[keycloak-user] Access Forbidden

Pedro Igor Silva psilva at redhat.com
Fri Apr 5 09:16:41 EDT 2019


Hi, this was an issue that was fixed in 5.0.0. You are not the first one to
query this :)

On Thu, Apr 4, 2019 at 8:23 PM Aaron Echols <aechols at bfcsaz.com> wrote:

> Ok, so further testing shows:
>
> Assigning `manage-users` Role doesn't work, assigning `manage-realm` role
> does allow them to login to the Security Console, applying `manage-users`
> role lets them reset passwords. This isn't a good solution though, since
> they get access to settings that they shouldn't be able to access.
>
> Seems like the role got broken during the upgrade possibly. Is there a way
> to reset or reinstall a role?
> --
> *Aaron Echols*
>
> On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols <aechols at bfcsaz.com> wrote:
>
> > Hello All,
> >
> > I was running 4.1.0.Final and decided to upgrade this week to 4.8.3.Final.
> > I'm running into an issue where we set a group up with the `manage-users`
> > Role Mapping. In 4.1.0.Final, the members of said group were able to login
> > and reset passwords for users successfully in the realm they are in.
> >
> > Now when they attempt to access the Security Admin Console under
> > Applications in their profile, they get the following message on the user
> > side:
> >
> > Forbidden
> > You don't have access to the requested resource.
> >
> > All I see in the Events log:
> >
> > LOGIN
> > Client: security-admin-console
> > User: <identifier>
> > IP Address: <local-ip>
> > Details:
> > auth_method: openid-connect
> > auth_type: code
> > response_type: code
> > redirect_uri: /auth/admin/realm/console/
> > consent: no_consent_required
> > code_id: <code-id>
> > response_mode: fragment
> > username: <username>
> >
> > CODE_TO_TOKEN
> > Client: security-admin-console
> > User: <identifier>
> > Details:
> > token_id: <token-id>
> > grant_type: authorization_code
> > refresh_token_type: refresh
> > scope: openid
> > refresh_token_id: <refresh-token-id>
> > code_id: <code-id>
> > client_auth_method: client-secret
> >
> > I've verified that they have the proper roles assigned. Why isn't this
> > working now, and does anyone have any help to be able to troubleshoot?
> >
> > Thanks in advance for any help or recommendations. :)
> > --
> > *Aaron Echols*
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
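An added example, not part of the thread: a small offline check of which `realm-management` client roles an access token issued to `security-admin-console` actually carries, so a help-desk group can be confirmed to hold `manage-users` without the `manage-realm` workaround described above. The token layout follows Keycloak's standard `resource_access` claim; the sample tokens are constructed and unsigned, so this is for inspecting a token you already trust, not for making authorization decisions.

```python
import base64
import json

# Keycloak exposes client-level roles under resource_access.<client>.roles;
# the realm admin roles (manage-users, manage-realm, ...) live on this client.
ADMIN_CLIENT = "realm-management"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying the signature.
    Inspection only: rely on Keycloak's verified token for actual access control."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def realm_management_roles(claims: dict) -> set:
    """Roles the token holds on the realm-management client (empty set if none)."""
    return set(claims.get("resource_access", {}).get(ADMIN_CLIENT, {}).get("roles", []))


def check_least_privilege(claims: dict, required: set) -> dict:
    """Compare held realm-management roles with what the job needs.
    'missing' explains a Forbidden in the admin console; 'excess' flags over-privilege."""
    held = realm_management_roles(claims)
    return {"missing": sorted(required - held), "excess": sorted(held - required)}


def _make_token(claims: dict) -> str:
    # Constructed, unsigned token (alg "none", empty signature) for offline use only.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples mirroring the two situations in the thread.
HELPDESK_TOKEN = _make_token({"azp": "security-admin-console",
    "resource_access": {ADMIN_CLIENT: {"roles": ["manage-users"]}}})
OVERPRIVILEGED_TOKEN = _make_token({"azp": "security-admin-console",
    "resource_access": {ADMIN_CLIENT: {"roles": ["manage-realm", "manage-users"]}}})

if __name__ == "__main__":
    for name, tok in [("helpdesk", HELPDESK_TOKEN), ("workaround", OVERPRIVILEGED_TOKEN)]:
        print(name, check_least_privilege(token_claims(tok), {"manage-users"}))
```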

