8e58129bf22","exp":1411392634,"nbf":0,"iat":1411392334,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","session_state":"cc0559f9-78a2-4951-afac-48bee4fa9a23","allowed-origins":[],"resource_access":{}}
>
> Does that help?
>
> Thanks
>
> Conrad
>
>> On 22 Sep 2014, at 13:28, Stian Thorgersen <stian(a)redhat.com
<mailto:stian@redhat.com>> wrote:
>>
>> How do you obtain the token? It seems you have two different ways to do this
>>
>> 1) login using KC forms with 'shift-server'
>> 2) login using direct grant with 'shift-ios'
>>
>> Is this correct? If so both 'shift-server' and 'shift-ios' has to
have a scope on the 'user' realm role. With 'shift-ios' as you're not
using any of our adapters you don't need to install the client json for that anywhere.
You obviously do need the json config for 'shift-server' (or use the WildFly
subsystem to configure through standalone.xml).
>>
>> If you have the bearer token available you can check the contents of it with:
>>
>> System.out.println(new
org.keycloak.jose.jws.JWSInput(token).readContentAsString());
>>
>> It would be helpful if you could send that to me.
>>
>> ----- Original Message -----
>>> From: "Conrad Winchester" <conrad(a)mindless.com
<mailto:conrad@mindless.com>>
>>> To: "Conrad Winchester" <conrad(a)mindless.com
<mailto:conrad@mindless.com>>
>>> Cc: keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>>> Sent: Monday, 22 September, 2014 12:17:43 PM
>>> Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
>>>
>>> I have now also tried using application roles, but unfortunately that did
not
>>> change the behaviour at all.
>>>
>>> Am I supposed to install the client JSON file anywhere?
>>>
>>> Conrad
>>>
>>>
>>>
>>>
>>>
>>> On 22 Sep 2014, at 09:29, Conrad Winchester < conrad(a)mindless.com
<mailto:conrad@mindless.com> > wrote
>>>
>>> Thanks for this very informative answer.
>>>
>>> I will stick with the application being confidential as you have explained
>>> that this is more correct.
>>>
>>> However, WRT roles.
>>>
>>> I have a realm role defined as ‘user’
>>> The client Has this role as an ‘Effective role’ in the admin screens. Full
>>> scope allowed is off, and there are no application roles assigned (nor are
>>> they available)
>>> I have the following in my web.xml
>>>
>>> <security-constraint>
>>> <web-resource-collection>
>>> <web-resource-name> shift </web-resource-name>
>>> <url-pattern> /* </url-pattern>
>>> </web-resource-collection>
>>> <auth-constraint>
>>> <role-name> user </role-name>
>>> </auth-constraint>
>>> </security-constraint>
>>> and
>>>
>>> <login-config>
>>> <auth-method> KEYCLOAK </auth-method>
>>> <realm-name> shift </realm-name>
>>> </login-config>
>>>
>>> <security-role>
>>> <role-name> user </role-name>
>>> </security-role>
>>> Is this correct? Have I missed something.
>>>
>>> BTW Thanks for the help and thanks for Keycloak - It really is awesome!
>>>
>>> Conrad
>>>
>>>
>>>
>>>
>>> On 22 Sep 2014, at 09:05, Stian Thorgersen < stian(a)redhat.com
<mailto:stian@redhat.com> > wrote:
>>>
>>>
>>>
>>> ----- Original Message -----
>>>
>>>
>>> From: "Conrad Winchester" < conrad(a)mindless.com
<mailto:conrad@mindless.com> >
>>> To: keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>>> Sent: Monday, 22 September, 2014 8:45:11 AM
>>> Subject: [keycloak-user] 1.0.1 Problems & Questions
>>>
>>> Hi all,
>>>
>>> I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some
>>> serious issues.
>>>
>>> First a question: when will keycloak-core 1.0.1 be available from maven
>>> central? I am having to use 1.0-final in my war - is that compatible with
>>> 1.0.1 keycloak war - which is running on my server.
