[keycloak-user] Keycloak Istio RBAC returns 403 Forbidden
Kannan K R
kannan.k at kiwitech.com
Tue Nov 12 10:17:36 EST 2019
Hi All,
I’m trying to authorize my users using their roles. Here is my JWT from Keycloak:
{
  "jti": "f9f5af0c-b187-4510-8302-d2d553c3bdee",
  "exp": 1573594538,
  "nbf": 0,
  "iat": 1573558569,
  "iss": "https://kc.krk.wtf/auth/realms/K2",
  "aud": "account",
  "sub": "920fadc1-5a30-4d94-8604-8bd14cea2685",
  "typ": "Bearer",
  "azp": "ufinity",
  "auth_time": 1573558538,
  "session_state": "c5679b6d-fc0e-4536-abc2-3533e6ba8c85",
  "acr": "1",
  "realm_access": {
    "roles": [
      "provider",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "ufinity": {
      "roles": [
        "provider1"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "name": "Kannan2 Provider",
  "preferred_username": "kannan2",
  "given_name": "Kannan2",
  "family_name": "Provider",
  "email": "kannan2 at yopmail.com"
}
My authorization YAML files are as follows:
apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'
  inclusion:
    services:
      - "record.default.svc.cluster.local"
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
    - services:
        - "record"
      paths: ["/users/*"]
      methods: ["GET"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
    - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: provider-role
  namespace: default
spec:
  rules:
    - services: ["*"]
      paths: ["*"]
      methods: ["*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: provider-role-binding
  namespace: default
spec:
  subjects:
    - properties:
        request.auth.claims[roles]: "provider1"
  roleRef:
    kind: ServiceRole
    name: "provider-role"
I’m always getting a 403 Forbidden response.
Please let me know what I am doing wrong here, or point me to the relevant documentation.
Thanks in advance
-Kannan
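The binding above selects on `request.auth.claims[roles]`, but the posted token carries its roles only under `realm_access` and `resource_access`; the following added Python script (not from the post, nor from Istio or Keycloak) resolves that selector against the posted payload the way the v1alpha1 RBAC filter does and reports where the `roles` key actually lives. It assumes that v1alpha1 `request.auth.claims[...]` matches top-level claims only (nested keys are not reachable), so the usual remedy is a Keycloak protocol mapper that emits the roles as a top-level claim; the sample payload is copied from the token in the post.

```python
import json
import re

# Claims copied from the JWT in the post (header and signature omitted; only the
# payload matters for ServiceRoleBinding property matching).
KEYCLOAK_PAYLOAD = json.loads("""{
  "azp": "ufinity",
  "realm_access": {"roles": ["provider", "offline_access", "uma_authorization"]},
  "resource_access": {
    "ufinity": {"roles": ["provider1"]},
    "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}
  },
  "preferred_username": "kannan2"
}""")

SELECTOR = re.compile(r"^request\.auth\.claims\[([^\]]+)\]$")

def resolve_selector(payload, selector):
    """Resolve a ServiceRoleBinding property key the way the v1alpha1 RBAC filter
    does (assumption): the bracketed name is looked up as a TOP-LEVEL claim only,
    so a claim that exists deeper in the payload resolves to None."""
    m = SELECTOR.match(selector)
    if not m:
        raise ValueError(f"unsupported property key: {selector}")
    value = payload.get(m.group(1))
    if value is None:
        return None
    return value if isinstance(value, list) else [value]

def binding_matches(payload, selector, expected):
    """True only if the selector resolves and the expected value is among its values."""
    values = resolve_selector(payload, selector)
    return values is not None and expected in values

def find_claim_paths(node, key, prefix=""):
    """Return every dotted path at which `key` occurs, so the reader can see where
    Keycloak actually placed the roles relative to what the binding asks for."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            path = f"{prefix}.{k}" if prefix else k
            if k == key:
                hits.append(path)
            hits.extend(find_claim_paths(v, key, path))
    return hits

if __name__ == "__main__":
    sel, want = "request.auth.claims[roles]", "provider1"
    print("binding matches:", binding_matches(KEYCLOAK_PAYLOAD, sel, want))
    print("'roles' found at:", find_claim_paths(KEYCLOAK_PAYLOAD, "roles"))
```

A top-level claim such as `azp` resolves as expected, which is why a mapper that flattens roles to the top level makes the same binding match.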