[keycloak-user] Access Forbidden

Aaron Echols aechols at bfcsaz.com
Fri Apr 5 12:21:33 EDT 2019


Alright, I guess I'm doing another upgrade. Thanks. :)
--
*Aaron Echols*

On Fri, Apr 5, 2019 at 6:16 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi, this was an issue that was fixed in 5.0.0. You are not the first one
> to query this :)
>
> On Thu, Apr 4, 2019 at 8:23 PM Aaron Echols <aechols at bfcsaz.com> wrote:
>
>> Ok, so further testing shows:
>>
>> Assigning the `manage-users` role doesn't work; assigning the `manage-realm` role
>> does allow them to log in to the Security Console, and applying the `manage-users`
>> role lets them reset passwords. This isn't a good solution though, since
>> they get access to settings that they shouldn't be able to access.
>>
>> Seems like the role got broken during the upgrade possibly. Is there a way
>> to reset or reinstall a role?
>> --
>> *Aaron Echols*
>>
>> On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols <aechols at bfcsaz.com> wrote:
>>
>> > Hello All,
>> >
>> > I was running 4.1.0.Final and decided to upgrade this week to 4.8.3.Final.
>> > I'm running into an issue where we set a group up with the `manage-users`
>> > Role Mapping. In 4.1.0.Final, the members of said group were able to log in
>> > and reset passwords for users successfully in the realm they are in.
>> >
>> > Now when they attempt to access the Security Admin Console under
>> > Applications in their profile, they get the following message on the user
>> > side:
>> >
>> > Forbidden
>> > You don't have access to the requested resource.
>> >
>> > All I see in the Events log:
>> >
>> > LOGIN
>> > Client: security-admin-console
>> > User: <identifier>
>> > IP Address: <local-ip>
>> > Details:
>> > auth_method: openid-connect
>> > auth_type: code
>> > response_type: code
>> > redirect_uri: /auth/admin/realm/console/
>> > consent: no_consent_required
>> > code_id: <code-id>
>> > response_mode: fragment
>> > username: <username>
>> >
>> > CODE_TO_TOKEN
>> > Client: security-admin-console
>> > User: <identifier>
>> > Details:
>> > token_id: <token-id>
>> > grant_type: authorization_code
>> > refresh_token_type: refresh
>> > scope: openid
>> > refresh_token_id: <refresh-token-id>
>> > code_id: <code-id>
>> > client_auth_method: client-secret
>> >
>> > I've verified that they have the proper roles assigned; why isn't this
>> > working now, and does anyone have any help to be able to troubleshoot?
>> >
>> > Thanks in advance for any help or recommendations. :)
>> > --
>> > *Aaron Echols*
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
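A check that would have shortened this thread is to look at the token the console actually received rather than at the role-mapping screen: the CODE_TO_TOKEN event above shows the console got an access token, and Keycloak's default role mappers copy client-level roles into the `resource_access` claim, keyed by client ID, with the realm administration roles (`manage-users`, `manage-realm`, ...) under the `realm-management` client. If `manage-users` is present there, the group mapping is fine and the Forbidden comes from the server side (here, the bug Pedro points at); if it is absent, the mapping never reached the token. The script below is an added example written for this page, not code from the thread or from the Keycloak project. The sample tokens, the `sso.example.test` issuer, the realm name `demo` and the usernames are constructed; the tokens are unsigned (`alg=none`) only so the example runs offline, and the decoder deliberately skips signature verification because it is an inspection aid, not a validation step.

```python
import base64
import json

# Keycloak places client-level roles in the "resource_access" claim of the
# access token, keyed by client ID. Realm administration roles such as
# manage-users and manage-realm belong to the "realm-management" client.
REALM_MGMT_CLIENT = "realm-management"


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT checking its signature.

    Use this only to inspect a token you already hold (e.g. copied from the
    browser session of the user who is getting 'Forbidden'); it is not a
    validation step and must never gate an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims: dict, client_id: str) -> set:
    """Roles granted on one client, exactly as they appear in the token."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def admin_roles(claims: dict) -> set:
    """Effective realm-management roles carried by the token."""
    return client_roles(claims, REALM_MGMT_CLIENT)


def missing_roles(claims: dict, required: set) -> set:
    """Which of the required realm-management roles the token lacks."""
    return set(required) - admin_roles(claims)


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: alg=none and an empty signature segment.
    Keycloak never issues such a token; it exists so the example runs offline."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


# Constructed sample claims modelled on the thread: one token where the group
# mapping delivered manage-users, one where no realm-management role arrived.
ISSUER = "https://sso.example.test/auth/realms/demo"  # assumed hostname/realm

TOKEN_WITH_MANAGE_USERS = make_unsigned_token({
    "iss": ISSUER,
    "azp": "security-admin-console",
    "preferred_username": "helpdesk1",
    "resource_access": {
        REALM_MGMT_CLIENT: {"roles": ["manage-users", "view-users"]},
    },
})

TOKEN_WITHOUT_ADMIN_ROLES = make_unsigned_token({
    "iss": ISSUER,
    "azp": "security-admin-console",
    "preferred_username": "helpdesk2",
    "resource_access": {"account": {"roles": ["manage-account"]}},
})


def report(token: str, required=("manage-users",)) -> str:
    """One-line verdict: did the role mapping make it into this token?"""
    claims = decode_jwt_payload(token)
    user = claims.get("preferred_username", "?")
    lacking = missing_roles(claims, set(required))
    if lacking:
        return f"{user}: token lacks {sorted(lacking)}; the group/role mapping did not reach the token"
    return f"{user}: token carries {sorted(admin_roles(claims))}; mapping is fine, look at the server side"


if __name__ == "__main__":
    print(report(TOKEN_WITH_MANAGE_USERS))
    print(report(TOKEN_WITHOUT_ADMIN_ROLES))
```

To use it against a real deployment, paste the affected user's access token into `report()`; if the `realm-management` entry is missing entirely, also confirm that the client scope for `security-admin-console` still includes the client-roles mapper, since that is what populates `resource_access` in the first place.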

