[keycloak-user] Keycloak 3.4.0.Final - Basic and bearer only authentication fails

Nicolas DUMINIL nicolas.duminil at simplex-software.fr
Wed Dec 27 10:18:09 EST 2017

Hi,

I'm using Keycloak 3.4.0.Final and WildFly 10.1.0 with the right adapter. I
have the following realm:


{
  "id": "fd12b07c-8fdf-4e94-9688-cf80387a06c2",
  "realm": "demo-realm",
  "enabled": true,
  "sslRequired": "external",
  ...
  "roles": {
    "realm": [
      ...
      {
        "id": "c67ee573-05fa-4253-a1e0-5c09b3e9e162",
        "name": "customer-manager-role",
        "scopeParamRequired": false,
        "composite": false,
        "clientRole": false,
        "containerId": "fd12b07c-8fdf-4e94-9688-cf80387a06c2"
      },
      ...
    ],
    "client": {
      "curl": [],
      ...
    }
  },
  "groups": [],
  "defaultRoles": [
    "offline_access",
    "uma_authorization"
  ],
  "requiredCredentials": [
    "password"
  ],
  ...
  "clients": [
    {
      "id": "9d43b813-3232-49c3-ba5d-f097e6a56618",
      "clientId": "curl",
      "surrogateAuthRequired": false,
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
        "http://localhost"
      ],
      "webOrigins": [
        "http://localhost"
      ],
      "notBefore": 0,
      "bearerOnly": false,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": false,
      "publicClient": true,
      "frontchannelLogout": false,
      "attributes": {},
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": -1,
      "protocolMappers": [
        ...
      ],
      ...
    },
    {
      "id": "fa8edc2a-51c1-4b04-8939-8a0838d21130",
      "clientId": "customer-manager-client",
      "surrogateAuthRequired": false,
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
        "http://localhost:8080/customer-management/*"
      ],
      "webOrigins": [
        "http://localhost:8080"
      ],
      "notBefore": 0,
      "bearerOnly": true,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "publicClient": false,
      "frontchannelLogout": false,
      "attributes": {},
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": -1,
      "protocolMappers": [
        ...
      ],
      ...
    },
    ...
  ]
}


This file has been obtained by the export function in the console. Strangely
enough, the users aren't exported and there is no "Export users" button as
there is for "Export groups and roles" and "Export clients".

On the WildFly side, I have a WAR containing a couple of JAX-RS services,
whose web.xml is as follows:


<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
  <module-name>customer-management-rest</module-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customers</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer-manager-role</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo-realm</realm-name>
  </login-config>
  <security-role>
    <role-name>customer-manager-role</role-name>
  </security-role>
</web-app>

The idea is that the services be accessed via the “customer-manager-role”
which is assigned to the user “customer-manager-user”. After deployment,
using the following curl request:

curl http://customer-manager-user:toto@localhost:8080/customer-management/services/customers

replies:

<html><head><title>Error</title></head><body>Forbidden</body></html>

In the previous curl request, customer-manager-user is the user name created
on the demo-realm realm. In its Role Mappings list I have
"customer-manager-role", which is a role created on the same realm. And
"toto" here is the password assigned to the user customer-manager-user. So I
would expect that basic authentication works, but obviously it doesn't.
The same happens if I'm trying bearerOnly by including the token obtained
via the "curl" client. What could be wrong here? Could that have anything
to do with the fact that there is no trace of my "customer-manager-user"
in the realm?

Many thanks in advance.

Kind regards,

Nicolas
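The question above is left open on the list. As an added diagnostic example (editor's code, not the poster's and not part of Keycloak or its adapters), the Python below parses the auth-constraint of the web.xml shown earlier and compares the role it demands with the roles carried in a Keycloak access token's realm_access.roles claim (and, optionally, the resource_access.<client>.roles claim for a given client). The distinction it helps with: under a container security constraint, a 401 means no acceptable credentials were presented, whereas a 403 Forbidden like the one above means the request was authenticated but the caller lacks a required role, so the first thing to check is whether the role is really in the token the adapter sees. The sample token and the reduced web.xml are constructed inline; the function names (required_roles, token_roles, missing_roles, make_sample_token) are the editor's own. The helper only reads the token payload and deliberately does not validate the signature, which is the adapter's job on the server side.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Constructed sample: the deployment descriptor from the post, reduced to the
# namespace and the security-constraint that matter for the check.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customers</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer-manager-role</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo-realm</realm-name>
  </login-config>
</web-app>
"""

JAVAEE_NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}


def required_roles(web_xml):
    """Map each url-pattern in web.xml to the set of roles its auth-constraint demands."""
    root = ET.fromstring(web_xml)
    result = {}
    for sc in root.findall("j:security-constraint", JAVAEE_NS):
        roles = {r.text.strip() for r in sc.findall("j:auth-constraint/j:role-name", JAVAEE_NS)}
        for pat in sc.findall("j:web-resource-collection/j:url-pattern", JAVAEE_NS):
            result.setdefault(pat.text.strip(), set()).update(roles)
    return result


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token, client_id=None):
    """Roles a Keycloak access token carries: realm roles, plus client roles of client_id if given.

    Reads the payload only. The signature is NOT checked here; this is for
    inspecting a token you already hold, not for accepting one.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    roles = set(claims.get("realm_access", {}).get("roles", []))
    if client_id:
        roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


def missing_roles(access_token, web_xml, url_pattern="/*", client_id=None):
    """Roles the constraint for url_pattern demands that the token does not carry.

    An empty set means a 403 cannot be explained by role mapping alone.
    """
    return required_roles(web_xml).get(url_pattern, set()) - token_roles(access_token, client_id)


def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped fixture for offline demonstration.

    Real Keycloak tokens are RS256-signed; the signature segment here is a
    placeholder, which is fine because token_roles never verifies it.
    """
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "signature-placeholder")


if __name__ == "__main__":
    # A user who only holds the realm's default roles: the /* constraint fails, hence 403.
    only_defaults = make_sample_token({"realm_access": {"roles": ["offline_access", "uma_authorization"]}})
    print("missing for default-role user:", missing_roles(only_defaults, WEB_XML))
    # A user with the role mapped: nothing missing, the constraint is satisfied.
    with_role = make_sample_token({"realm_access": {"roles": ["offline_access", "customer-manager-role"]}})
    print("missing for customer-manager-user:", missing_roles(with_role, WEB_XML))
```

Two general facts about the Java adapter, stated as background rather than as a diagnosis of this particular realm: the adapter only attempts HTTP Basic authentication when enable-basic-auth is set in its keycloak.json (a bearer-only adapter otherwise accepts nothing but a Bearer token), and because the url-pattern here is /*, every path in the WAR requires the role, so a token without customer-manager-role in realm_access.roles will get 403 everywhere.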