Hi,
I'm using Keycloak 3.4.0.Final and Wildfly 10.1.0 with the right adapter. I
have the following realm:
{
  "id": "fd12b07c-8fdf-4e94-9688-cf80387a06c2",
  "realm": "demo-realm",
  "enabled": true,
  "sslRequired": "external",
  ...
  "roles": {
    "realm": [
      ...
      {
        "id": "c67ee573-05fa-4253-a1e0-5c09b3e9e162",
        "name": "customer-manager-role",
        "scopeParamRequired": false,
        "composite": false,
        "clientRole": false,
        "containerId": "fd12b07c-8fdf-4e94-9688-cf80387a06c2"
      },
      ...
    ],
    "client": {
      "curl": [],
      ...
    }
  },
  "groups": [],
  "defaultRoles": [
    "offline_access",
    "uma_authorization"
  ],
  "requiredCredentials": [
    "password"
  ],
  ...
  "clients": [
    {
      "id": "9d43b813-3232-49c3-ba5d-f097e6a56618",
      "clientId": "curl",
      "surrogateAuthRequired": false,
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
        "http://localhost"
      ],
      "webOrigins": [
        "http://localhost"
      ],
      "notBefore": 0,
      "bearerOnly": false,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": false,
      "publicClient": true,
      "frontchannelLogout": false,
      "attributes": {},
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": -1,
      "protocolMappers": [
        ...
      ],
      ...
    },
    {
      "id": "fa8edc2a-51c1-4b04-8939-8a0838d21130",
      "clientId": "customer-manager-client",
      "surrogateAuthRequired": false,
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
        "http://localhost:8080/customer-management/*"
      ],
      "webOrigins": [
        "http://localhost:8080"
      ],
      "notBefore": 0,
      "bearerOnly": true,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "publicClient": false,
      "frontchannelLogout": false,
      "attributes": {},
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": -1,
      "protocolMappers": [
        ...
      ],
      ...
    },
    ...
  ]
}
This file has been obtained by the export function in the console. Strangely
enough, the users aren't exported and there is no "Export users" button as
there is for "Export groups and roles" and "Export clients".
On the Wildfly side, I have a war containing a couple of JAX-RS services,
whose web.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
  <module-name>customer-management-rest</module-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customers</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer-manager-role</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo-realm</realm-name>
  </login-config>
  <security-role>
    <role-name>customer-manager-role</role-name>
  </security-role>
</web-app>
The idea is that the services should be accessed via the customer-manager-role,
which is assigned to the user customer-manager-user. After deployment,
using the following curl request:
curl http://customer-manager-user:toto@localhost:8080/customer-management/services/customers
replies:
<html><head><title>Error</title></head><body>Forbidden</body></html>
In the previous curl request, customer-manager-user is the user name created
on the demo-realm realm. In its Role Mappings list I have
"customer-manager-role", which is a role created on the same realm. And
"toto" here is the password assigned to the user customer-manager-user. So I
would expect that the basic authentication works, but obviously it doesn't.
The same happens if I'm trying bearerOnly by including the token obtained
via the curl client. What could be wrong here? Could that have anything
to do with the fact that there is no trace of my customer-manager-user
in the realm?
Many thanks in advance.
Kind regards,
Nicolas
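Added example (editor's code, not part of Nicolas's post or of Keycloak's own tooling): a small Python debugging helper for the setup described above. It shows the two-step flow that a bearer-only client is designed for, namely obtaining an access token from the realm through the public "curl" client (which has directAccessGrantsEnabled, i.e. the password grant) and then sending that token as an Authorization: Bearer header to the JAX-RS service, and it decodes the token locally so you can check whether realm_access.roles actually carries customer-manager-role, which is what the web.xml auth-constraint requires. The Keycloak base URL (port 8180, /auth context) is an assumption; the realm, client ids, user, password and service path are taken from the post. The local decode does not verify the signature; it is for inspecting a token you just received, the adapter on the server still verifies it. Note that the Keycloak adapter accepts HTTP Basic credentials only when enable-basic-auth is switched on in its configuration; by default a bearer-only client expects a Bearer token.

```python
"""Debug helper for a Keycloak bearer-only JAX-RS service (added example)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed deployment values. KEYCLOAK_BASE is an assumption (Keycloak 3.x on a
# port-offset Wildfly); realm, client ids, user and service path are from the post.
KEYCLOAK_BASE = "http://localhost:8180/auth"
REALM = "demo-realm"
PUBLIC_CLIENT = "curl"            # publicClient + directAccessGrantsEnabled
SERVICE_URL = "http://localhost:8080/customer-management/services/customers"
REQUIRED_ROLE = "customer-manager-role"


def token_endpoint(base_url: str, realm: str) -> str:
    """OpenID Connect token endpoint of a realm (standard Keycloak path)."""
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def password_grant_form(client_id: str, username: str, password: str) -> dict:
    """Form fields of the Resource Owner Password Credentials grant, which is
    what 'directAccessGrantsEnabled' turns on for a client."""
    return {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}


def fetch_access_token(username: str, password: str) -> str:
    """Step 1: exchange user credentials for an access token via the public client.
    Performs a real HTTP request, so it is not exercised offline."""
    body = urllib.parse.urlencode(
        password_grant_form(PUBLIC_CLIENT, username, password)).encode()
    req = urllib.request.Request(token_endpoint(KEYCLOAK_BASE, REALM),
                                 data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding first."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWS *without* checking its signature.
    Local inspection only; the server-side adapter does the real verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def realm_roles(claims: dict) -> list:
    """Realm-level roles as the Keycloak adapter sees them (realm_access.roles)."""
    return list(claims.get("realm_access", {}).get("roles", []))


def has_realm_role(claims: dict, role: str) -> bool:
    """Mirror of the web.xml <auth-constraint>: is the required role in the token?"""
    return role in realm_roles(claims)


def call_service(token: str) -> int:
    """Step 2: call the bearer-only service with the token in the Authorization
    header. Returns the HTTP status code (403 means the adapter accepted the
    token but the role check failed). Performs a real request."""
    req = urllib.request.Request(SERVICE_URL,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT so the inspection helpers can be exercised
    offline. A real adapter rejects alg 'none'; this is test scaffolding only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    token = fetch_access_token("customer-manager-user", "toto")
    claims = decode_jwt_claims(token)
    print("realm roles in token:", realm_roles(claims))
    print("has required role:", has_realm_role(claims, REQUIRED_ROLE))
    print("service status:", call_service(token))
```

If the printed role list lacks customer-manager-role, the problem is on the Keycloak side (user, role mapping or the client's scope); if the role is present and the service still answers 403, look at the adapter configuration of the war rather than at the realm.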