[keycloak-user] Bearer Only Application access with token
Bill Burke
bburke at redhat.com
Wed Aug 6 10:06:25 EDT 2014
How do you obtain the token? Access tokens are created specifically for
the application/oauth client that intiated the token protocol. So the
access token will be stuffed with only the role mappings for that
application/oauth client. A bearer-only application doesn't need a
scope configured because it never initiates a login.
I changed things in beta 4 to hopefully mitigate the confusion around
"scope". Applications have a full scope enabled by default now.
On 8/6/2014 9:58 AM, Rodrigo Sasaki wrote:
> Is there any news on this? I tried it on beta-4 on wildfly and I still
> get the same response.
>
>
> On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki
> <rodrigopsasaki at gmail.com <mailto:rodrigopsasaki at gmail.com>> wrote:
>
> I made sure of all that, I just recreated everything using realm
> roles just for the sake of completeness, but I'm still getting a 403
>
>
> On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva)
> <vivsriva at cisco.com <mailto:vivsriva at cisco.com>> wrote:
>
> Make sure you have the following settings configured for your
> database service:
>
>
>
>
>
> In the web.xml, make sure you have the security setup with the
> appropriate user role:
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
> version="3.0">
>
> <module-name>database</module-name>
> <security-constraint>
> <web-resource-collection>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <!-- <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint> -->
> <auth-constraint>
> <role-name>user</role-name>
> </auth-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>KEYCLOAK</auth-method>
> <realm-name>demo</realm-name>
> </login-config>
>
> <security-role>
> <role-name>user</role-name>
> </security-role>
> </web-app>
>
>
>
> From: Rodrigo Sasaki <rodrigopsasaki at gmail.com
> <mailto:rodrigopsasaki at gmail.com>>
> Date: Tuesday, July 29, 2014 at 12:51 PM
> To: Bill Burke <bburke at redhat.com <mailto:bburke at redhat.com>>
> Cc: "keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>"
> <keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] Bearer Only Application access with
> token
>
> It is defined under the application itself, so I it's under the
> scope. This should be working right?
>
>
> On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
> What kind of role is it? Is the new role defined under the
> "database-service" application? If not, then you must add
> this role to
> the "database-service"'s scope in the admin console.
>
> On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
> > Hi,
> >
> > I'm trying to secure a bearer-only application with keycloak, to access
> > it with access tokens, but I think I'm missing something.
> >
> > I tried it with the database-service of the unconfigured demo.
> >
> > 1. I created the user role in the application.
> > 2. I assigned that role to my user
> > 3. I copied the contents of the installation json to
> > *webapp/META-INF/keycloak.json*
> >
> > {
> > "realm": "demo",
> > "realm-public-key":
> > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
> > "bearer-only": true,
> > "ssl-not-required": true,
> > "resource": "database-service",
> > "use-resource-role-mappings": true
> > }
> >
> > 4. Set the auth-method to *KEYCLOAK* on web.xml
> > 5. Started the server deploying the *database-service*
> > 6. Generated a token using *security-admin-console* client_id and my user
> > 7. Submitted a GET request to /localhost:8080/database/customers/
> >
> > After these steps I get a 403 error, saying that I'm not authorized to
> > access the resource, wasn't this supposed to work?
> >
> > --
> > Rodrigo Sasaki
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> >keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>
> >https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> --
> Rodrigo Sasaki
>
>
>
>
> --
> Rodrigo Sasaki
>
>
>
>
> --
> Rodrigo Sasaki
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-user
mailing list