[keycloak-user] Bearer Only Application access with token

Rodrigo Sasaki rodrigopsasaki at gmail.com
Tue Jul 29 16:56:41 EDT 2014 

I made sure of all that, I just recreated everything using realm roles just
for the sake of completeness, but I'm still getting a 403


On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva) <
vivsriva at cisco.com> wrote:

>  Make sure you have the following settings configured for your database
> service:
>
>
>
>
>
>  In the web.xml, make sure you have the security setup with the
> appropriate user role:
>  <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>       version="3.0">
>
>  <module-name>database</module-name>
>      <security-constraint>
>         <web-resource-collection>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
> <!--        <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>  -->
>         <auth-constraint>
>             <role-name>user</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>      <login-config>
>         <auth-method>KEYCLOAK</auth-method>
>         <realm-name>demo</realm-name>
>     </login-config>
>
>      <security-role>
>         <role-name>user</role-name>
>     </security-role>
> </web-app>
>
>
>
>   From: Rodrigo Sasaki <rodrigopsasaki at gmail.com>
> Date: Tuesday, July 29, 2014 at 12:51 PM
> To: Bill Burke <bburke at redhat.com>
> Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Bearer Only Application access with token
>
>   It is defined under the application itself, so I it's under the scope.
> This should be working right?
>
>
> On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke at redhat.com> wrote:
>
>> What kind of role is it?  Is the new role defined under the
>> "database-service" application?  If not, then you must add this role to
>> the "database-service"'s scope in the admin console.
>>
>> On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
>> > Hi,
>> >
>> > I'm trying to secure a bearer-only application with keycloak, to access
>> > it with access tokens, but I think I'm missing something.
>> >
>> > I tried it with the database-service of the unconfigured demo.
>> >
>> > 1. I created the user role in the application.
>> > 2. I assigned that role to my user
>> > 3. I copied the contents of the installation json to
>>  > *webapp/META-INF/keycloak.json*
>> >
>> > {
>> >      "realm": "demo",
>> >      "realm-public-key":
>> >
>> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
>> >      "bearer-only": true,
>> >      "ssl-not-required": true,
>> >      "resource": "database-service",
>> >      "use-resource-role-mappings": true
>> > }
>> >
>>  > 4. Set the auth-method to *KEYCLOAK* on web.xml
>> > 5. Started the server deploying the *database-service*
>> > 6. Generated a token using *security-admin-console* client_id and my
>> user
>> > 7. Submitted a GET request to /localhost:8080/database/customers/
>> >
>> > After these steps I get a 403 error, saying that I'm not authorized to
>> > access the resource, wasn't this supposed to work?
>> >
>> > --
>> > Rodrigo Sasaki
>> >
>> >
>>  > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
>  --
> Rodrigo Sasaki
>



-- 
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140729/29319bc4/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: F53847FE-4703-4AB3-9C06-790DC32B5A75.png
Type: image/png
Size: 15533 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20140729/29319bc4/attachment-0002.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 7FB161C8-9169-498E-BE38-35D4735A9146.png
Type: image/png
Size: 26058 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20140729/29319bc4/attachment-0003.png

More information about the keycloak-user mailing list