[keycloak-user] Keycloak Istio RBAC returns 403 Forbidden

Kannan K R kannan.k at kiwitech.com
Tue Nov 12 10:17:36 EST 2019 

Hi All

I’m trying to authorize my users using their roles. Here is my JWT from
Keycloak

{
  "jti": "f9f5af0c-b187-4510-8302-d2d553c3bdee",
  "exp": 1573594538,
  "nbf": 0,
  "iat": 1573558569,
  "iss": "https://kc.krk.wtf/auth/realms/K2",
  "aud": "account",
  "sub": "920fadc1-5a30-4d94-8604-8bd14cea2685",
  "typ": "Bearer",
  "azp": "ufinity",
  "auth_time": 1573558538,
  "session_state": "c5679b6d-fc0e-4536-abc2-3533e6ba8c85",
  "acr": "1",
  "realm_access": {
"roles": [
  "provider",
  "offline_access",
  "uma_authorization"
]
  },
  "resource_access": {
"ufinity": {
  "roles": [
    "provider1"
  ]
},
"account": {
  "roles": [
    "manage-account",
    "manage-account-links",
    "view-profile"
  ]
}
  },
  "scope": "openid email profile",
  "email_verified": false,
  "name": "Kannan2 Provider",
  "preferred_username": "kannan2",
  "given_name": "Kannan2",
  "family_name": "Provider",
  "email": "kannan2 at yopmail.com"
}

My Authorization yaml files are as follows:

apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'
  inclusion:
    services:
    - "record.default.svc.cluster.local"
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services:
    - "record"
    paths: ["/users/*"]
    methods: ["GET"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: provider-role
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: provider-role-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[roles]: "provider1"
  roleRef:
    kind: ServiceRole
    name: "provider-role"

I’m always getting 403 forbidden response.

Please let me know what am I doing wrong here. Or please point me to a
documentation

Thanks in advance
-Kannan

-- 






************************************************************************


This e-mail and all attachments are intended solely for use by
the intended 
recipient and may contain confidential / proprietary information
of 
KiwiTech, LLC, subject to important disclaimers and conditions including

restrictions on the use, disclosure, transfer or export of such 
information. If you have received this
message in error or are not the 
named recipient(s), please immediately notify
the sender at the telephone 
number stated above or by reply e-mail and delete
this e-mail from your 
computer

More information about the keycloak-user mailing list