[keycloak-user] [Authorization] Get user roles from token

Johan Bos johan.bos at c6.eu
Thu Dec 17 05:41:54 EST 2015


I had the same issue when deploying in eclipse IDE my webapp.
Even if my runtime env. Tomcat 7 had the adapters for keycloak well 
installed into the lib folder, It was detecting it.
But as soon as I needed to make reference to keycloak principal in my 
project and wanted to debug it (inspect what the info in token I could 
used), I got runtime invocation exception.
I solved it by editing the runtime tomcat classpath from eclipse and add 
the needed adapter jars, but not all.
Like you said, some are used by the app server during init that should 
not be part of the runtime dep. otherwise you can also get 
NoClassDefFound on something you don't need.

Regards,

Johan Bos

Le 17/12/2015 11:33, Stian Thorgersen a écrit :
> From the stack trace you added earlier it looks like you've added some 
> dependencies to your WAR you shouldn't add.
>
> On 17 December 2015 at 11:33, Stian Thorgersen <sthorger at redhat.com 
> <mailto:sthorger at redhat.com>> wrote:
>
>     If you are using WildFly you should install the client adapter
>     subsystem (see the docs for instructions). That way you don't have
>     to add any dependencies into your WAR.
>
>     On 17 December 2015 at 11:01, Pavel Maslov
>     <pavel.masloff at gmail.com <mailto:pavel.masloff at gmail.com>> wrote:
>
>         Hi Jonah,
>
>             You don't get these error if you remove the 2 code lines?
>
>         Exactly. However, once I include these 2 lines, I cannot
>         deploy the war file to the Wildfly server.
>
>         I have to point out that there are no errors during
>         build/packaging.
>
>         Regards,
>         Pavel Maslov, MS
>
>         On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos at c6.eu
>         <mailto:johan.bos at c6.eu>> wrote:
>
>             You don't get these error if you remove the 2 code lines?
>             When deploying your apps, it is not enough to add the
>             keycloak core dependency to access the keycloak principal,
>             you also need to add all possible dependency the keycloak
>             lib is relying onto.
>
>             Basically on latest version of keycloak, I added almost
>             everything that comes in the adapter zip to my project/api
>             dependency for runtime.
>             No idea how it was dealt with in previous version. Only
>             dealt with keycloak 1.6 and 1.7.
>
>             Since you had to provide some lib to your server (mine was
>             tomcat 7) to dealt with the keycloak implantation to
>             secure my app, as soon as I needed to acces keycloak token
>             from my app code, I was required to add the libs the
>             adapter for tomcat 7 is providing.
>
>             Regards,
>
>             Johan Bos
>
>             Le 17/12/2015 10:39, Pavel Maslov a écrit :
>>             Guys, I am repeating my question here. Any ideas on this?
>>
>>                 I added the
>>                 *org.keycloak.KeycloakPrincipal* definition in order
>>                 to get the token:
>>
>>
>>                 KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
>>                 srvl.getUserPrincipal();
>>                 String token =
>>                 kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>
>>                 but cannot deploy the project to the Wildfly server:
>>
>>                 10:23:31,250 INFO
>>                  [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
>>                 service thread 1-2) Deploying
>>                 javax.ws.rs.core.Application: class
>>                 si.liis.apitime.service.ApiTimeApplication
>>                 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC
>>                 service thread 1-2) MSC000001: Failed to start
>>                 service
>>                 jboss.undertow.deployment.default-server.default-host./apitime-rest:
>>                 org.jboss.msc.service.StartException in service
>>                 jboss.undertow.deployment.default-server.default-host./apitime-rest:
>>                 Failed to start service
>>                 at
>>                 org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
>>                 [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>                 at
>>                 java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>                 [rt.jar:1.7.0_85]
>>                 at
>>                 java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>                 [rt.jar:1.7.0_85]
>>                 at java.lang.Thread.run(Thread.java:745)
>>                 [rt.jar:1.7.0_85]
>>                 Caused by: java.lang.NoClassDefFoundError:
>>                 com/google/zxing/WriterException
>>                 at java.lang.Class.getDeclaredMethods0(Native Method)
>>                 [rt.jar:1.7.0_85]
>>                 at
>>                 java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
>>                 [rt.jar:1.7.0_85]
>>                 at
>>                 java.lang.Class.privateGetPublicMethods(Class.java:2743)
>>                 [rt.jar:1.7.0_85]
>>                 at java.lang.Class.getMethods(Class.java:1480)
>>                 [rt.jar:1.7.0_85]
>>                 at
>>                 org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>>                 at
