[keycloak-user] Using a role to allow access to a resource

Sebastien Blanc sblanc at redhat.com
Tue Nov 1 05:13:24 EDT 2016

Your token will contain the roles of the user, not the roles of the client.
Does your user have the roles assigned ?

On Tue, Nov 1, 2016 at 9:41 AM, Guus der Kinderen <
guus.der.kinderen at gmail.com> wrote:

> Hi,
> While trying to authenticate a user to obtain a resource, I'm running into
> an issue. It's likely caused by my misunderstanding of how things are
> supposed to work, rather than some kind of bug. I'd love to be corrected.
> Using Keycloak 1.9.2, I've created a realm with two clients. One client is
> using the Javascript adapter[1] to create a very simply UI, that lets the
> user authenticate. The resulting access token is used to make a request to
> a REST-like service, which employs the Java Servlet Filter Adapter[2].
> We're planning to have multiple resource services like this, each exposing
> data for which different levels of authorization might be required.
> I'd like our REST-like service to provide data only when the user that
> requests the data has an access token that is issued to a front-end that is
> allowed to access this data. To achieve this, I tried employing the use of
> a role. I think this is where I'm messing up somehow.
> What I did:
> In the realm, I've a added a "realm role" ( "scope param required" /
> "composite roles" both disabled)
> In the client configuration that's used by the Javascript UI (which
> generates the access token), I've made these changes to the "scope" tab:
>    - Disabled "Full Scope Allowed"
>    - Moved the role that I added earlier from "available roles" to
>    "assigned roles"
> Finally, I've modified the implementation of the REST-like service to check
> for the new role, by doing something like this simplified code in a servlet
> (that's covered by the OIDC Filter):
> KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
> request.getAttribute( KeycloakSecurityContext.class.getName() );
> if ( !securityContext.getToken().getRealmAccess().isUserInRole(
> "the-role-that-I-added" ) )
> {
>     response.setStatus( HttpServletResponse.SC_FORBIDDEN );
>     return;
> }
> This throws a NullPointerException, as getRealmAccess() returns null.
> While debugging the code, it's appears that the access token itself is
> received and valid - it's the scope / role check that does not appear to
> come through.
> I finally used the service at https://jwt.io/ to inspect the content of
> the
> access token that's being generated. I expected the 'the-role-that-I-added"
> value to be in there somewhere, but that's not the case.
> That's where I thought it'd be a good idea to get some advice, and here we
> are. I'd love some feedback.
> Regards,
>   Guus
> [1]:
> https://keycloak.gitbooks.io/securing-client-applications-
> guide/content/topics/oidc/javascript-adapter.html
> [2]:
> https://keycloak.gitbooks.io/securing-client-applications-
> guide/content/topics/oidc/java/servlet-filter-adapter.html
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list