[keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

keycloak demo testoauth55 at gmail.com
Mon Aug 20 02:37:21 EDT 2018 

Pedro,

Yes default permissions grant access to any resource in my application (uri
== /*). But problem starts when I specify a resource with specific URI (as
described in configuration in my previous email and also here:
*https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
<https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api>*
).

Just to summarize the real problem:

Apart from default resource having `/*`, I have a second resource having
URI:   /secure/role/*  and this resource also has a role based policy to
allow access to only users having role "special", the expected behavior is
the users who don't have role "special" should not be able to access this
resource, right?

But I am able to access this resource with any user, any role. So I thought
that may be default resource URI with '/*' is overriding behavior of second
resource, so I changed default resource URI to '/test/*', and then I
started receiving 403 error for accessing both '/test' as well as second
resource ' /secure/role/*  ' for all users including user with "special"
role assigned.

I looked into realm resource configuration in one of the quick starts and
the only difference I found was that quick start resources specify scope in
each of resources whereas I have kept it blank. Could this be an issue.

I understand you already spent time in trying to resolve this but problem
still persists.

On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

>
>
> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo <testoauth55 at gmail.com>
> wrote:
>
>> Pedro,
>>
>> After further debugging I found out that following line in keycloak json
>> is causing the issue:  "policy-enforcer": {}. If I remove this line,
>> then 403 error is removed but I guess doing this disables authorization
>> altogether. 2 questions on this:
>> 1. When I have configured policies on the Admin console under the
>> authorization tab, why is this empty?
>>
>
> I'm not sure. When you enable authorization services to a client default
> resource/permissions are created. Where these permissions grant access to
> any resource in your application (uri == /*).
>
>
>> 2. Is there a way to put some default values (not manually) in here to
>> make authorization work?
>>
>
> Like I said, when you just enable the authorization services switch,
> default settings are created automatically.
>
> Did you try to run any of our quickstarts ?
>
>
>
>>
>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Yeah, it should be relative. I was wondering if the correct URI would be
>>> '/keycloak/secure/role' instead.
>>>
>>> In any case, I would ask you to try the same deployment using tomcat or
>>> wildfly to see how it goes. We have a few quickstarts running on these two.
>>> Maybe you could also try to enable DEBUG log level to see how the policy
>>> enforcer is matching URIs to your resources.
>>>
>>> If none of them work, I can give a try and run jetty.
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <testoauth55 at gmail.com>
>>> wrote:
>>>
>>>> Pedro, thanks for replying. I tried putting the absolute URI,but it
>>>> does not work either. The documentation anyway states that the URI in
>>>> resource can be relative to client root URL which I have configured to be
>>>> http://localhost:7200/{app}/keycloak , therefore putting  relateve URI
>>>> '/secure/role' in resource should be equivalent to putting absolute
>>>> URI :    http://localhost:7200/{app}/keycloak/secure/role'. Do you
>>>> think, there is something else I can try?
>>>>
>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Your configuration looks correct. But I noticed that in the postman
>>>>> request you are sending requests to `http://localhost:7200/{app}/k
>>>>> eycloak/secure/role`
>>>>> <http://localhost:7200/%7Bapp%7D/keycloak/secure/role>. However in
>>>>> your resource definition the URI is configured to `/secure/role`. Both URIs