>>                 org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>>                 at
>>                 org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
>>                 at
>>                 org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>>                 at
>>                 org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>>                 at
>>                 org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>>                 at
>>                 org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>                 at
>>                 org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>                 at
>>                 io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>                 at
>>                 org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>>                 at
>>                 io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>                 at
>>                 io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>>                 at
>>                 io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>>                 at
>>                 io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>>                 at
>>                 org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>>                 at
>>                 org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>>                 at
>>                 org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>>                 [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>                 at
>>                 org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>>                 [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>                 ... 3 more
>>
>>                 10:23:31,285 ERROR
>>                 [org.jboss.as.controller.management-operation]
>>                 (management-handler-thread - 1) JBAS014613: Operation
>>                 ("redeploy") failed - address: ([("deployment" =>
>>                 "apitime-rest.war")]) - failure description:
>>                 {"JBAS014671: Failed services" =>
>>                 {"jboss.undertow.deployment.default-server.default-host./apitime-rest"
>>                 => "org.jboss.msc.service.StartException in service
>>                 jboss.undertow.deployment.default-server.default-host./apitime-rest:
>>                 Failed to start service
>>                     Caused by: java.lang.NoClassDefFoundError:
>>                 com/google/zxing/WriterException"}}
>>                 10:23:31,285 ERROR [org.jboss.as.server]
>>                 (management-handler-thread - 1) JBAS015860: Redeploy
>>                 of deployment "apitime-rest.war" was rolled back with
>>                 the following failure message:
>>                 {"JBAS014671: Failed services" =>
>>                 {"jboss.undertow.deployment.default-server.default-host./apitime-rest"
>>                 => "org.jboss.msc.service.StartException in service
>>                 jboss.undertow.deployment.default-server.default-host./apitime-rest:
>>                 Failed to start service
>>                     Caused by: java.lang.NoClassDefFoundError:
>>                 com/google/zxing/WriterException"}}
>>
>>
>>                 I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>>                 Any solution?
>>                 Thanks.
>>
>>
>>             Regards,
>>             Pavel Maslov, MS
>>
>>             On Wed, Dec 16, 2015 at 10:51 PM, Johan B.
>>             <johan.bos at c6.eu <mailto:johan.bos at c6.eu>> wrote:
>>
>>                 You answered it. I was not familiar with the whole
>>                 setting list. My question was: does something in the
>>                 ui make the setting change or is it a manual setup?
>>                 I think you are saying it is only manual and it is fine.
>>                 It would probably best for future version to have all
>>                 these extra adapter setting avail. From admin UI so
>>                 people has the switch/checkbox or input form to make
>>                 direct application change to the json
>>                 Moreover since you have a download installation
>>                 button and a json setting viewer
>>
>>                 Le mercredi 16 décembre 2015, Johan Bos
>>                 <johan.bos at c6.eu <mailto:johan.bos at c6.eu>> a écrit :
>>
>>                     oh when you said:
>>
>>                     use-resource-role-mappings
>>
>>                     it is only available through the keycloak.json
>>
>>                     Nothing from Keycloak Admin UI allows you to set the options, so have the installation file ready with everything ?
>>
>>                     Regards,
>>
>>                     Johan Bos
>>
>>                     Le 16/12/2015 16:33, Johan Bos a écrit :
>>>                     So it is one or the other.
>>>                     The switch is at realm level or per clients?
>>>
>>>                     As I tend to make realm role for securing the
>>>                     clients only and client/resource roles for
>>>                     internal client management, I should be fine
>>>
>>>                     Still It would help to have some merging/mapping
>>>                     so from client we don't have to so much rely on
>>>                     KeyCloak implementation to test roles... Issue
>>>                     is that realm role can have same name as client
