[keycloak-user] Noob question -- 'forbidden' on demo after redirect

Bill Burke bburke at redhat.com
Fri Feb 13 19:27:14 EST 2015


You don't have constraints set up correctly in web.xml?  You don't have 
the appropriate scope for the application set up?

On 2/13/2015 4:47 PM, Walter Rice wrote:
> Hi,
>
> I am trying to set up the demo as per the youtube videos (#1 and #2). I
> am using keycloak 1.0.5. I have set up per the video (I think), however
> things aren't working as expected.
>
> I browse to http://localhost:8080/customer-portal/ and all is fine. I
> click Customer Listing and I am redirected to login page as expected. I
> enter my name/pw , this is successful and then I am redirected back to
> http://localhost:8080/customer-portal/customers/view.jsp but the page is
> 'Forbidden' (redirect uri appears ok here?)
>
> I am using the 'full' version with bundled wildfly server.
>
>
>
> *customer app:*
> keycloak file
>
> {
> "realm": "cryo198",
> "realm-public-key":
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
> "auth-server-url": "http://localhost:8080/auth",
> "ssl-required": "external",
> "resource": "customer-portal",
> "credentials": {
> "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"
> }
> }
>
> *web.xml*
>      <login-config>
>          <auth-method>KEYCLOAK</auth-method>
>          <realm-name>cryo198</realm-name>
>      </login-config>
>
> *redirect URI:*
> /customer-portal/*
>
> *database app:*
> {
>      "realm": "cryo198",
>      "realm-public-key":
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>      "auth-server-url": "http://localhost:8080/auth",
>      "ssl-required": "NONE",
>      "resource": "database",
>      "bearer-only": "true"
> }
>
>
>
> *web.xml*
>      <login-config>
>          <auth-method>KEYCLOAK</auth-method>
>          <realm-name>cryo198</realm-name>
>      </login-config>
>
> *redirect URI:*
> n/a, set as bearer only
>
> *deployed apps:*
> $ /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh -c --command="deploy -l"
> NAME                   RUNTIME-NAME           ENABLED STATUS
> admin-access.war       admin-access.war       true    OK
> angular-product.war    angular-product.war    true    OK
> auth-server.war        auth-server.war        true    OK
> customer-portal-js.war customer-portal-js.war true    OK
> customer-portal.war    customer-portal.war    true    OK
> database.war           database.war           true    OK
> product-portal.war     product-portal.war     true    OK
>
>
>
>
>
>
> *Log:*
> 2015-02-13 21:22:29,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-41) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
> 2015-02-13 21:22:29,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) --> authenticate()
> 2015-02-13 21:22:29,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try bearer
> 2015-02-13 21:22:29,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try oauth
> 2015-02-13 21:22:29,669 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-41) session was null, returning null
> 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) there was no code
> 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) redirecting to auth server
> 2015-02-13 21:22:29,671 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) callback uri: http://localhost:8080/customer-portal/customers/view.jsp
> 2015-02-13 21:22:29,672 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) Sending redirect to login page: http://localhost:8080/auth/realms/cryo198/tokens/login?client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true
> 2015-02-13 21:22:29,701 DEBUG [org.keycloak.services.resources.TokenService] (default task-42) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
> 2015-02-13 21:22:29,702 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-42) Could not find cookie: KEYCLOAK_IDENTITY
> 2015-02-13 21:22:46,300 DEBUG [org.keycloak.services.resources.TokenService] (default task-43) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
> 2015-02-13 21:22:46,301 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) validating password for user: walt
> 2015-02-13 21:22:46,306 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring remember me cookie
> 2015-02-13 21:22:46,307 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/cryo198
> 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: isResource: true
> 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: go to oauth page?: false
> 2015-02-13 21:22:46,329 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b990-1b32ccabb2e8
> 2015-02-13 21:22:46,340 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/cryo198, max-age: -1
> 2015-02-13 21:22:46,387 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-44) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8
> 2015-02-13 21:22:46,388 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) --> authenticate()
> 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try bearer
> 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try oauth
> 2015-02-13 21:22:46,389 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) session was null, returning null
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) there was a code, resolving
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) checking state cookie for after code
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) ** reseting application state cookie
> 2015-02-13 21:22:46,477 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) Token Verification succeeded!
> 2015-02-13 21:22:46,478 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) successful authenticated
> 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
> 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-44) use realm role mappings
> 2015-02-13 21:22:46,479 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-44) propagate security context to wildfly
> 2015-02-13 21:22:46,481 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
> 2015-02-13 21:22:46,484 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) AUTHENTICATED
> 2015-02-13 21:22:46,502 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-46) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
> 2015-02-13 21:22:46,505 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) --> authenticate()
> 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try bearer
> 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try oauth
> 2015-02-13 21:22:46,507 DEBUG [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-46) session is active
> 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) Cached account found
> 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-46) propagate security context to wildfly
> 2015-02-13 21:22:46,509 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) AUTHENTICATED: was cached
> 2015-02-13 21:22:46,510 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-46) AuthenticatedActionsValve.invoke http://localhost:8080/customer-portal/customers/view.jsp
>
>
> Many thanks
> W

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
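
Added example, not part of the original thread and not Keycloak code: the quoted log ends in AUTHENTICATED while the page is Forbidden, which is the case the reply points at, a role demanded by a web.xml security constraint that never reaches the token. The sketch checks that offline; the constraint section, the role name `user` and the token claims are constructed assumptions, and the `realm_access.roles` claim is read because the log says "use realm role mappings".

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post shows only <login-config>; the constraint
# section and the role name "user" are assumptions for illustration.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/customers/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>cryo198</realm-name>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""

def local(tag):
    """Drop any XML namespace so namespaced web.xml files also match."""
    return tag.rsplit("}", 1)[-1]

def matches(pattern, path):
    """Servlet url-pattern match: exact, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def required_roles(web_xml, path):
    """Roles allowed on a context-relative path; None if no auth-constraint covers it."""
    roles = None
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        kids = [(local(e.tag), (e.text or "").strip()) for e in sc.iter()]
        covered = any(t == "url-pattern" and matches(v, path) for t, v in kids)
        if covered and any(t == "auth-constraint" for t, _ in kids):
            roles = (roles or set()) | {v for t, v in kids if t == "role-name"}
    return roles

def diagnose(web_xml, path, claims):
    """Compare decoded access-token claims with the constraint on path."""
    need = required_roles(web_xml, path)
    have = set(claims.get("realm_access", {}).get("roles", []))
    if need is None or need & have:
        return "ok"
    return "403: token roles %s, constraint allows %s" % (sorted(have), sorted(need))

if __name__ == "__main__":
    # Constructed claims: login succeeded, but no realm role reached the token.
    print(diagnose(WEB_XML, "/customers/view.jsp", {"preferred_username": "walt"}))
```

An auth-constraint with no role-name yields an empty set and is reported as 403 for every user, which matches the servlet rule that such a constraint denies all access.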

