First of all I'm using
keycloak-authz-client-3.3.0.Final
spring boot 1.5.8.RELEASE
spring-boot-starter-security
I've been playing with Keycloak spring adapter exploring the examples since we want to adopt it to our project.
I was able to make it run for Roles easily using this tutorial:
https://dzone.com/articles/easily-secure-your-spring-boot-applications-with-k
After that I moved to permissions and that's when it gets trickier (that's also our main goal).
I want to achieve something like described in here (9.1.2):
http://www.keycloak.org/docs/2.4/authorization_services_guide/topics/enforcer/authorization-context.html#
To get permissions you need to setup in Keycloak Authorization, credentials, and then create Resources or Scopes and Policies to be able to create permissions (it took me a while but I got it working). Testing in the Evaluater everything seems fine.
Next step was to get user permissions on the Spring side. In order to do that I had to enable:
keycloak.policy-enforcer-config.enforcement-mode=permissive
The moment I enable this I get everytime this exception
java.lang.RuntimeException: Could not find resource.
at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:88)
at org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer...
...
Caused by: org.keycloak.authorization.client.util.HttpResponseException:
Unexpected response from server: 403 / Forbidden
No matter what address I hit in the server.
So I started to investigate what was the root of the problem. Looking at some examples how to manually get the permissions I actually got them in postman with the following request:
http://localhost:8080/auth/realms/${myKeycloakRealm}/authz/entitlement/${MyKeycloakClient}
including the header Authorization : bearer ${accessToken}
response was {"rpt": ${jwt token}} that actually contains the permissions
So knowing this was working it must be something wrong with the Spring adapter. Investigating a bit further on the Keycloak exception I found that that error was occurring the moment the adapter was getting all the resources. For that it was using the following url:
http://localhost:28080/auth/realms/license/authz/protection/resource_set
with a different token in the headers (that I copied when debugging)
So when I tried it in postman I also got a 403 error, but with a json body:
{
"error": "invalid_scope",
"error_description": "Requires uma_protection scope."
}
I've enabled and disabled all uma configuration within keycloak and I can't make it work. Can please someone point me into the right direction?
Update
I've now updated Keycloak adapter to 3.4.0.final and I'm getting the following error in the UI:
Mon Nov 20 10:09:21 GMT 2017
There was an unexpected error (type=Internal Server Error, status=500).
Could not find resource. Server message: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
(Pretty much the same I was getting in the postman request)
I've also printed all the user roles to make sure the uma_protection role is there, and it is.
Another thing I did was to disable spring security role prefix to make sure it wasn't a mismatch on the role.
Update 2
Was able to resolve the 403 issue (you can see it in the response below).
Still getting problems obtaining KeycloakSecurityContext from the HttpServletRequest
Update 3
Was able to get KeycloakSecurityContext like this:
Principal principal = servletRequest.getUserPrincipal();
KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) principal;
OidcKeycloakAccount auth = token.getAccount();
KeycloakSecurityContext keycloakSecurityContext = auth.getKeycloakSecurityContext();
AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
The problem now is that the AuthorizationContext is always null.
I've managed to get it working by adding uma_protection role to the Service Account Roles tab in Keycloak client configuration
More information about it here:
http://www.keycloak.org/docs/2.0/authorization_services_guide/topics/service/protection/whatis-obtain-pat.html
Second part of the solution:
It's mandatory to have the security constrains in place even if they don't mean much to you. Example:
keycloak.securityConstraints[0].authRoles[0] = ROLE1
keycloak.securityConstraints[0].securityCollections[0].name = protected
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*
Useful demos:
https://github.com/keycloak/keycloak-quickstarts
This code works for me:
HttpServletRequest request = ...; // obtain javax.servlet.http.HttpServletRequest
Principal userPrincipal = request.getUserPrincipal();
KeycloakPrincipal < KeycloakSecurityContext > keycloakPrincipal =
(KeycloakPrincipal < KeycloakSecurityContext > ) userPrincipal;
KeycloakSecurityContext securityContext =
keycloakPrincipal.getKeycloakSecurityContext();
If you faced "java.lang.RuntimeException: Could not find resource" error and you are using Keycloak docker container, The error can be because of this. I dont have enough information about docker. Hence I download keycloak as a zip file and run it. It works properly.
