I am new to Keycloak. I am using the official tutorial project at https://github.com/sebastienblanc/spring-boot-keycloak-tutorial
for integrating with a Spring Boot application. I have set up the Keycloak server successfully, and the Spring Boot application redirects to the client application I have created in the realm I have created on Keycloak. After providing the correct credentials, it redirects to the forbidden page.
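
    import java.util.Arrays;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.stereotype.Controller;
    import org.springframework.ui.Model;
    import org.springframework.web.bind.annotation.GetMapping;

    @Controller
    class ProductController {

        // Protected by the keycloak.security-constraints entries in application.properties
        @GetMapping(path = "/products")
        public String getProducts(Model model){
            model.addAttribute("products", Arrays.asList("iPad","iPhone","iPod"));
            return "products";
        }

        // Ends the servlet session that the Keycloak adapter created at login
        @GetMapping(path = "/logout")
        public String logout(HttpServletRequest request) throws ServletException {
            request.logout();
            return "/";
        }
    }
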
Application.properties file

    keycloak.auth-server-url=http://localhost:8080/auth
    keycloak.realm=springdemo
    keycloak.resource=product-app
    keycloak.public-client=true
    keycloak.security-constraints[0].authRoles[0]=testuser
    keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
    server.port=8081

I am not getting any error message from the Keycloak console or the Spring embedded Tomcat console.
Check the Tomcat console here - no error

Thank you.

I think you have a typo at

    keycloak.security-constraints[0].authRoles[0]=testuser

You should specify the role here and not the user.
If you follow the blogpost instructions it should be:

    keycloak.security-constraints[0].authRoles[0]=user

In my case here I set use-resource-role-mappings to true, considering that it would provide both realm and client roles, but it turns out that if this option is set to true, only client roles are considered.
AFAICS, there is no way to use both.
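
The two answers above both come down to which role list the adapter compares against authRoles. As an added example (not part of the original thread or the tutorial project), this Python sketch decodes a Keycloak access token payload and reports why a constraint would end in 403. The function names and the sample token are constructed for illustration, and the realm/client selection is a simplified model of the behaviour described in the answer above.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def effective_roles(claims, resource, use_resource_role_mappings=False):
    """Roles matched against authRoles: client roles if the flag is true, else realm roles."""
    if use_resource_role_mappings:
        source = claims.get("resource_access", {}).get(resource, {})
    else:
        source = claims.get("realm_access", {})
    return set(source.get("roles", []))

def explain(claims, resource, auth_roles, use_resource_role_mappings=False):
    """Return 'allowed' or a reason for the 403 (simplified model of the adapter check)."""
    wanted = set(auth_roles)
    roles = effective_roles(claims, resource, use_resource_role_mappings)
    if roles & wanted:
        return "allowed"
    user = claims.get("preferred_username")
    if user in wanted:
        return f"403: authRoles lists the username '{user}', not a role"
    if effective_roles(claims, resource, not use_resource_role_mappings) & wanted:
        return "403: role is in the other scope (realm vs client); check use-resource-role-mappings"
    return f"403: none of {sorted(wanted)} found in {sorted(roles)}"

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: user 'testuser' holds realm role 'user' and no client roles.
SAMPLE_CLAIMS = {
    "preferred_username": "testuser",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"product-app": {"roles": []}},
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url(SAMPLE_CLAIMS), "constructed-signature"])

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print(explain(claims, "product-app", ["testuser"]))    # config from the question
    print(explain(claims, "product-app", ["user"]))        # config from the first answer
    print(explain(claims, "product-app", ["user"], True))  # client roles only
```

To check a real login, pass the access token issued to the client to jwt_claims in place of the constructed sample.
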
I had the same issue and the problem was that I was using variables separated by dashes, instead of camel case. For example, I had this (incorrect):

    keycloak:
      auth-server-url: http://localhost:8083/auth
      realm: springdemo
      resource: Resource_Name
      public-client: true
      security-constraints[0].auth-roles[0]: user
      security-constraints[0].security-collections[0].patterns[0]: /

instead of (correct):

    keycloak:
      authServerUrl: http://localhost:8083/auth
      realm: springdemo
      resource: Resource_Name
      publicClient: true
      securityConstraints[0].authRoles[0]: user
      securityConstraints[0].securityCollections[0].patterns[0]: /