[keycloak-user] Using postman to test keycloak protected app

Stephane Granger stephane.granger at gmail.com
Mon Mar 20 16:48:13 EDT 2017 

Hi,

I'm having problems setting up a postman collection to test my REST APIs.
I have first created the REST API without protecting it and test it with
Postman without a problem.

I then added protection with Keycloak and ran into issues with Postman (403
error).   I wasn't sure if the problem was in my authorization
configuration or in my Postman collection.  So, to make sure it wasn't an
authorization configuration problem, I decided to create a Postman
collection and use the photoz example as a model.   In my Postman script, I
want to access photoz-restful-api but I'm still getting 403 error.  The
photoz example does work when I use my web browser.

Here's what I did:

I added a postman client in keycloak under the photoz realm:

Client Id: postman
Protocol: openid-connect
Access Type: public
Direct Access enabled: ON

In Postman, I created 2 requests, one to get a token and the other one to
retrieve the list of album for the jdoe user

Here are the 2 requests:

POST http://localhost:8080/auth/realms/photoz/protocol/openid-connect/token
Content-Type:"application/x-www-form-urlencoded"

with the following body:

client_id:postman
grant_type:password
username:jdoe
password:jdoe

I'm receiving a this response: (token truncated for readability)

{
  "access_token": "eyJhbGciOiJS...",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJS...,
  "token_type": "bearer",
  "id_token": "eyJhbGciOiJSUzI1N...",
  "not-before-policy": 0,
  "session_state": "cf71f9c6-78cc-4a41-8026-aca4eb86c9cd"
}

In the Tests tab of the request (still in postman), I extracted the access
token out of the response like this:

var tokens=JSON.parse(responseBody);
postman.setGlobalVariable("kcAccessToken", tokens.access_token);

===============

Here's how I created the GET album request

GET http://localhost:8080/photoz-restful-api/album/

Headers:
key=Authorization
value=Bearer {{kcAccessToken}}

I'm getting a 403 Forbidden error.


I obviously do something wrong.  Can anybody please tell me what I do wrong?

Thanks,
Stephane

More information about the keycloak-user mailing list