9:51 a.m.
Hi,
I'm trying to secure a bearer-only application with keycloak, to access it
with access tokens, but I think I'm missing something.
I tried it with the database-service of the unconfigured demo.
1. I created the user role in the application.
2. I assigned that role to my user
3. I copied the contents of the installation json to
*webapp/META-INF/keycloak.json*
{
"realm": "demo",
"realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
"bearer-only": true,
"ssl-not-required": true,
"resource": "database-service",
"use-resource-role-mappings": true
}
4. Set the auth-method to *KEYCLOAK* on web.xml
5. Started the server deploying the *database-service*
6. Generated a token using *security-admin-console* client_id and my user
7. Submitted a GET request to *localhost:8080/database/customers*
After these steps I get a 403 error, saying that I'm not authorized to
access the resource, wasn't this supposed to work?
--
Rodrigo Sasaki
9:59 a.m.
What kind of role is it? Is the new role defined under the
"database-service" application? If not, then you must add this role to
the "database-service"'s scope in the admin console.
On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
Hi,
I'm trying to secure a bearer-only application with keycloak, to access
it with access tokens, but I think I'm missing something.
I tried it with the database-service of the unconfigured demo.
1. I created the user role in the application.
2. I assigned that role to my user
3. I copied the contents of the installation json to
*webapp/META-INF/keycloak.json*
{
"realm": "demo",
"realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
"bearer-only": true,
"ssl-not-required": true,
"resource": "database-service",
"use-resource-role-mappings": true
}
4. Set the auth-method to *KEYCLOAK* on web.xml
5. Started the server deploying the *database-service*
6. Generated a token using *security-admin-console* client_id and my user
7. Submitted a GET request to /localhost:8080/database/customers/
After these steps I get a 403 error, saying that I'm not authorized to
access the resource, wasn't this supposed to work?
--
Rodrigo Sasaki
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:51 a.m.
It is defined under the application itself, so I it's under the scope. This
should be working right?
On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke(a)redhat.com> wrote:
What kind of role is it? Is the new role defined under the
"database-service" application? If not, then you must add this role to
the "database-service"'s scope in the admin console.
On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
> Hi,
>
> I'm trying to secure a bearer-only application with keycloak, to access
> it with access tokens, but I think I'm missing something.
>
> I tried it with the database-service of the unconfigured demo.
>
> 1. I created the user role in the application.
> 2. I assigned that role to my user
> 3. I copied the contents of the installation json to
> *webapp/META-INF/keycloak.json*
>
> {
> "realm": "demo",
> "realm-public-key":
>
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
> "bearer-only": true,
> "ssl-not-required": true,
> "resource": "database-service",
> "use-resource-role-mappings": true
> }
>
> 4. Set the auth-method to *KEYCLOAK* on web.xml
> 5. Started the server deploying the *database-service*
> 6. Generated a token using *security-admin-console* client_id and my user
> 7. Submitted a GET request to /localhost:8080/database/customers/
>
> After these steps I get a 403 error, saying that I'm not authorized to
> access the resource, wasn't this supposed to work?
>
> --
> Rodrigo Sasaki
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Rodrigo Sasaki
2:09 p.m.
Make sure you have the following settings configured for your database service:
[cid:7FB161C8-9169-498E-BE38-35D4735A9146]
[cid:F53847FE-4703-4AB3-9C06-790DC32B5A75]
In the web.xml, make sure you have the security setup with the appropriate user role:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>database</module-name>
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- <user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> -->
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>demo</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
From: Rodrigo Sasaki
<rodrigopsasaki@gmail.com<mailto:rodrigopsasaki@gmail.com>>
Date: Tuesday, July 29, 2014 at 12:51 PM
To: Bill Burke <bburke@redhat.com<mailto:bburke@redhat.com>>
Cc: "keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>"
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] Bearer Only Application access with token
It is defined under the application itself, so I it's under the scope. This should be
working right?
On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke
<bburke@redhat.com<mailto:bburke@redhat.com>> wrote:
What kind of role is it? Is the new role defined under the
"database-service" application? If not, then you must add this role to
the "database-service"'s scope in the admin console.
