[keycloak-user] Using postman to test keycloak protected app

Pedro Igor Silva psilva at redhat.com
Mon Mar 20 18:36:13 EDT 2017


Hi Stephane,

You are missing the step that actually obtains the token with the user
permissions. Please take a look at the Authorization API [1]. That PhotoZ
example is using UMA. When using this protocol, you need some additional
steps in order to obtain the RPT (the token with permissions) from the
server and use it to call your protected resources.

I would suggest you check the network calls using your browser, or you can
also try to use the Entitlement API [2] directly. This API does not require
a permission ticket and only requires an access token to obtain the RPT.

[1] https://www.keycloak.org/docs/3.0/authorization_services/topics/service/authorization/authorization-api.html
[2] https://www.keycloak.org/docs/3.0/authorization_services/topics/service/entitlement/entitlement-api.html

1) Obtain a

Regards.
Pedro Igor
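The three steps Pedro describes (password grant for an access token, RPT from the Entitlement API, then the API call carrying the RPT instead of the plain access token) as an added Python script; this is not code from the thread or from the Keycloak project. It assumes the Keycloak 3.0 Entitlement API path `/auth/realms/{realm}/authz/entitlement/{client}` and uses the photoz realm, `postman` client, `jdoe` user and `photoz-restful-api` resource server named in the thread; the sample RPT at the bottom is constructed so the helpers can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request
BASE = "http://localhost:8080/auth"      # Keycloak base URL used in the thread
REALM = "photoz"
CLIENT_ID = "postman"                    # public client, Direct Access Grants ON
RESOURCE_SERVER = "photoz-restful-api"   # client id of the protected resource server

def http(url, data=None, headers=None):
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def token_request_body(username, password):
    """Form body for step 1, the password grant the Postman request already does."""
    return urllib.parse.urlencode({"client_id": CLIENT_ID, "grant_type": "password",
                                   "username": username, "password": password}).encode()

def extract_rpt(entitlement_response):
    """The Entitlement API answers {"rpt": "<jwt>"}; that token is what the API needs."""
    rpt = json.loads(entitlement_response).get("rpt")
    if not rpt:
        raise ValueError("entitlement response carries no rpt")
    return rpt

def rpt_permissions(rpt):
    """Inspect authorization.permissions in the RPT payload; the resource server, not this client, verifies the signature."""
    payload = rpt.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("authorization", {}).get("permissions", [])

def fetch_rpt(username, password):
    """Steps 1 and 2 against a live Keycloak: password grant, then the Entitlement API (Keycloak 3.0 path), which needs only the access token."""
    token_json = http(f"{BASE}/realms/{REALM}/protocol/openid-connect/token",
                      data=token_request_body(username, password))
    access_token = json.loads(token_json)["access_token"]
    return extract_rpt(http(f"{BASE}/realms/{REALM}/authz/entitlement/{RESOURCE_SERVER}",
                            headers={"Authorization": f"Bearer {access_token}"}))

# Constructed, unsigned RPT look-alike so the helpers can be exercised offline.
SAMPLE_RPT = "hdr." + base64.urlsafe_b64encode(json.dumps({"authorization": {"permissions": [
    {"resource_set_name": "Album", "scopes": ["album:view"]}]}}).encode()).rstrip(b"=").decode() + ".sig"
if __name__ == "__main__":
    rpt = fetch_rpt("jdoe", "jdoe")
    print("permissions in RPT:", rpt_permissions(rpt))
    # Step 3: send the RPT, not the plain access token, as the Bearer credential.
    print(http(f"http://localhost:8080/{RESOURCE_SERVER}/album/",
               headers={"Authorization": f"Bearer {rpt}"}))
```

Run against the photoz server from the thread, the script prints the permissions granted in the RPT and then the album listing that the plain access token was refused with 403.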

On Mon, Mar 20, 2017 at 5:48 PM, Stephane Granger <
stephane.granger at gmail.com> wrote:

> Hi,
>
> I'm having problems setting up a postman collection to test my REST APIs.
> I first created the REST API without protecting it and tested it with
> Postman without a problem.
>
> I then added protection with Keycloak and ran into issues with Postman (403
> error).   I wasn't sure if the problem was in my authorization
> configuration or in my Postman collection.  So, to make sure it wasn't an
> authorization configuration problem, I decided to create a Postman
> collection and use the photoz example as a model.   In my Postman script, I
> want to access photoz-restful-api but I'm still getting 403 error.  The
> photoz example does work when I use my web browser.
>
> Here's what I did:
>
> I added a postman client in keycloak under the photoz realm:
>
> Client Id: postman
> Protocol: openid-connect
> Access Type: public
> Direct Access enabled: ON
>
> In Postman, I created 2 requests, one to get a token and the other one to
> retrieve the list of albums for the jdoe user
>
> Here are the 2 requests:
>
> POST http://localhost:8080/auth/realms/photoz/protocol/openid-connect/token
> Content-Type:"application/x-www-form-urlencoded"
>
> with the following body:
>
> client_id:postman
> grant_type:password
> username:jdoe
> password:jdoe
>
> I'm receiving this response: (token truncated for readability)
>
> {
>   "access_token": "eyJhbGciOiJS...",
>   "expires_in": 300,
>   "refresh_expires_in": 1800,
>   "refresh_token": "eyJhbGciOiJS...",
>   "token_type": "bearer",
>   "id_token": "eyJhbGciOiJSUzI1N...",
>   "not-before-policy": 0,
>   "session_state": "cf71f9c6-78cc-4a41-8026-aca4eb86c9cd"
> }
>
> In the Tests tab of the request (still in postman), I extracted the access
> token out of the response like this:
>
> var tokens=JSON.parse(responseBody);
> postman.setGlobalVariable("kcAccessToken", tokens.access_token);
>
> ===============
>
> Here's how I created the GET album request
>
> GET http://localhost:8080/photoz-restful-api/album/
>
> Headers:
> key=Authorization
> value=Bearer {{kcAccessToken}}
>
> I'm getting a 403 Forbidden error.
>
>
> I'm obviously doing something wrong.  Can anybody please tell me what I am
> doing wrong?
>
> Thanks,
> Stephane
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

