[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

Pedro Igor Silva psilva at redhat.com
Fri Aug 17 07:41:12 EDT 2018


On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo <testoauth55 at gmail.com>
wrote:

> Pedro,
>
> After further debugging I found out that following line in keycloak json
> is causing the issue:  "policy-enforcer": {}. If I remove this line, then
> 403 error is removed but I guess doing this disables authorization
> altogether. 2 questions on this:
> 1. When I have configured policies on the Admin console under the
> authorization tab, why is this empty?
>

I'm not sure. When you enable authorization services for a client, a default
resource and default permissions are created, and these permissions grant
access to any resource in your application (uri == /*).


> 2. Is there a way to put some default values (not manually) in here to
> make authorization work?
>

Like I said, when you just enable the authorization services switch,
default settings are created automatically.

Did you try to run any of our quickstarts?



>
> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Yeah, it should be relative. I was wondering if the correct URI would be
>> '/keycloak/secure/role' instead.
>>
>> In any case, I would ask you to try the same deployment using tomcat or
>> wildfly to see how it goes. We have a few quickstarts running on these two.
>> Maybe you could also try to enable DEBUG log level to see how the policy
>> enforcer is matching URIs to your resources.
>>
>> If none of them work, I can give a try and run jetty.
>>
>> Regards.
>> Pedro Igor
>>
>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <testoauth55 at gmail.com>
>> wrote:
>>
>>> Pedro, thanks for replying. I tried putting the absolute URI, but it does
>>> not work either. The documentation anyway states that the URI in resource
>>> can be relative to client root URL which I have configured to be
>>> http://localhost:7200/{app}/keycloak , therefore putting relative URI '/secure/role'
>>> in resource should be equivalent to putting absolute URI
>>> 'http://localhost:7200/{app}/keycloak/secure/role'. Do you think there
>>> is something else I can try?
>>>
>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Your configuration looks correct. But I noticed that in the postman
>>>> request you are sending requests to `http://localhost:7200/{app}/keycloak/secure/role`.
>>>> However in your resource definition the URI is configured to `/secure/role`. Both URIs
>>>> should match otherwise the adapter won't be able to map the URI in your
>>>> application to a resource in Keycloak (and related permissions).
>>>>
>>>> Regards.
>>>> Pedro Igor
>>>>
>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55 at gmail.com>
>>>> wrote:
>>>>
>>>>> With all the configuration(shared below), when I test using the
>>>>> evaluate
>>>>> option under authorization tab, result is permit:
>>>>>
>>>>> *But when I make a request to this resource through postman, I get
>>>>> 403.*
>>>>>
>>>>> *Which part of configuration is wrong which is leading to 403 error?*
>>>>>
>>>>> CONFIGURATION:
>>>>>
>>>>>
>>>>> *Detailed configuration with images shown here:*
>>>>>
>>>>> *https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api*
>>>>>
>>>>> *1.* Following https://www.keycloak.org/docs/4.2/authorization_services/ ,
>>>>> I created a realm role : *role_special_user* and created a user : *user_special*
>>>>> with this role and role *user*.
>>>>>
>>>>> *2.* Next, my resource server / client is with *full scope enabled*:
>>>>> *3.* Under authorization tab, I created a resource with the role-based
>>>>> policy.
>>>>>
>>>>> *4.* Now, keycloak json is:
>>>>>
>>>>> {
>>>>>   "realm": "demo12",
>>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>>   "ssl-required": "none",
>>>>>   "resource": "server12",
>>>>>   "credentials": {
>>>>>     "secret": "XXXXXXX"
>>>>>   },
>>>>>   "confidential-port": 0,
>>>>>   "policy-enforcer": {}
>>>>> }
>>>>>
>>>>> *5.* And Keycloak Jetty adapter configuration is:
>>>>>
>>>>> import java.io.InputStream;
>>>>> import com.fasterxml.jackson.annotation.JsonInclude;
>>>>> import com.fasterxml.jackson.databind.ObjectMapper;
>>>>> import org.eclipse.jetty.security.ConstraintMapping;
>>>>> import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>>>> import org.eclipse.jetty.util.security.Constraint;
>>>>> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>>>> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>>>
>>>>> // keycloak.json is loaded from the classpath and parsed into an AdapterConfig
>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>> InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>
>>>>> // The post read "kcAuthenticator = KeyCloakConfig", which does not compile;
>>>>> // the authenticator is created and handed the parsed adapter config instead.
>>>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>> if (kcAuthenticator != null) {
>>>>>     // every path requires an authenticated user; "**" means any role is accepted,
>>>>>     // so fine-grained decisions are left to the policy enforcer
>>>>>     ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>     ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>     constraintMapping.setPathSpec("/*");
>>>>>     Constraint constraint = new Constraint();
>>>>>     constraint.setAuthenticate(true);
>>>>>     constraint.setRoles(new String[]{"**"});
>>>>>     constraintMapping.setConstraint(constraint);
>>>>>     securityHandler.addConstraintMapping(constraintMapping);
>>>>>     securityHandler.setAuthenticator(kcAuthenticator);
>>>>>     context.setSecurityHandler(securityHandler); // context: the app's ServletContextHandler
>>>>> }
>>>>>
>>>>> *6.* Also, the decoded jwt token sample is:
>>>>>
>>>>> {
>>>>>   "jti": "XXXXXXX",
>>>>>   "exp": 1533798704,
>>>>>   "nbf": 0,
>>>>>   "iat": 1533798404,
>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>   "aud": "server12",
>>>>>   "sub": "XXXXXXX",
>>>>>   "typ": "Bearer",
>>>>>   "azp": "server12",
>>>>>   "auth_time": 1533798404,
>>>>>   "session_state": "XXXXXX",
>>>>>   "acr": "1",
>>>>>   "allowed-origins": [],
>>>>>   "realm_access": {
>>>>>     "roles": [
>>>>>       "role_special_user",
>>>>>       "offline_access",
>>>>>       "uma_authorization",
>>>>>       "user"
>>>>>     ]
>>>>>   },
>>>>>   "resource_access": {
>>>>>     "server12": {
>>>>>       "roles": [
>>>>>         "uma_protection"
>>>>>       ]
>>>>>     },
>>>>>     "account": {
>>>>>       "roles": [
>>>>>         "manage-account",
>>>>>         "manage-account-links",
>>>>>         "view-profile"
>>>>>       ]
>>>>>     }
>>>>>   },
>>>>>   "scope": "openid email profile",
>>>>>   "email_verified": false,
>>>>>   "preferred_username": "user_special"
>>>>> }
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>
>
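As an added illustration (not Keycloak's own PathMatcher and not code from this thread), the following Python models the two steps the thread is about: the enforcer first maps the request path to a resource, and only then are the role policies evaluated, so the Evaluate tab can say permit while the adapter answers 403 when no resource matches the path it sees. The resource name, the required role set, the `/keycloak` prefix and the simplified wildcard matching are assumptions for the demo; the paths, roles and `enforcement-mode` values come from the thread and the Keycloak documentation.

```python
import re
from dataclasses import dataclass

@dataclass
class Resource:
    name: str
    uris: list            # URI patterns; '*' matches any run of characters (simplified)
    required_roles: set   # realm roles the attached role-based policy accepts (empty: anyone)

def uri_matches(pattern: str, path: str) -> bool:
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, path) is not None

def resolve(path: str, resources: list):
    """Most specific matching URI wins: fewest wildcards, then longest pattern."""
    candidates = [(u, r) for r in resources for u in r.uris if uri_matches(u, path)]
    candidates.sort(key=lambda c: (c[0].count("*"), -len(c[0])))
    return candidates[0][1] if candidates else None

def enforce(path: str, token: dict, resources: list, enforcer_cfg: dict) -> str:
    mode = enforcer_cfg.get("enforcement-mode", "ENFORCING")  # Keycloak's default mode
    if mode == "DISABLED":
        return "allow"
    res = resolve(path, resources)
    if res is None:
        # ENFORCING denies paths that map to no resource; PERMISSIVE lets them through
        return "allow" if mode == "PERMISSIVE" else "deny-403:no-resource"
    roles = set(token.get("realm_access", {}).get("roles", []))
    if res.required_roles and not (res.required_roles & roles):
        return f"deny-403:policy:{res.name}"
    return f"permit:{res.name}"

# Constructed data mirroring the thread (names and role set are assumptions)
TOKEN = {"realm_access": {"roles": ["role_special_user", "offline_access", "uma_authorization", "user"]}}
SPECIAL = Resource("special-role-resource", ["/secure/role"], {"role_special_user"})
DEFAULT = Resource("Default Resource", ["/*"], set())  # auto-created when authorization is enabled
EMPTY_ENFORCER = {}  # the thread's "policy-enforcer": {}

def demo() -> dict:
    return {
        # what the Evaluate tab checks: the resource itself against the user's roles
        "evaluate": enforce("/secure/role", TOKEN, [SPECIAL], EMPTY_ENFORCER),
        # what the adapter decides if the relative path it sees still carries the /keycloak prefix
        "adapter_enforcing": enforce("/keycloak/secure/role", TOKEN, [SPECIAL], EMPTY_ENFORCER),
        "adapter_permissive": enforce("/keycloak/secure/role", TOKEN, [SPECIAL], {"enforcement-mode": "PERMISSIVE"}),
        # with the auto-created /* resource still present, every path maps somewhere
        "with_default": enforce("/keycloak/secure/role", TOKEN, [SPECIAL, DEFAULT], EMPTY_ENFORCER),
        "wrong_role": enforce("/secure/role", {"realm_access": {"roles": ["user"]}}, [SPECIAL], EMPTY_ENFORCER),
    }
```

Switching to `PERMISSIVE` while debugging separates "no resource matched this path" from "a policy denied it", which is the distinction the DEBUG logging Pedro suggests also exposes.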