On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
Hi,
I'm trying to secure a bearer-only application with keycloak, to access
it with access tokens, but I think I'm missing something.
I tried it with the database-service of the unconfigured demo.
1. I created the user role in the application.
2. I assigned that role to my user
3. I copied the contents of the installation json to
*webapp/META-INF/keycloak.json*
{
"realm": "demo",
"realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
"bearer-only": true,
"ssl-not-required": true,
"resource": "database-service",
"use-resource-role-mappings": true
}
4. Set the auth-method to *KEYCLOAK* on web.xml
5. Started the server deploying the *database-service*
6. Generated a token using *security-admin-console* client_id and my user
7. Submitted a GET request to /localhost:8080/database/customers/
After these steps I get a 403 error, saying that I'm not authorized to
access the resource, wasn't this supposed to work?
--
Rodrigo Sasaki
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Rodrigo Sasaki
3:56 p.m.
I made sure of all that, I just recreated everything using realm roles just
for the sake of completeness, but I'm still getting a 403
On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva) <
vivsriva(a)cisco.com> wrote:
Make sure you have the following settings configured for your
database
service:
In the web.xml, make sure you have the security setup with the
appropriate user role:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>database</module-name>
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- <user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> -->
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>demo</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
From: Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
Date: Tuesday, July 29, 2014 at 12:51 PM
To: Bill Burke <bburke(a)redhat.com>
Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Bearer Only Application access with token
It is defined under the application itself, so I it's under the scope.
This should be working right?
On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke(a)redhat.com> wrote:
> What kind of role is it? Is the new role defined under the
> "database-service" application? If not, then you must add this role to
> the "database-service"'s scope in the admin console.
>
> On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
> > Hi,
> >
> > I'm trying to secure a bearer-only application with keycloak, to access
> > it with access tokens, but I think I'm missing something.
> >
> > I tried it with the database-service of the unconfigured demo.
> >
> > 1. I created the user role in the application.
> > 2. I assigned that role to my user
> > 3. I copied the contents of the installation json to
> > *webapp/META-INF/keycloak.json*
> >
> > {
> > "realm": "demo",
> > "realm-public-key":
> >
>
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
> > "bearer-only": true,
> > "ssl-not-required": true,
> > "resource": "database-service",
> > "use-resource-role-mappings": true
> > }
> >
> > 4. Set the auth-method to *KEYCLOAK* on web.xml
> > 5. Started the server deploying the *database-service*
> > 6. Generated a token using *security-admin-console* client_id and my
> user
> > 7. Submitted a GET request to /localhost:8080/database/customers/
> >
> > After these steps I get a 403 error, saying that I'm not authorized to
> > access the resource, wasn't this supposed to work?
> >
> > --
> > Rodrigo Sasaki
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Rodrigo Sasaki
--
Rodrigo Sasaki
8:58 a.m.
Is there any news on this? I tried it on beta-4 on wildfly and I still get
the same response.
On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
wrote:
I made sure of all that, I just recreated everything using realm
roles
just for the sake of completeness, but I'm still getting a 403
On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva) <
vivsriva(a)cisco.com> wrote:
> Make sure you have the following settings configured for your database
> service:
>
>
>
>
>
> In the web.xml, make sure you have the security setup with the
> appropriate user role:
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
> version="3.0">
>
> <module-name>database</module-name>
> <security-constraint>
> <web-resource-collection>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <!-- <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint> -->
> <auth-constraint>
> <role-name>user</role-name>
> </auth-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>KEYCLOAK</auth-method>
> <realm-name>demo</realm-name>
> </login-config>
>
> <security-role>
> <role-name>user</role-name>
> </security-role>
> </web-app>
>
>
>
> From: Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
> Date: Tuesday, July 29, 2014 at 12:51 PM
> To: Bill Burke <bburke(a)redhat.com>
> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Subject: Re: [keycloak-user] Bearer Only Application access with token
>
> It is defined under the application itself, so I it's under the scope.
> This should be working right?
>
>
> On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke(a)redhat.com> wrote:
>
>> What kind of role is it? Is the new role defined under the
>> "database-service" application? If not, then you must add this role
to
>> the "database-service"'s scope in the admin console.
