[keycloak-user] Keycloak adapter with policies returns bad request
Pedro Igor
psilva at redhat.com
Wed Dec 7 19:11:59 EST 2016
Hi Richard,
In your first message, it seems the token endpoint is http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token. Here you are using a realm "local.development".
In your last message with the postman request, you are using a token endpoint like this /auth/realms/development/protocol/openid-connect/token. Where the realm is "development", the same you have used in keycloak.json.
Would that be a misconfiguration or just a typo ?
Besides, what happens when you send that postman request to the server ? Are you able to get an AT ?
This is pretty much what the enforcer does during initialization: obtain an AT before querying the Protection API for protected resources. And that is what your stack trace shows.
If you are not able to obtain a token using the postman request, it probably means you have something wrong with your realm/client configuration on the server.
Last question, are you able to run any of our authorization examples ? Or even successfully follow our Getting Started guide ?
Thanks.
Pedro Igor
On 12/7/2016 12:05:10 PM, Richard van Duijn <rjvduijn at gmail.com> wrote:
Forgot to include the postman request.. here it is:
POST /auth/realms/development/protocol/openid-connect/token HTTP/1.1
Host: 127.0.0.1:8080
Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
/Richard
On Wed 7 Dec 2016 at 15:00, Richard van Duijn <rjvduijn at gmail.com> wrote:
Somehow I do not get any logs in keycloak server.log. I've attempted to change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you can give me a pointer to which logger I should change to see the correct logs show up.
Besides that I've done some debugging using Postman as well. Using the following request I get the message:
{
"error": "invalid_client",
"error_description": "Bearer-only not allowed"
}
This is weird to me as the keycloak.json file states that I am connecting to a bearer-only client.
Hope this helps to clarify it for you.
My keycloak.json configuration file looks like this:
{
"realm": "development",
"bearer-only": true,
"auth-server-url": "http://127.0.0.1:8080/auth",
"ssl-required": "external",
"resource": "backend-client",
"use-resource-role-mappings": true,
"credentials": {
"secret": "SECRETHERE"
},
"policy-enforcer": {}
}
Hope this helps to clarify some of your questions.
/Richard
On Wed 7 Dec 2016 at 12:47, Pedro Igor <psilva at redhat.com> wrote:
Do you get anything in server logs ? It may be related with invalid client credentials.
On 12/6/2016 12:41:38 PM, Richard van Duijn <rjvduijn at gmail.com> wrote:
I'm creating a POC application using playframework and angular. The
frontend will be protected using the keycloak javascript adapter and the
backend rest services will be a bearer-only application.
Without the policies turned on in the keycloak.json everything goes well.
But when I turn the policies on by adding "policy-enforcer": { } for the
rest services, I get a 400 Bad Request response from the Keycloak server
during initialization.
After some debugging I noticed it had to do with the initialization of the
PolicyEnforcer which attempts to call the following server keycloak
endpoint:
http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token
Below you will find the stacktrace and request and response objects.
Hope someone can point me in the right direction. For instance how to
configure keycloak logging to get some more details on what the reason for
the 400 bad request is.
Many many thanks!
/Richard
*Stacktrace*:
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112)
at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91)
at org.keycloak.adapters.authorization.PolicyEnforcer.(PolicyEnforcer.java:57)
at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135)
at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
... many google guice calls ...
at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129)
at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121)
*Request object*:
builder = {RequestBuilder at 12557}
method = "POST"
charset = {UTF_8 at 12563} "UTF-8"
version = null
uri = {URI at 12564} "http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token"
headergroup = {HeaderGroup at 12565} "[Authorization: Basic
YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]"
entity = null
parameters = {LinkedList at 12566} size = 1
0 = {BasicNameValuePair at 12576} "grant_type=client_credentials"
config = null
*Response object*:
HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1,
Server: WildFly/10, Content-Type: application/json, Content-Length: 72,
Date: Tue, 06 Dec 2016 12:24:28 GMT]
org.apache.http.conn.BasicManagedEntity at 1f8d1780
response = {$Proxy16 at 12554} "HTTP/1.1 400 Bad Request [Connection:
keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type:
application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]
org.apache.http.conn.BasicManagedEntity at 1f8d1780"
h = {CloseableHttpResponseProxy at 12583}
original = {BasicHttpResponse at 12584} "HTTP/1.1 400 Bad Request
[Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10,
Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016
12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780"
statusline = {BasicStatusLine at 12556} "HTTP/1.1 400 Bad Request"
ver = {HttpVersion at 12586} "HTTP/1.1"
code = 400
reasonPhrase = "Bad Request"
entity = {BasicManagedEntity at 12555}
reasonCatalog = {EnglishReasonPhraseCatalog at 12588}
locale = {Locale at 12589} "en_US"
headergroup = {HeaderGroup at 12590} "[Connection: keep-alive,
X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type:
application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]"
params = {ClientParamsStack at 12591}
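As an added example (not part of the thread, nor Keycloak's own adapter code), the Python below assembles the same client_credentials request the PolicyEnforcer sends at startup from a constructed keycloak.json like the one posted above, checks it against the token endpoint seen in the stack trace, and maps the token-endpoint error bodies quoted in the thread to their likely cause. The constructed config, the placeholder secret and the helper names are assumptions; the rule that a bearer-only client cannot request its own token via client_credentials is Keycloak's documented behaviour rather than something the thread states.

```python
import base64
import json
from urllib.parse import urlencode, urlparse

# Constructed keycloak.json mirroring the one posted in the thread; the secret is a placeholder.
KEYCLOAK_JSON = """{
  "realm": "development",
  "bearer-only": true,
  "auth-server-url": "http://127.0.0.1:8080/auth",
  "resource": "backend-client",
  "credentials": {"secret": "SECRETHERE"},
  "policy-enforcer": {}
}"""
# Token endpoint as it appears in the stack trace of the first message.
TRACE_ENDPOINT = "http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token"

def load_config(text=KEYCLOAK_JSON):
    return json.loads(text)

def token_request(cfg):
    """Build the client_credentials request the PolicyEnforcer sends at startup."""
    url = f"{cfg['auth-server-url'].rstrip('/')}/realms/{cfg['realm']}/protocol/openid-connect/token"
    creds = f"{cfg['resource']}:{cfg['credentials']['secret']}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode({"grant_type": "client_credentials"})

def preflight(cfg, trace_endpoint=TRACE_ENDPOINT):
    """Configuration checks to run before starting the adapter; returns a list of problems."""
    problems = []
    url, _, _ = token_request(cfg)
    if urlparse(url).path != urlparse(trace_endpoint).path:
        problems.append(f"realm mismatch: keycloak.json yields {url}, trace shows {trace_endpoint}")
    if cfg.get("bearer-only") and "policy-enforcer" in cfg:
        # A bearer-only client only validates incoming tokens; the enforcer must obtain one itself.
        problems.append("policy-enforcer set on a bearer-only client: it cannot use client_credentials")
    return problems

def diagnose(status, body):
    """Map a token-endpoint response to the likely configuration cause."""
    if status == 200:
        return "ok"
    err = json.loads(body) if body else {}
    desc = err.get("error_description", "")
    if err.get("error") == "invalid_client" and "Bearer-only" in desc:
        return "client is bearer-only: use a confidential client with a service account for the enforcer"
    if err.get("error") == "invalid_client":
        return "client id/secret rejected: check 'resource' and 'credentials.secret' on the server"
    return f"unexpected {status}: {desc or body}"
```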