[keycloak-user] 1.0.1 Problems & Questions
Conrad Winchester
conrad at mindless.com
Mon Sep 22 02:45:11 EDT 2014
Hi all,
I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some serious issues.
First a question: when will keycloak-core 1.0.1 be available from Maven Central? I am having to use 1.0-final in my war - is that compatible with the 1.0.1 keycloak war which is running on my server?
I upgraded by doing a complete wipe of the keycloak database, and reinstalling 1.0.1 over my WildFly configuration. I am able to use the keycloak admin screens flawlessly.
Now onto my problem.
In 1.0.3-beta I used to have an access type bearer-only application which used the rest api to register and login users to keycloak.
After upgrading I have found that even if I set the application to be bearer-only, keycloak still throws an invalid redirect uri error whenever I try to use the rest end points (surely this should not happen with a bearer-only application). In order to fix this I have moved the application over to access type confidential (it is sitting on the same server as keycloak) - are there any pointers to the correct config for this in 1.0.1? Basically my application is the backend to a mobile app that is using keycloak for access control - at the moment I am not allowed to use the keycloak login/register screens so must proxy it through the server. I am now able to register users using this configuration, but would prefer to go back to bearer-only.
I also have a Direct Grant Only client which I use for the mobile application itself. I am able to get an access token by using the TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to access a resource with that bearer token set in the header I am still getting an unauthorised response.
My application's keycloak.json looks like this:
{
  "realm": "shift",
  "realm-public-key": "**",
  "auth-server-url": "http://.../auth",
  "ssl-required": "none",
  "resource": "shift-server",
  "credentials": {
    "secret": "**"
  }
}
and my client JSON looks like this (although this is not put anywhere in my application war)
{
  "realm": "shift",
  "realm-public-key": "***",
  "auth-server-url": "http://.../auth",
  "ssl-required": "none",
  "resource": "shift-ios",
  "public-client": true
}
I can log in with a correct username and password setting the client id to ‘shift-ios’. However when I try to access a protected resource like this:
GET /shift/feed HTTP/1.1
Host: www…..com
Connection: keep-alive
Accept: */*
User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
Accept-Language: en-us
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJuYW………...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
Accept-Encoding: gzip, deflate
where the Bearer header is the access token I get from logging in, then I get a 403 unauthorised response.
This used to work perfectly in beta 3, but I seem unable to make this work in 1.0(.1) final.
Could this be because I am using 1.0-core instead of 1.0.1-core?
Please help, as this has stopped all work on the product, and I am completely stuck. What's the best way to go about debugging this?
Conrad
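
One way to start debugging a rejected bearer token like the one in the request above is to decode its header and payload locally and compare them with the adapter's keycloak.json. This is an added example, not part of the original post and not Keycloak code; the function names, the sample token, and the claim names realm_access and resource_access are assumptions, and the signature is deliberately not verified.

```python
import base64
import json
import time

def b64url_decode(segment):
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj):
    # Helper used only to build the constructed sample token below.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_token(token, adapter_cfg, now=None):
    """Compare an UNVERIFIED bearer token with the adapter's keycloak.json.

    Returns a list of findings (empty if nothing stands out). Debugging aid only.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS: expected 3 dot-separated segments"]
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    findings = []
    if header.get("alg") != "RS256":  # the token in the post has alg RS256
        findings.append("unexpected alg %r" % header.get("alg"))
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        findings.append("token expired %d s ago" % (now - exp))
    # Assumed claim layout: realm_access.roles, resource_access.<client>.roles
    resource = adapter_cfg["resource"]
    realm_roles = (claims.get("realm_access") or {}).get("roles", [])
    client = (claims.get("resource_access") or {}).get(resource) or {}
    if not realm_roles and not client.get("roles"):
        findings.append("no realm roles and no roles for resource %r" % resource)
    return findings

# Constructed sample data (not from the post): adapter config and unsigned token.
ADAPTER_CFG = {"realm": "shift", "resource": "shift-server"}
SAMPLE_CLAIMS = {"exp": 2000000000, "realm_access": {"roles": ["user"]},
                 "resource_access": {"shift-ios": {"roles": []}}}
SAMPLE_TOKEN = ".".join(
    [b64url_encode({"alg": "RS256"}), b64url_encode(SAMPLE_CLAIMS), "c2ln"])

if __name__ == "__main__":
    for line in inspect_token(SAMPLE_TOKEN, ADAPTER_CFG) or ["no findings"]:
        print(line)
```

Paste a real token only on a machine you trust, since an access token is a live credential until it expires.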