[keycloak-user] AccessToken authorization is always null using Jetty adapter
Pedro Igor Silva
psilva at redhat.com
Mon Mar 27 08:00:30 EDT 2017
Hi Gabriel,
I need to check this out. It has been a while from last time I checked
AuthZ with Jetty.
Regards.
Pedro Igor
On Fri, Mar 24, 2017 at 8:22 PM, Gabriel Trisca <gtrisca at cignifi.com> wrote:
> Hello,
>
> I'm attempting to set up resource permission enforcement on a simple
> Dropwizard application (Jersey->Jetty).
>
> I believe the PolicyEnforcer is set up correctly, because I see debugging
> info along these lines:
>
> DEBUG [19:04:23.574] [dw-41] o.k.a.PreAuthActionsHandler - adminRequest
> http://localhost:9090/v1/XXXX
> DEBUG [19:04:23.601] [dw-41] o.k.a.j.c.JettyRequestAuthenticator -
> Completing bearer authentication. Bearer roles: [uma_authorization]
> DEBUG [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator - User
> 'c9e8208e-56f5-42e0-9efb-f8d05600f5de' invoking '
> http://localhost:9090/v1/XXXX' on client 'XXXX-api'
> DEBUG [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator - Bearer
> AUTHENTICATED
> DEBUG [19:04:27.781] [dw-41] o.k.a.AuthenticatedActionsHandler -
> AuthenticatedActionsValve.invoke http://localhost:9090/v1/XXXX
> DEBUG [19:04:30.341] [dw-41] o.k.a.a.PolicyEnforcer - Policy enforcement
> is enable. Enforcing policy decisions for path [
> http://localhost:9090/v1/XXXX].
> DEBUG [19:05:22.741] [dw-41] o.k.a.a.AbstractPolicyEnforcer - Checking
> permissions for path [http://localhost:9090/v1/XXXX] with config
> [PathConfig{name='XXXX Resources', type='uma:XXXXXX', path='/v1/XXXX/*',
> scopes=[], id='43bd3cdf-c15b-487a-a259-79e8de00d764',
> enforcerMode='ENFORCING'}].
> DEBUG [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer - Policy enforcement
> result for path [http://localhost:9090/v1/XXXX] is : DENIED
> DEBUG [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer - Returning
> authorization context with permissions:
> 127.0.0.1 - c9e8208e-56f5-42e0-9efb-f8d05600f5de [24/Mar/2017:23:11:56
> +0000] "GET /v1/XXXX HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
> 453164
>
>
> Specifically, the error occurs when Keycloak attempts to retrieve an
> "Authorization" object from the AccessToken. This authorization object is
> always null and the permissions cannot be loaded.
>
> Without permissions, the request is marked as Unauthorized.
>
> Is there something that I'm missing here? As far as I know everything is
> configured correctly, I can evaluate policies on the Keycloak admin
> console, and the client is set up as access type "confidential". I can see
> the resource definitions from Keycloak being loaded when the app launches.
>
> Any help greatly appreciated.
>
> --
> *Gabriel Trisca, Software Developer*
> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list