I have setup authentication with keycloak 4.1 successfully. Now I am setting up authorization.
The post might seem longer than it actually is because it contains a lot of images that show the configuration. I have also already referred to the following SO posts:
wildfly integration with keycloak 403 forbidden error
403 Forbidden error, while access the ClientRepresentation in keycloack
Keycloak 403 (Forbidden) on Keycloak.loadUserProfile()
Facing 403 Forbidden error
I created another resource (i.e. undeleted the default resource which gets auto-created) with /*, and now the 403 is not seen. But when I put a debugger in my application, I see that only this resource is present in the permissions list:
AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
java.util.List<Permission> pems = authzContext.getPermissions();
It contains only the default resource, i.e. the resource with /*, when it should contain the resource test_role_resource in the list as well (in case the above configuration matches the permission, policy and role of the user getting authenticated).
With all the configuration (shared below), when I test using the evaluate option under the authorization tab, the result is permit:
But when I make a request to this resource through postman, I get 403.
1. Following the documentation, I created a realm role, role_special_user, and created a user, user_special, with this role and the role user.
2. Next, my resource server / client is as shown below with full scope enabled:
3. Under authorization tab, I created a resource as shown below:
4. The role based policy is :
and is mapped to resource using following permission:
5. Now, keycloak.json is:
{
"realm": "demo12",
"auth-server-url": "http://localhost:8180/auth",
"ssl-required": "none",
"resource": "server12",
"credentials": {
"secret": "XXXXXXX"
},
"confidential-port": 0,
"policy-enforcer": {}
}
6. And Keycloak Jetty adapter configuration is:
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.util.security.Constraint;
import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.util.SystemPropertiesJsonParserFactory;

// Load keycloak.json from the classpath into the adapter configuration
final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);

// Jetty authenticator backed by the Keycloak adapter configuration
KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
kcAuthenticator.setAdapterConfig(keyCloakConfig);

// Require authentication for every path; "**" means any authenticated role
ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
ConstraintMapping constraintMapping = new ConstraintMapping();
constraintMapping.setPathSpec("/*");
Constraint constraint = new Constraint();
constraint.setAuthenticate(true);
constraint.setRoles(new String[]{"**"});
constraintMapping.setConstraint(constraint);
securityHandler.addConstraintMapping(constraintMapping);
securityHandler.setAuthenticator(kcAuthenticator);
context.setSecurityHandler(securityHandler);
7. Also, a sample of the decoded JWT is:
{
"jti": "XXXXXXX",
"exp": 1533798704,
"nbf": 0,
"iat": 1533798404,
"iss": "http://localhost:8180/auth/realms/demo12",
"aud": "server12",
"sub": "XXXXXXX",
"typ": "Bearer",
"azp": "server12",
"auth_time": 1533798404,
"session_state": "XXXXXX",
"acr": "1",
"allowed-origins": [],
"realm_access": {
"roles": [
"role_special_user",
"offline_access",
"uma_authorization",
"user"
]
},
"resource_access": {
"server12": {
"roles": [
"uma_protection"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "openid email profile",
"email_verified": false,
"preferred_username": "user_special"
}
Which part of the configuration is wrong and leads to the 403 error?
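As an added example (not part of the question), here is the same keycloak.json with the empty policy-enforcer block replaced by an explicit path configuration that names the resource the adapter should request a permission for. The path /special/* and the DISABLED entry for /health are assumptions, since the resource URI on the page appears only in a screenshot.

```json
{
  "realm": "demo12",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "none",
  "resource": "server12",
  "credentials": {
    "secret": "XXXXXXX"
  },
  "confidential-port": 0,
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "test_role_resource",
        "path": "/special/*",
        "enforcement-mode": "ENFORCING"
      },
      {
        "path": "/health",
        "enforcement-mode": "DISABLED"
      }
    ]
  }
}
```

The name value must match the resource registered under the client's Authorization tab exactly; when a request path matches that entry the adapter asks the server for a permission on that resource rather than only on the /* default, which is what the permissions list seen in the debugger reflects.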
This can happen mainly due to two reasons:
2. If you have hosted your Keycloak on some server, keep in mind that Keycloak now defaults to HTTPS for all external IP addresses. Until you get the SSL certificate for your server, disable it in the realm settings.
Access the DB instance (here I used PostgreSQL):
docker exec -it /bin/bash
Then execute:
psql -U YOUR_DB_USER -d YOUR_DB
Execute the command below to check the realm table:
select * from realm;
In the realm table, ssl_required is EXTERNAL by default. Set it to NONE:
update REALM set ssl_required='NONE' where id = 'YOUR_REALM_NAME';
Restart the Keycloak instance and check the result:
docker restart CONTAINER_ID