[keycloak-user] Access Forbidden

Aaron Echols aechols at bfcsaz.com
Sat Apr 6 14:06:33 EDT 2019


So it does work giving the group the following permissions:

   - `view-users`
   - `manage-users`

Not sure if this is the intended behaviour or not, but it does work. The
way it worked previously was just adding `manage-users` and they could do
what they needed to. Thanks. :)
--
*Aaron Echols*

On Sat, Apr 6, 2019 at 10:41 AM Aaron Echols <aechols at bfcsaz.com> wrote:

> Upgrading to 5.0.0 doesn't resolve the issue. I reduced the roles on the
> users group to `manage-users` and its members are forbidden access on the
> Security Admin Console.
> --
> *Aaron Echols*
>
> On Fri, Apr 5, 2019 at 6:16 AM Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> Hi, this was an issue that was fixed in 5.0.0. You are not the first one
>> to query this :)
>>
>> On Thu, Apr 4, 2019 at 8:23 PM Aaron Echols <aechols at bfcsaz.com> wrote:
>>
>>> Ok, so further testing shows:
>>>
>>> Assigning `manage-users` Role doesn't work, assigning `manage-realm` role
>>> does allow them to login to the Security Console, applying `manage-users`
>>> role lets them reset passwords. This isn't a good solution though, since
>>> they get access to settings that they shouldn't be able to access.
>>>
>>> Seems like the role got broken during the upgrade possibly. Is there a
>>> way to reset or reinstall a role?
>>> --
>>> *Aaron Echols*
>>>
>>> On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols <aechols at bfcsaz.com> wrote:
>>>
>>> > Hello All,
>>> >
>>> > I was running 4.1.0.Final and decided to upgrade this week to
>>> > 4.8.3.Final. I'm running into an issue where we set a group up with the
>>> > `manage-users` Role Mapping. In 4.1.0.Final, the members of said group
>>> > were able to login and reset passwords for users successfully in the
>>> > realm they are in.
>>> >
>>> > Now when they attempt to access the Security Admin Console under
>>> > Applications in their profile, they get the following message on the
>>> > user side:
>>> >
>>> > Forbidden
>>> > You don't have access to the requested resource.
>>> >
>>> > All I see in the Events log:
>>> >
>>> > LOGIN
>>> > Client: security-admin-console
>>> > User: <identifier>
>>> > IP Address: <local-ip>
>>> > Details:
>>> > auth_method: openid-connect
>>> > auth_type: code
>>> > response_type: code
>>> > redirect_uri: /auth/admin/realm/console/
>>> > consent: no_consent_required
>>> > code_id: <code-id>
>>> > response_mode: fragment
>>> > username: <username>
>>> >
>>> > CODE_TO_TOKEN
>>> > Client: security-admin-console
>>> > User: <identifier>
>>> > Details:
>>> > token_id: <token-id>
>>> > grant_type: authorization_code
>>> > refresh_token_type: refresh
>>> > scope: openid
>>> > refresh_token_id: <refresh-token-id>
>>> > code_id: <code-id>
>>> > client_auth_method: client-secret
>>> >
>>> > I've verified that they have the proper roles assigned. Why isn't this
>>> > working now, and does anyone have any tips to help troubleshoot it?
>>> >
>>> > Thanks in advance for any help or recommendations. :)
>>> > --
>>> > *Aaron Echols*
>>> >
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
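An added example, not from this thread or from the Keycloak project: a small Python audit that reads a group's `realm-management` client-role mappings and reports whether the `view-users` + `manage-users` pair the thread settled on is present, and whether an overbroad role such as `manage-realm` was granted as a workaround. The Admin REST endpoint path, the bearer-token handling and the sample JSON responses are my assumptions, constructed for the example.

```python
"""Audit a Keycloak group's realm-management client roles for the
least-privilege pair needed to log in to the admin console and reset
user passwords. Added example; endpoint and samples are assumptions."""
import json
import urllib.request

# Pair reported in the thread as sufficient on 5.0.0 for console login
# plus password resets, without exposing realm-wide settings.
MINIMAL_ROLES = {"view-users", "manage-users"}
# Roles that grant far more than password resets; flag them as over-privilege.
OVERBROAD_ROLES = {"manage-realm", "realm-admin"}

def audit_roles(role_names):
    """Given the names of realm-management client roles mapped to a group,
    report whether the minimal pair is present and which overbroad roles exist."""
    roles = set(role_names)
    missing = MINIMAL_ROLES - roles
    return {
        "has_minimal_pair": not missing,
        "missing": sorted(missing),
        "overbroad": sorted(roles & OVERBROAD_ROLES),
    }

def audit_mapping_response(body):
    """Parse the JSON list of role representations returned by
    GET /admin/realms/{realm}/groups/{group-id}/role-mappings/clients/{client-uuid}
    (assumed endpoint shape) and audit the role names it contains."""
    return audit_roles(role["name"] for role in json.loads(body))

def fetch_and_audit(base_url, realm, group_id, client_uuid, token):
    """Fetch the group's realm-management client-role mappings with an admin
    bearer token. client_uuid is the internal id of the realm-management
    client, not its clientId string (assumption about the API)."""
    url = (f"{base_url}/admin/realms/{realm}/groups/{group_id}"
           f"/role-mappings/clients/{client_uuid}")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return audit_mapping_response(resp.read().decode())

# Constructed samples mirroring the three states described in the thread.
SAMPLE_BEFORE = json.dumps([{"name": "manage-users", "clientRole": True}])
SAMPLE_WORKAROUND = json.dumps([{"name": "manage-realm", "clientRole": True},
                                {"name": "manage-users", "clientRole": True}])
SAMPLE_FIXED = json.dumps([{"name": "view-users", "clientRole": True},
                           {"name": "manage-users", "clientRole": True}])

if __name__ == "__main__":
    for label, body in [("before", SAMPLE_BEFORE), ("workaround", SAMPLE_WORKAROUND),
                        ("fixed", SAMPLE_FIXED)]:
        print(label, audit_mapping_response(body))
```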