>>>
>>> Should have been there by now (it should be synced within 24h of a release),
>>> I've contacted the guys in charge to figure out what's going on. In
the mean
>>> time you could add JBoss Nexus (
>>> https://developer.jboss.org/wiki/MavenRepository
<https://developer.jboss.org/wiki/MavenRepository> ) and get it from there.
>>>
>>>
>>>
>>>
>>> I upgraded by doing a complete wipe of the keycloak database, and
>>> reinstalling 1.0.1 over my wildly configuration. I am able to use the
>>> keycloak admin screens flawlessly.
>>>
>>> Now onto my problem.
>>>
>>> In 1.0.3-beta I used to have a access type bearer-only application which
used
>>> the rest api to register and login users to keycloak.
>>>
>>> After upgrading I have found that even if I set the application to be
>>> bearer-only, keycloak still throws an invalid redirect uri error whenever I
>>> try to use the rest end points (surely this should not happen with a
>>> bearer-only application). In order to fix this I have moved the application
>>> over to access type confidential (it is sitting on the same server as
>>> keycloak) - are there any pointers to the correct config for this in 1.0.1?
>>> Basically my application is the backend to a mobile app that is using
>>> keycloak for access control - at the moment I am not allowed to use the
>>> keycloak login/register screens so must proxy it through the server. I am
>>> now able to register users using this configuration, but would prefer to go
>>> back to bearer-only
>>>
>>> Bearer-only applications should not be able to register or login users at
>>> all, they should only be able to authenticate using bearer tokens.
>>>
>>>
>>>
>>>
>>> I also have a Direct Grant Only client which I use for the mobile
application
>>> itself. I am able to get an access token by using the
>>> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
>>> access a resource with that bearer token set in the header I am still
>>> getting an unauthorised response.
>>>
>>> My applications keycloak.json looks like this
>>>
>>> {
>>> "realm" : "shift" ,
>>> "realm-public-key" : “ **" ,
>>> "auth-server-url" : " http://.../auth <http://.../auth>
" ,
>>> "ssl-required" : "none" ,
>>> "resource" : "shift-server" ,
>>> "credentials" : {
>>> "secret" : “ **"
>>> }
>>> }
>>>
>>> and my client JSON looks like this (although this is not put anywhere in my
>>> application war)
>>>
>>> {
>>> "realm": "shift",
>>> "realm-public-key": “***",
>>> "auth-server-url": " http://.../auth <http://.../auth>
",
>>> "ssl-required": "none",
>>> "resource": "shift-ios",
>>> "public-client": true
>>> }
>>>
>>> I can login in with a correct username and password setting the client id to
>>> ‘shift-ios’. However when I try to access a protected resource like this
>>>
>>> GET /shift/feed HTTP/1.1
>>> Host: www…..com
>>> Connection: keep-alive
>>> Accept: */*
>>> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
>>> Accept-Language: en-us
>>> Authorization: Bearer
>>>
eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
>>> Accept-Encoding: gzip, deflate
>>>
>>> where the Bearer header is the access token I get from logging in, then I
get
>>> a 403 unauthorised response.
>>>
>>> From a 403 it should mean that the application has successfully
authenticated
>>> the user, but it doesn't have the correct roles.
>>>
>>> Have you checked that the application you used to obtain the login has the
>>> required scope, that the user has the required role mappings, and that your
>>> bearer-only application is configured to use the correct roles (it can use
>>> either the roles associated with the resource or the realm,
>>> 'use-resource-role-mappings' configures this and it defaults to
false, which
>>> mean it uses realm roles).
>>>
>>>
>>>
>>>
>>> This used to work perfectly in beta 3, but I seem unable to make this work
in
>>> 1.0(.1) final.
>>>
>>> Could this be because I am using 1.0-core instead of 1.0.1-core
>>>
>>> Please help, as this has stopped all work on the product, and I am
completely
>>> stuck. Whats the best way to go about debugging this?
>>>
>>> Conrad
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:56 a.m.
