I'm trying to use the Keycloak API (in Node via the keycloak-admin library), but I systematically get error 403.

I successfully get an access token via the library by calling /auth/realms/master/protocol/openid-connect/token (on the master realm).

When I look inside my token, I seem to have the correct roles to be able to query the users:

```json
{
  "jti": "xx-..",
  "exp": 1585561478,
  "nbf": 0,
  "iat": 1585561418,
  "iss": "https://auth-mycompany.com/auth/realms/master",
  "aud": "mycompany-realm",
  "sub": "xx-..",
  "typ": "Bearer",
  "azp": "admin-cli",
  "auth_time": 0,
  "session_state": "xx-..",
  "acr": "1",
  "resource_access": {
    "mycompany-realm": {
      "roles": [ "view-users", "query-groups", "query-users" ]
    }
  },
  "scope": "email profile",
  "email_verified": true,
  "name": "myname",
  "preferred_username": "myname",
  "given_name": "my name",
  "email": "[email protected]"
}
```

However, when I do a GET on https://auth-mycompany.com/auth/admin/realms/master/users or https://auth-mycompany.com/auth/admin/realms/mycompany/users, I get 403 errors.

Maybe it's linked with the "aud" of my token? Why do I get a token with "aud": "mycompany-realm" when I query the master realm?

Thanks for any help.

aud means the audience field of the access token, so nothing wrong on that. Get the token from the master realm and fire the same query again and see whether it is working or not. – Subodh Joshi

I thought I had the token from the master realm already... why do you think it is not a token from the master realm? On the Keycloak logs, I can see the corresponding LOGIN event on the master realm. – Hermine

Right token from the right realm; how long is the lifetime of the token? – Subodh Joshi

The token is one minute long; it is not expired when I call the /users endpoint. – Hermine

So is no single REST API working with this token? If not, try with the admin-cli tool and see if you are able to create a new realm or user. – Subodh Joshi

1 Answer

I eventually realized that this is due to the fact that I have implemented Port Restriction for admin endpoints. As described in the documentation, all endpoints starting with /auth/admin get a 403 response. Instead, these endpoints are accessible via another port (for example 9991) which is not accessible over the internet.

What I did to fix my issue: because both my Node.js service and my Keycloak server are running on the same Kubernetes cluster, I changed the authUrl of my Keycloak server to its service name http://servicename.namespace.svc.cluster.local:9991/auth
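Added example (not code from the post or from the keycloak-admin library) in plain Node 18+, showing how to tell the two 403 causes apart: a token that lacks the management role for the target realm, versus the admin path being blocked on the public port. It assumes the cluster-internal base URL from the answer, a constructed token whose payload copies the one in the question, and credentials in KC_USER/KC_PASS for the optional live call.

```javascript
// Admin REST calls go to the internal port (9991); the public port answers 403 for /auth/admin.
const INTERNAL_ADMIN_BASE =
  process.env.KEYCLOAK_ADMIN_URL || "http://servicename.namespace.svc.cluster.local:9991/auth";

// Decode a JWT payload for inspection only; this does NOT verify the signature.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected a compact JWS (header.payload.signature)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// In the master realm, management roles for realm X sit on a client named "X-realm";
// GET /admin/realms/X/users needs "view-users" on that client.
function canListUsers(payload, realm) {
  const roles = (payload.resource_access || {})[`${realm}-realm`]?.roles || [];
  return roles.includes("view-users");
}

// Build the admin users URL for a realm under the given base (trailing slashes tolerated).
function adminUsersUrl(base, realm) {
  return `${base.replace(/\/+$/, "")}/admin/realms/${encodeURIComponent(realm)}/users`;
}

// Constructed sample token: unsigned, payload copied from the question, dummy signature.
const SAMPLE_PAYLOAD = {
  exp: 1585561478, iat: 1585561418, iss: "https://auth-mycompany.com/auth/realms/master",
  aud: "mycompany-realm", azp: "admin-cli",
  resource_access: { "mycompany-realm": { roles: ["view-users", "query-groups", "query-users"] } },
};
const SAMPLE_TOKEN = [
  Buffer.from(JSON.stringify({ alg: "none", typ: "JWT" })).toString("base64url"),
  Buffer.from(JSON.stringify(SAMPLE_PAYLOAD)).toString("base64url"),
  "dummy-signature",
].join(".");

// Live check (runs only when KEYCLOAK_ADMIN_URL and KC_USER are set): get a token from the
// master realm with admin-cli, check its roles, then list users via the internal admin port.
async function listUsersViaInternalPort(realm) {
  const body = new URLSearchParams({ grant_type: "password", client_id: "admin-cli",
    username: process.env.KC_USER, password: process.env.KC_PASS });
  const tok = await fetch(`${INTERNAL_ADMIN_BASE}/realms/master/protocol/openid-connect/token`,
    { method: "POST", body }).then((r) => r.json());
  if (!canListUsers(decodeJwtPayload(tok.access_token), realm)) throw new Error("token lacks view-users");
  const res = await fetch(adminUsersUrl(INTERNAL_ADMIN_BASE, realm),
    { headers: { Authorization: `Bearer ${tok.access_token}` } });
  if (res.status === 403) throw new Error("403: admin path blocked on this port or role missing");
  return res.json();
}

if (process.env.KEYCLOAK_ADMIN_URL && process.env.KC_USER) {
  listUsersViaInternalPort("mycompany").then((u) => console.log(u.length, "users")).catch(console.error);
}
```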