[keycloak-user] Issue with Bearer only auth

Tero Ahonen Tero.Ahonen at cybercom.com
Fri Nov 6 08:06:21 EST 2015


At first I had

<security-constraint>
<web-resource-collection>
<web-resource-name>foobar</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
             <http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Then added

<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

And it started working.

So without auth-constraint all request are ok even token is not present or valid.

Br,
Tero




On 06 Nov 2015, at 14:59 PM, Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com>> wrote:

Did you put any security constraints on the endpoints?

On 6 November 2015 at 12:36, Tero Ahonen <Tero.Ahonen at cybercom.com<mailto:Tero.Ahonen at cybercom.com>> wrote:
Hi,

I have a rest endpoint running on wildfly 9.

Wildfly and application is setup to use Keycloak and request to endpoints are intercepted with keycloak adapter. But is seems to be that it is not working. If auth header is not present keycloak just skips authentication and lets all request thru. It doesn’t matter do I use curl or browser.

Wilfly logs says (last line comes from servlet filter)

2015-11-06 13:10:23,962 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-17) adminRequest https://localhost:8443/foobar/endpoint
2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) --> authenticate()
2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) try bearer
2015-11-06 13:10:23,969 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-17) NOT_ATTEMPTED: bearer only
2015-11-06 13:10:23,970 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-17) AuthenticatedActionsValve.invoke https://localhost:8443/foobar/endpoint
2015-11-06 13:10:23,970 INFO  [stdout] (default task-17) GET:/foobar/endpoint


If I add Authorization headar like this

Authorization: Bearer 123

I get HTTP/1.1 401 Unauthorized

WWW-Authenticate: Bearer realm="saas-pilot", error="invalid_token", error_description="Couldn't parse token”


Is there something that I dont understand?

I have tried with web.xml/keycloak.json and keycloak subsystem configuration methods, same outcome.

Br,
Tero




_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151106/65234b21/attachment.html 


More information about the keycloak-user mailing list