>>
>> On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
>> > Hi,
>> >
>> > I'm trying to secure a bearer-only application with keycloak, to access
>> > it with access tokens, but I think I'm missing something.
>> >
>> > I tried it with the database-service of the unconfigured demo.
>> >
>> > 1. I created the user role in the application.
>> > 2. I assigned that role to my user
>> > 3. I copied the contents of the installation json to
>> > *webapp/META-INF/keycloak.json*
>> >
>> > {
>> > "realm": "demo",
>> > "realm-public-key":
>> >
>>
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
>> > "bearer-only": true,
>> > "ssl-not-required": true,
>> > "resource": "database-service",
>> > "use-resource-role-mappings": true
>> > }
>> >
>> > 4. Set the auth-method to *KEYCLOAK* on web.xml
>> > 5. Started the server deploying the *database-service*
>> > 6. Generated a token using *security-admin-console* client_id and my
>> user
>> > 7. Submitted a GET request to /localhost:8080/database/customers/
>> >
>> > After these steps I get a 403 error, saying that I'm not authorized to
>> > access the resource, wasn't this supposed to work?
>> >
>> > --
>> > Rodrigo Sasaki
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> --
> Rodrigo Sasaki
>
--
Rodrigo Sasaki
--
Rodrigo Sasaki
9:06 a.m.
How do you obtain the token? Access tokens are created specifically for
the application/oauth client that intiated the token protocol. So the
access token will be stuffed with only the role mappings for that
application/oauth client. A bearer-only application doesn't need a
scope configured because it never initiates a login.
I changed things in beta 4 to hopefully mitigate the confusion around
"scope". Applications have a full scope enabled by default now.
On 8/6/2014 9:58 AM, Rodrigo Sasaki wrote:
Is there any news on this? I tried it on beta-4 on wildfly and I
still
get the same response.
On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki
<rodrigopsasaki(a)gmail.com <mailto:rodrigopsasaki@gmail.com>> wrote:
I made sure of all that, I just recreated everything using realm
roles just for the sake of completeness, but I'm still getting a 403
On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva)
<vivsriva(a)cisco.com <mailto:vivsriva@cisco.com>> wrote:
Make sure you have the following settings configured for your
database service:
In the web.xml, make sure you have the security setup with the
appropriate user role:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>database</module-name>
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- <user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> -->
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>demo</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
From: Rodrigo Sasaki <rodrigopsasaki(a)gmail.com
<mailto:rodrigopsasaki@gmail.com>>
Date: Tuesday, July 29, 2014 at 12:51 PM
To: Bill Burke <bburke(a)redhat.com <mailto:bburke@redhat.com>>
Cc: "keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>"
<keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] Bearer Only Application access with
token
It is defined under the application itself, so I it's under the
scope. This should be working right?
On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
What kind of role is it? Is the new role defined under the
"database-service" application? If not, then you must add
this role to
the "database-service"'s scope in the admin console.
On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
> Hi,
>
> I'm trying to secure a bearer-only application with keycloak, to
access
> it with access tokens, but I think I'm missing something.
>
> I tried it with the database-service of the unconfigured demo.
>
> 1. I created the user role in the application.
> 2. I assigned that role to my user
> 3. I copied the contents of the installation json to
> *webapp/META-INF/keycloak.json*
>
> {
> "realm": "demo",
> "realm-public-key":
>
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
> "bearer-only": true,
> "ssl-not-required": true,
> "resource": "database-service",
> "use-resource-role-mappings": true
> }
>
> 4. Set the auth-method to *KEYCLOAK* on web.xml
> 5. Started the server deploying the *database-service*
> 6. Generated a token using *security-admin-console* client_id and my
user
> 7. Submitted a GET request to /localhost:8080/database/customers/
>
> After these steps I get a 403 error, saying that I'm not authorized
to
> access the resource, wasn't this supposed to work?
>
> --
> Rodrigo Sasaki
>
>
> _______________________________________________
> keycloak-user mailing list
>keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Rodrigo Sasaki
--
Rodrigo Sasaki
--
Rodrigo Sasaki
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3781
days inactive
3789
days old
6 comments
3 participants
participants (3)
-
Bill Burke -
Rodrigo Sasaki -
Vivek Srivastav (vivsriva)