[keycloak-user] Is it possible to use a non Keycloak client to call a Keycloak secured Rest services?

Christina Lau christinalau28 at icloud.com
Tue Jul 15 16:05:18 EDT 2014 

The code is the same as the AdminClient you pointed me to. However, I just try something based on what you said. In the admin-client oauth client, I went to Scope Mappings and added user role (which is the security role for the rest services). Now it works. Does this sound right to you? Seems magical...

On Jul 15, 2014, at 3:48 PM, Bill Burke <bburke at redhat.com> wrote:

> Please elaborate on your code to obtain a token.  Your client (not user) may not have the scope you need and the token may not be getting set with the desired role mappings.
> 
> On 7/15/2014 3:15 PM, Christina Lau wrote:
>> Hi Bill, further to last comment, i.e. although I can get the token,
>> when I use it to call the same Rest service, I am getting 403 instead.
>> 
>> I don’t know if this helps or not, but I have also noticed that the
>> console produced different output:
>> 
>> *Using non-keycloak client (Did not work - get 403)*
>> 
>> 15:05:28,228 INFO  [org.keycloak.services.resources.TokenService]
>> (default task-1) no authorization header
>> 15:05:28,345 INFO  [org.keycloak.audit] (default task-1) event=LOGIN,
>> realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=admin-client,
>> userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1,
>> username=roger at mailinator.com <mailto:username=roger at mailinator.com>,
>> response_type=token, auth_method=oauth_credentials,
>> refresh_token_id=3730424f-a718-4be8-a9fc-a090e5932564,
>> token_id=dd1bfeaa-54b1-4824-a6fe-d14eb1ae6f97
>> 15:05:28,547 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>> task-2) --> authenticate()
>> 15:05:28,548 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>> task-2) try bearer
>> 15:05:28,566 INFO
>>  [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default
>> task-2) checking whether to refresh.
>> 15:05:28,566 INFO
>>  [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default
>> task-2) use realm role mappings
>> 15:05:28,571 INFO
>>  [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default
>> task-2) propagate security context to wildfly
>> 15:05:28,571 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>> task-2) Bearer AUTHENTICATED
>> 
>> 
>> *Using keycloak app (similar to customer-cli sample) Work*
>> 
>> 15:06:30,254 INFO  [org.keycloak.services.resources.TokenService]
>> (default task-1) createLogin() now...
>> 15:06:39,965 INFO  [org.keycloak.audit] (default task-2) event=LOGIN,
>> realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak,
>> userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1,
>> username=roger at mailinator.com <mailto:username=roger at mailinator.com>,
>> response_type=code, redirect_uri=http://localhost:59999,
>> auth_method=form, code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946
>> 15:06:39,966 INFO
>>  [org.keycloak.services.managers.AuthenticationManager] (default
>> task-2) createLoginCookie
>> 15:06:39,966 INFO
>>  [org.keycloak.services.managers.AuthenticationManager] (default
>> task-2) createIdentityToken
>> 15:06:40,092 INFO  [org.keycloak.services.resources.TokenService]
>> (default task-3) no authorization header
>> 15:06:40,119 INFO  [org.keycloak.audit] (default task-3)
>> event=CODE_TO_TOKEN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7,
>> clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783,
>> ipAddress=127.0.0.1,
>> refresh_token_id=476b2f86-3df4-4cf6-8d51-55aa70264346,
>> code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946,
>> token_id=be0358ab-2c28-4bdc-a95c-681b63095217
>> 15:06:46,567 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>> task-4) --> authenticate()
>> 15:06:46,568 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>> task-4) try bearer
>> 15:06:46,584 INFO
>>  [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default
>> task-4) checking whether to refresh.
>> 15:06:46,584 INFO
>>  [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default
>> task-4) use realm role mappings
>> 15:06:46,589 INFO
>>  [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default
>> task-4) propagate security context to wildfly
>> 15:06:46,590 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>> task-4) Bearer AUTHENTICATED
>> 
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140715/2b3219ff/attachment.html

More information about the keycloak-user mailing list