----- Original Message -----
From: "Conrad Winchester" <conrad(a)mindless.com>
To: keycloak-user(a)lists.jboss.org
Sent: Monday, 22 September, 2014 7:58:08 PM
Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
Hi Stian
I worked it out.
I had removed and re-added the user role from the realm after my user had
registered. It seems that the default role is assigned at registration time
and so if you change it that change is not reflected in existing users.
A surprising behaviour, but I can sort of see why that is.
We did it this way as you can do the alternative using a composite role. Basically if you
create a composite role 'default-roles' and assign this as a default role, then
you can add/remove roles to this and existing users will be updated.
Conrad
On 22 Sep 2014, at 18:22, Conrad Winchester < conrad(a)mindless.com > wrote:
Hi Stian
I have made some progress. I have discovered that if I assign the role ‘user’
to my user account in the ‘role mappings’ section of the keycloak admin
screens for that user then access to the resources work. The access token
looks like this
2014-09-22 18:13:01,057 INFO [com.shift.service.oauth.KeycloakAuthAdapter]
(default task-15) Logged in with access token {"name":"shift_141 not
provided","email":" conrad(a)chiwestern.com
","jti":"997e2a5c-389a-4b57-8a2b-669fcda587f7","exp":1411406281,"nbf":0,"iat":1411405981,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","given_name":"shift_141","family_name":"not
provided","preferred_username":" conrad(a)chiwestern.com
","email_verified":false,"session_state":"e0ae4a87-18d1-446a-805e-ad9334a1d648","allowed-origins":[],"realm_access":{"roles":["user"]},"resource_access":{}}
I get roles:[user]
Isn’t this supposed to happen automatically if the role ‘user’ is the default
realm role?
Thanks
Conrad
On 22 Sep 2014, at 14:32, Conrad Winchester < conrad(a)mindless.com > wrote:
Hi Stian
I am loggin in using the direct grant rest end point with client id as
shift-ios
The token I get back looks like this
2014-09-22 14:25:34,795 INFO [com.shift.service.oauth.KeycloakAuthAdapter]
(default task-1) Logged in with access token
{"jti":"c78a0ec1-54fe-40c4-a2c7-d8e58129bf22","exp":1411392634,"nbf":0,"iat":1411392334,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","session_state":"cc0559f9-78a2-4951-afac-48bee4fa9a23","allowed-origins":[],"resource_access":{}}
Does that help?
Thanks
Conrad
On 22 Sep 2014, at 13:28, Stian Thorgersen < stian(a)redhat.com > wrote:
How do you obtain the token? It seems you have two different ways to do this
1) login using KC forms with 'shift-server'
2) login using direct grant with 'shift-ios'
Is this correct? If so both 'shift-server' and 'shift-ios' has to have a
scope on the 'user' realm role. With 'shift-ios' as you're not using
any of
our adapters you don't need to install the client json for that anywhere.
You obviously do need the json config for 'shift-server' (or use the WildFly
subsystem to configure through standalone.xml).
If you have the bearer token available you can check the contents of it with:
System.out.println(new
org.keycloak.jose.jws.JWSInput(token).readContentAsString());
It would be helpful if you could send that to me.
----- Original Message -----
From: "Conrad Winchester" < conrad(a)mindless.com >
To: "Conrad Winchester" < conrad(a)mindless.com >
Cc: keycloak-user(a)lists.jboss.org
Sent: Monday, 22 September, 2014 12:17:43 PM
Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
I have now also tried using application roles, but unfortunately that did not
change the behaviour at all.
Am I supposed to install the client JSON file anywhere?
Conrad
On 22 Sep 2014, at 09:29, Conrad Winchester < conrad(a)mindless.com > wrote
Thanks for this very informative answer.
I will stick with the application being confidential as you have explained
that this is more correct.
However, WRT roles.
I have a realm role defined as ‘user’
The client Has this role as an ‘Effective role’ in the admin screens. Full
scope allowed is off, and there are no application roles assigned (nor are
they available)
I have the following in my web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name> shift </web-resource-name>
<url-pattern> /* </url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name> user </role-name>
</auth-constraint>
</security-constraint>
and
<login-config>
<auth-method> KEYCLOAK </auth-method>
<realm-name> shift </realm-name>
</login-config>
<security-role>
<role-name> user </role-name>
</security-role>
Is this correct? Have I missed something.