>>>                     role. But once there is always some pitfall to
>>>                     avoid.
>>>
>>>                     Thanks
>>>
>>>                     Regards,
>>>
>>>                     Johan Bos
>>>
>>>                     Le 16/12/2015 15:45, Bill Burke a écrit :
>>>>                     See use-resource-role-mappings switch:
>>>>
>>>>                     If set to true, the
>>>>                     getResourceAccess("resource-name") roles will be
>>>>                     mapped into isUserInRole, otherwise
>>>>                     getRealmAccess is mapped into
>>>>                     isUserInRole
>>>>
>>>>                     Not the best I know.  We've been meaning to add
>>>>                     some sort of role
>>>>                     mapping facility to the adapter.
>>>>
>>>>                     On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>>>                     Why is HttpRequest.isUserInRole(<role>) not
>>>>>                     capable to return true when
>>>>>                     the role is present in the
>>>>>                     AccessToken.getRealmAccess?
>>>>>
>>>>>                     Regards,
>>>>>
>>>>>                     Johan Bos
>>>>>
>>>>>                     Le 16/12/2015 15:09, Bill Burke a écrit :
>>>>>>                     AccessToken.getResourceAccess or
>>>>>>                     AccessToken.getRealmAccess
>>>>>>
>>>>>>                     On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>>>>                     Its not clear to me how you get the assigned
>>>>>>>                     roles from the AccessToken.
>>>>>>>                     For instance, is the realm has configured
>>>>>>>                     the user to have roles "user"
>>>>>>>                     and "editor" how do I find these in the
>>>>>>>                     AccessToken?
>>>>>>>
>>>>>>>                     Tim
>>>>>>>
>>>>>>>                     On 07/12/2015 02:53, Bill Burke wrote:
>>>>>>>>                     For Java HttpServletRequest.isUserInRole()
>>>>>>>>                     works.  If you typecast the
>>>>>>>>                     principal to KeycloakPrincipal you can
>>>>>>>>                     obtain the AccessToken.
>>>>>>>>
>>>>>>>>                     On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>>>>>                     Hi everyone,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                     Do Keycloak adapters support user
>>>>>>>>>                     authorization? I mean, of course
>>>>>>>>>                     they
>>>>>>>>>                     do :) For example, the API I have secured
>>>>>>>>>                     with Keycloak receives a
>>>>>>>>>                     Keycloak access token from the client. How
>>>>>>>>>                     can I validate the token
>>>>>>>>>                     (check user roles) in my code? I am
>>>>>>>>>                     interested in the Java
>>>>>>>>>                     (wildfly) and
>>>>>>>>>                     Javascript adapters.
>>>>>>>>>
>>>>>>>>>                     Manually I am using jwt.io <http://jwt.io>
>>>>>>>>>                     <http://jwt.io> <http://jwt.io> to check
>>>>>>>>>                     the token. I am
>>>>>>>>>                     just
>>>>>>>>>                     curious if the Keycloak adapters support
>>>>>>>>>                     smth similar out of the box.
>>>>>>>>>
>>>>>>>>>                     Thank you for your answers.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                     Regards,
>>>>>>>>>                     Pavel Maslov, MS
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                     _______________________________________________
>>>>>>>>>
>>>>>>>>>                     keycloak-user mailing list
>>>>>>>>>                     keycloak-user at lists.jboss.org
>>>>>>>>>                     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>
>>>>>>>>>
>>>>>>>                     _______________________________________________
>>>>>>>                     keycloak-user mailing list
>>>>>>>                     keycloak-user at lists.jboss.org
>>>>>>>                     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>                     _______________________________________________
>>>>>                     keycloak-user mailing list
>>>>>                     keycloak-user at lists.jboss.org
>>>>>                     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>
>>>
>>>
>>>                     _______________________________________________
>>>                     keycloak-user mailing list
>>>                     keycloak-user at lists.jboss.org
>>>                     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>                 _______________________________________________
>>                 keycloak-user mailing list
>>                 keycloak-user at lists.jboss.org
>>                 <mailto:keycloak-user at lists.jboss.org>
>>                 https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>
>
>         _______________________________________________
>         keycloak-user mailing list
>         keycloak-user at lists.jboss.org
>         <mailto:keycloak-user at lists.jboss.org>
>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151217/69f5464c/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: johan_bos.vcf
Type: text/x-vcard
Size: 335 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151217/69f5464c/attachment-0001.vcf 


More information about the keycloak-user mailing list