I have setup authentication with keycloak 4.1 successfully. Now I am setting up authorization.
NOTE:
Post might seem longer than it actually is as it contains lot of images that show configuration. Also already referred following SO posts:
wildfly integration with keycloak 403 forbidden error
403 Forbidden error, while access the ClientRepresentation in keycloack
Keycloak 403 (Forbidden) on Keycloak.loadUserProfile()
wildfly integration with keycloak 403 forbidden error
UPDATE:
I created another resource (i.e. undeleted default resource which gets auto created) with /*, and now 403 is not seen. But when I put a debugger in my application, I see that only this resource is present in the permissions list:
AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
java.util.List<Permission> pems = authzContext.getPermissions();
It contains only default resource i.e resource with /* , when it should contain the resource test_role_resource in the list as well. (in case the above configuration matches the permission,policy,role of user getting authentciated)
(Original Post) Issue:
With all the configuration(shared below), when I test using the evaluate option under authorization tab, result is permit:
But when I make a request to this resource through postman, I get 403.
CONFIGURATION:
1. Following the documentation, I created a realm role : role_special_user and created a user : user_special with this role and role user.
2. Next, my resource server / client is as shown below with full scope enabled:
3. Under authorization tab, I created a resource as shown below:
4. The role based policy is :
and is mapped to resource using following permission:
5. Now, keycloak json is:
{
"realm": "demo12",
"auth-server-url": "http://localhost:8180/auth",
"ssl-required": "none",
"resource": "server12",
"credentials": {
"secret": "XXXXXXX"
},
"confidential-port": 0,
"policy-enforcer": {}
}
6. And Keycloak Jetty adapter configuration is:
final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
AdapterConfig keyCloakConfig;
ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
keyCloakAuthenticator.setAdapterConfig(keyCloakConfig);
if(kcAuthenticator != null) {
ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
ConstraintMapping constraintMapping = new ConstraintMapping();
constraintMapping.setPathSpec("/*");
Constraint constraint = new Constraint();
constraint.setAuthenticate(true);
constraint.setRoles(new String[]{"**"});
constraintMapping.setConstraint(constraint);
securityHandler.addConstraintMapping(constraintMapping);
securityHandler.setAuthenticator(kcAuthenticator);
context.setSecurityHandler(securityHandler);
}
7. Also, the decoded jwt token sample is:
{
"jti": "XXXXXXX",
"exp": 1533798704,
"nbf": 0,
"iat": 1533798404,
"iss": "http://localhost:8180/auth/realms/demo12",
"aud": "server12",
"sub": "XXXXXXX",
"typ": "Bearer",
"azp": "server12",
"auth_time": 1533798404,
"session_state": "XXXXXX",
"acr": "1",
"allowed-origins": [],
"realm_access": {
"roles": [
"role_special_user",
"offline_access",
"uma_authorization",
"user"
]
},
"resource_access": {
"server12": {
"roles": [
"uma_protection"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "openid email profile",
"email_verified": false,
"preferred_username": "user_special"
}
Which part of configuration is wrong which is leading to 403 error?







KeycloakJettyAuthenticator kcAuthenticator = KeyCloakConfig;mean? What isKeyCloakConfig? It looks like it shouldn't even compile. - banan3'14