[keycloak-user] [Authorization] Get user roles from token

Pavel Maslov pavel.masloff at gmail.com
Thu Dec 17 05:01:37 EST 2015


Hi Jonah,

> You don't get these errors if you remove the 2 code lines?

Exactly. However, once I include these 2 lines, I cannot deploy the war
file to the Wildfly server.

I have to point out that there are no errors during build/packaging.

Regards,
Pavel Maslov, MS

On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos at c6.eu> wrote:

> You don't get these error if you remove the 2 code lines?
> When deploying your apps, it is not enough to add the keycloak core
> dependency to access the keycloak principal; you also need to add all
> the dependencies the keycloak lib relies on.
>
> Basically on latest version of keycloak, I added almost everything that
> comes in the adapter zip to my project/api dependency for runtime.
> No idea how it was dealt with in previous version. Only dealt with
> keycloak 1.6 and 1.7.
>
> Since you had to provide some libs to your server (mine was tomcat 7) to
> deal with the keycloak implementation to secure my app, as soon as I needed
> to access the keycloak token from my app code, I was required to add the libs
> the adapter for tomcat 7 is providing.
>
> Regards,
>
> Johan Bos
>
> On 17/12/2015 10:39, Pavel Maslov wrote:
>
> Guys, I am repeating my question here. Any ideas on this?
>
>> I added the *org.keycloak.KeycloakPrincipal* definition in order to get
>> the token:
>>
>>
>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
>> srvl.getUserPrincipal();
>> String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>
>> but cannot deploy the project to the Wildfly server:
>>
>> 10:23:31,250 INFO  [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
>> service thread 1-2) Deploying javax.ws.rs.core.Application: class
>> si.liis.apitime.service.ApiTimeApplication
>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2)
>> MSC000001: Failed to start service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
>> org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>> to start service
>> at
>> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> [rt.jar:1.7.0_85]
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> [rt.jar:1.7.0_85]
>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
>> Caused by: java.lang.NoClassDefFoundError:
>> com/google/zxing/WriterException
>> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
>> [rt.jar:1.7.0_85]
>> at java.lang.Class.privateGetPublicMethods(Class.java:2743)
>> [rt.jar:1.7.0_85]
>> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>> at
>> org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>> at
>> org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>> at
>> org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
>> at
>> org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>> at
>> org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>> at
>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>> at
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>> at
>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>> at
>> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>> at
>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>> at
>> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>> at
>> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>> at
>> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>> at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>> at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>> at
>> org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>> at
>> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>> ... 3 more
>>
>> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
>> (management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed -
>> address: ([("deployment" => "apitime-rest.war")]) - failure description:
>> {"JBAS014671: Failed services" =>
>> {"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>> "org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>> to start service
>>     Caused by: java.lang.NoClassDefFoundError:
>> com/google/zxing/WriterException"}}
>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1)
>> JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back with
>> the following failure message:
>> {"JBAS014671: Failed services" =>
>> {"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>> "org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>> to start service
>>     Caused by: java.lang.NoClassDefFoundError:
>> com/google/zxing/WriterException"}}
>>
>>
>>
>> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>> Any solution?
>> Thanks.
>>
>>
> Regards,
> Pavel Maslov, MS
>
> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos at c6.eu> wrote:
>
>> You answered it. I was not familiar with the whole setting list. My
>> question was: does something in the UI make the setting change, or is it a
>> manual setup?
>> I think you are saying it is only manual, and that is fine.
>> It would probably be best for future versions to have all these extra adapter
>> settings available from the admin UI, so people have a switch/checkbox or input
>> form to make changes directly to the json,
>> moreover since you have a download installation button and a json setting
>> viewer.
>>
>> On Wednesday 16 December 2015, Johan Bos <johan.bos at c6.eu> wrote:
>>
>>> Oh, when you said:
>>>
>>> use-resource-role-mappings
>>>
>>> it is only available through the keycloak.json.
>>>
>>> Nothing in the Keycloak Admin UI allows you to set the option, so you have to have the installation file ready with everything?
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> On 16/12/2015 16:33, Johan Bos wrote:
>>>
>>> So it is one or the other.
>>> Is the switch at realm level or per client?
>>>
>>> As I tend to make realm roles for securing the clients only and
>>> client/resource roles for internal client management, I should be fine.
>>>
>>> Still, it would help to have some merging/mapping so that from the client we
>>> don't have to rely so much on the Keycloak implementation to test roles... The
>>> issue is that a realm role can have the same name as a client role. But then
>>> there is always some pitfall to avoid.
>>>
>>> Thanks
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> On 16/12/2015 15:45, Bill Burke wrote:
>>>
>>> See use-resource-role-mappings switch:
>>>
>>> If set to true, the getResourceAccess("resource-name") roles will be
>>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>>> isUserInRole
>>>
>>> Not the best I know.  We've been meaning to add some sort of role
>>> mapping facility to the adapter.
>>>
>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>
>>> Why is HttpRequest.isUserInRole(<role>) not capable of returning true when
>>> the role is present in AccessToken.getRealmAccess?
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> On 16/12/2015 15:09, Bill Burke wrote:
>>>
>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>
>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>
>>> It's not clear to me how you get the assigned roles from the AccessToken.
>>> For instance, if the realm has configured the user to have roles "user"
>>> and "editor", how do I find these in the AccessToken?
>>>
>>> Tim
>>>
>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>
>>> For Java HttpServletRequest.isUserInRole() works.  If you typecast the
>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>
>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>
>>> Hi everyone,
>>>
>>>
>>> Do Keycloak adapters support user authorization? I mean, of course they
>>> do :) For example, the API I have secured with Keycloak receives a
>>> Keycloak access token from the client. How can I validate the token
>>> (check user roles) in my code? I am interested in the Java (wildfly) and
>>> Javascript adapters.
>>>
>>> Manually I am using jwt.io <http://jwt.io> to check the token. I am just
>>> curious if the Keycloak adapters support something similar out of the box.
>>>
>>> Thank you for your answers.
>>>
>>>
>>> Regards,
>>> Pavel Maslov, MS
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
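Bill Burke's advice in the thread (cast the principal to KeycloakPrincipal, then read AccessToken.getRealmAccess() and AccessToken.getResourceAccess("resource-name")) and the later discussion of the use-resource-role-mappings switch, put together in one JAX-RS resource. This is an added example, not code from the thread or from the Keycloak project: the resource path, the client id "apitime-rest" and the role name "editor" are assumptions chosen for illustration. It uses only the Keycloak adapter API named in the thread (org.keycloak.KeycloakPrincipal, KeycloakSecurityContext, org.keycloak.representations.AccessToken).

```java
import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Example JAX-RS resource (not from the thread). The path, the client id and the
// role names are assumptions chosen for illustration.
@Path("/whoami")
public class WhoAmIResource {

    // Assumed: the client id under which this WAR is registered in the realm.
    private static final String CLIENT_ID = "apitime-rest";

    @GET
    @Produces("text/plain")
    public Response whoAmI(@Context HttpServletRequest request) {
        // By the time the request gets here the adapter has already verified the
        // bearer token (signature, expiry, issuer), so there is no need to re-parse
        // it by hand. An unauthenticated request simply has no Keycloak principal.
        Object principal = request.getUserPrincipal();
        if (!(principal instanceof KeycloakPrincipal)) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        @SuppressWarnings("unchecked")
        KeycloakPrincipal<KeycloakSecurityContext> kcPrincipal =
                (KeycloakPrincipal<KeycloakSecurityContext>) principal;
        AccessToken token = kcPrincipal.getKeycloakSecurityContext().getToken();

        // Authorization decision: name the role set explicitly instead of relying
        // on isUserInRole(), whose meaning depends on use-resource-role-mappings.
        if (!hasClientRole(token, CLIENT_ID, "editor")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }

        String body = "subject=" + token.getSubject()
                + "\nuser=" + token.getPreferredUsername()
                + "\nrealm roles=" + realmRoles(token)
                + "\nclient roles=" + clientRoles(token, CLIENT_ID)
                + "\ncontainer isUserInRole(editor)=" + request.isUserInRole("editor");
        return Response.ok(body).build();
    }

    /** Roles from the "realm_access" claim, or an empty set if the claim is absent. */
    static Set<String> realmRoles(AccessToken token) {
        return rolesOf(token.getRealmAccess());
    }

    /** Roles from "resource_access" -> clientId, or an empty set if absent. */
    static Set<String> clientRoles(AccessToken token, String clientId) {
        return rolesOf(token.getResourceAccess(clientId));
    }

    static boolean hasRealmRole(AccessToken token, String role) {
        return realmRoles(token).contains(role);
    }

    static boolean hasClientRole(AccessToken token, String clientId, String role) {
        return clientRoles(token, clientId).contains(role);
    }

    // Both the Access object and its role set can be null when the token carries
    // no roles of that kind; treat both as "no roles" rather than throwing.
    private static Set<String> rolesOf(AccessToken.Access access) {
        if (access == null || access.getRoles() == null) {
            return Collections.emptySet();
        }
        return Collections.unmodifiableSet(access.getRoles());
    }
}
```

The realm-versus-client ambiguity Johan raises (a realm role and a client role may share a name) is why the example checks realmRoles() and clientRoles() separately rather than going through the container's isUserInRole(): with "use-resource-role-mappings" left at its default in keycloak.json, isUserInRole() consults the realm roles; set to true, it consults the client's resource roles, and the same code then answers a different question. Pavel's NoClassDefFoundError is a separate matter: KeycloakPrincipal and AccessToken live in the adapter's libraries, and, as Johan notes, those (and what they depend on) must be on the deployment's runtime classpath or the WAR will fail at start-up exactly as in his log.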