BTW Thanks for the help and thanks for Keycloak - It really is awesome!
Conrad
On 22 Sep 2014, at 09:05, Stian Thorgersen < stian(a)redhat.com > wrote:
----- Original Message -----
From: "Conrad Winchester" < conrad(a)mindless.com >
To: keycloak-user(a)lists.jboss.org
Sent: Monday, 22 September, 2014 8:45:11 AM
Subject: [keycloak-user] 1.0.1 Problems & Questions
Hi all,
I have just upgrade from 1.0-beta 3 to 1.0.1 final and am running into some
serious issues.
First a question: when will keycloak-core 1.0.1 be available from maven
central? I am having to use 1.0-final in my war - is that compatible with
1.0.1 keycloak war - which is running on my server.
Should have been there by now (it should be synced within 24h of a release),
I've contacted the guys in charge to figure out what's going on. In the mean
time you could add JBoss Nexus (
https://developer.jboss.org/wiki/MavenRepository ) and get it from there.
I upgraded by doing a complete wipe of the keycloak database, and
reinstalling 1.0.1 over my wildly configuration. I am able to use the
keycloak admin screens flawlessly.
Now onto my problem.
In 1.0.3-beta I used to have a access type bearer-only application which used
the rest api to register and login users to keycloak.
After upgrading I have found that even if I set the application to be
bearer-only, keycloak still throws an invalid redirect uri error whenever I
try to use the rest end points (surely this should not happen with a
bearer-only application). In order to fix this I have moved the application
over to access type confidential (it is sitting on the same server as
keycloak) - are there any pointers to the correct config for this in 1.0.1?
Basically my application is the backend to a mobile app that is using
keycloak for access control - at the moment I am not allowed to use the
keycloak login/register screens so must proxy it through the server. I am
now able to register users using this configuration, but would prefer to go
back to bearer-only
Bearer-only applications should not be able to register or login users at
all, they should only be able to authenticate using bearer tokens.
I also have a Direct Grant Only client which I use for the mobile application
itself. I am able to get an access token by using the
TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
access a resource with that bearer token set in the header I am still
getting an unauthorised response.
My applications keycloak.json looks like this
{
"realm" : "shift" ,
"realm-public-key" : “ **" ,
"auth-server-url" : " http://.../auth " ,
"ssl-required" : "none" ,
"resource" : "shift-server" ,
"credentials" : {
"secret" : “ **"
}
}
and my client JSON looks like this (although this is not put anywhere in my
application war)
{
"realm": "shift",
"realm-public-key": “***",
"auth-server-url": " http://.../auth ",
"ssl-required": "none",
"resource": "shift-ios",
"public-client": true
}
I can login in with a correct username and password setting the client id to
‘shift-ios’. However when I try to access a protected resource like this
GET /shift/feed HTTP/1.1
Host: www…..com
Connection: keep-alive
Accept: */*
User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
Accept-Language: en-us
Authorization: Bearer
eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
Accept-Encoding: gzip, deflate
where the Bearer header is the access token I get from logging in, then I get
a 403 unauthorised response.
From a 403 it should mean that the application has successfully authenticated
the user, but it doesn't have the correct roles.
Have you checked that the application you used to obtain the login has the
required scope, that the user has the required role mappings, and that your
bearer-only application is configured to use the correct roles (it can use
either the roles associated with the resource or the realm,
'use-resource-role-mappings' configures this and it defaults to false, which
mean it uses realm roles).
This used to work perfectly in beta 3, but I seem unable to make this work in
1.0(.1) final.
Could this be because I am using 1.0-core instead of 1.0.1-core
Please help, as this has stopped all work on the product, and I am completely
stuck. Whats the best way to go about debugging this?
Conrad
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4127
days inactive
4128
days old
8 comments
2 participants
participants (2)
-
Conrad Winchester -
Stian Thorgersen