>>>>> should match otherwise the adapter won't be able to map the URI in your
>>>>> application to a resource in Keycloak (and related permissions).
>>>>>
>>>>> Regards.
>>>>> Pedro Igor
>>>>>
>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> With all the configuration(shared below), when I test using the
>>>>>> evaluate
>>>>>> option under authorization tab, result is permit:
>>>>>>
>>>>>> *But when I make a request to this resource through postman, I get
>>>>>> 403.*
>>>>>>
>>>>>> *Which part of configuration is wrong which is leading to 403 error?*
>>>>>>
>>>>>> CONFIGURATION:
>>>>>>
>>>>>>
>>>>>> *Detailed configuration with images shown here:*
>>>>>>
>>>>>> *https://stackoverflow.com/questions/51761779/keycloak-403-f
>>>>>> orbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>> <https://stackoverflow.com/questions/51761779/keycloak-403-f
>>>>>> orbidden-error-while-accessing-rest-resource-where-as-evaluate-api>*
>>>>>>
>>>>>> *1.* Following the  <goog_1387888133>
>>>>>> https://www.keycloak.org/docs/4.2/authorization_services/ , I
>>>>>> created a
>>>>>> realm role : *role_special_user* and created a user : *user_special*
>>>>>> with
>>>>>> this role and role *user*.
>>>>>>
>>>>>> *2.* Next, my resource server / client is with *full scope enabled*:
>>>>>> *3.* Under authorization tab, I created a resource  with the role
>>>>>> based
>>>>>> policy is.
>>>>>>
>>>>>> *4.* Now, keycloak json is:
>>>>>>
>>>>>> {
>>>>>>   "realm": "demo12",
>>>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>>>   "ssl-required": "none",
>>>>>>   "resource": "server12",
>>>>>>   "credentials": {
>>>>>>     "secret": "XXXXXXX"
>>>>>>   },
>>>>>>   "confidential-port": 0,
>>>>>>   "policy-enforcer": {}}
>>>>>>
>>>>>> *5.* And Keycloak Jetty adapter configuration is:
>>>>>>
>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>>> InputStream is =
>>>>>> Thread.currentThread().getContextClassLoader().getResourceAs
>>>>>> Stream(KEYCLOAK_JSON);AdapterConfig
>>>>>> keyCloakConfig;ObjectMapper mapper = new ObjectMapper(new
>>>>>> SystemPropertiesJsonParserFactory());
>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>> keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>> KeycloakJettyAuthenticator kcAuthenticator =
>>>>>> KeyCloakConfig;if(kcAuthenticator != null) {
>>>>>>     ConstraintSecurityHandler securityHandler = new
>>>>>> ConstraintSecurityHandler();
>>>>>>     ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>     constraintMapping.setPathSpec("/*");
>>>>>>     Constraint constraint = new Constraint();
>>>>>>     constraint.setAuthenticate(true);
>>>>>>     constraint.setRoles(new String[]{"**"});
>>>>>>     constraintMapping.setConstraint(constraint);
>>>>>>     securityHandler.addConstraintMapping(constraintMapping);
>>>>>>     securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>     context.setSecurityHandler(securityHandler);}
>>>>>>
>>>>>> *6.* Also, the decoded jwt token sample is:
>>>>>>
>>>>>> {
>>>>>>   "jti": "XXXXXXX",
>>>>>>   "exp": 1533798704,
>>>>>>   "nbf": 0,
>>>>>>   "iat": 1533798404,
>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>   "aud": "server12",
>>>>>>   "sub": "XXXXXXX",
>>>>>>   "typ": "Bearer",
>>>>>>   "azp": "server12",
>>>>>>   "auth_time": 1533798404,
>>>>>>   "session_state": "XXXXXX",
>>>>>>   "acr": "1",
>>>>>>   "allowed-origins": [],
>>>>>>   "realm_access": {
>>>>>>     "roles": [
>>>>>>       "role_special_user",
>>>>>>       "offline_access",
>>>>>>       "uma_authorization",
>>>>>>       "user"
>>>>>>     ]
>>>>>>   },
>>>>>>   "resource_access": {
>>>>>>     "server12": {
>>>>>>       "roles": [
>>>>>>         "uma_protection"
>>>>>>       ]
>>>>>>     },
>>>>>>     "account": {
>>>>>>       "roles": [
>>>>>>         "manage-account",
>>>>>>         "manage-account-links",
>>>>>>         "view-profile"
>>>>>>       ]
>>>>>>     }
>>>>>>   },
>>>>>>   "scope": "openid email profile",
>>>>>>   "email_verified": false,
>>>>>>   "preferred_username": "user_special"}
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

More information about the keycloak-user mailing list