Related
I am trying to create user with keycloak's /users endpoint in a spring boot project .
These are the steps I have followed
First created an admin in master realm and admin-cli client.
Used that to get instance of keycloak for further operations.
return Keycloak.getInstance(
keycloakProperties.getAuthServerUrl(),
"master",
adminConfig.getUserName(),
adminConfig.getPassword(),
"admin-cli");
I am able to get the user created if I don't add the client representation in user.
If I add the CredentialRepresentation inside the userRepresentation object ,I am getting the BadRequest error (400 code) without any details . I looked up the keycloak server logs that too wasnt helpful.
As a try,I did the user creation first and reset password later,then also user created,but unable to set password with reset-password endpoint (same error) .As mentioned in the documents,I have set the enabled property of userRepresentation to true.
Keycloak version : 12.0.4 ,Spring boot version : 2.1.6.RELEASE
I tried to read the entity from the response received, but failed in that too.
Any help to figure out the issue will e appreciated.
// Code for usercreation
UserRepresentation userRepresentation = new UserRepresentation();
userRepresentation.setUsername(userModel.getEmail());
userRepresentation.setEmail(userModel.getEmail());
userRepresentation.setCredentials(Arrays.asList(createPasswordCredentials(userModel.getPassword())));
userRepresentation.setEnabled(true);
Keycloak keycloak = getKeycloakInstance(keycloakProperties);
Response response = keycloak.realm(keycloakProperties.getRealm()).users().create(userRepresentation);
log.info("Response Code {}", response.getStatus());
Code for CredentialRepresentation :
private static CredentialRepresentation createPasswordCredentials(String password) {
CredentialRepresentation passwordCredentials = new CredentialRepresentation();
passwordCredentials.setTemporary(false);
passwordCredentials.setType(CredentialRepresentation.PASSWORD);
passwordCredentials.setValue(password);
return passwordCredentials;
}
I just want to update the real cause behind this issue,The server I used was of old version ,and the issue got fixed when tested against latest keycloak server.
Thank you for the support guys :)
Our application is a Spring Boot application and we have gotten a requirement to implement OAuth2 authorization with the IdentityServer3 as the provider.
However, with everything set up properly, we keep getting the error The client application is not known or is not authorized. when redirected to the login screen of the SSO system.
Using postman, we are able to access the login screen when clicking 'Get New Access Token'
Using AdvanceRestClient, we get the same error as our Spring Boot application.
Checking the log of these 2 tools, i found that on postman, the request will POST to the Access Token URL first, while on both Spring Boot security and the AdvanceRESTClient, it will generate a GET URI to the authorize URL.
Example of POSTMAN:
POST https://login.xxx.com.my/LoginHost/core/connect/token
Example of AdvanceRESTClient first request:
GET https://login.xxxx.com.my/LoginHost/core/connect/authorize?response_type=code&client_id=xxx.web&redirect_uri=https%3A%2F%2Fauth.advancedrestclient.com%2Foauth-popup.html&scope=openid%20email%20profile&state=XXX
This is confusing. Which behaviour is correct? And why is there a difference there?
Hope anyone can help with this. Thanks.
* UPDATE 1 *
POSTMAN settings:
AdvanceRESTClient:
After looking at the console logs of both client, it seems that the issue is caused by the redirect-url. After changing the redirect url on AdvancedRestClient to match with postman settings then it works.
I'm trying out the S/4HANA extension development exercises for multi-tenancy (Week 2 - Unit 4 of this course). I was able to setup Postman as described in the video, but when I execute PUT tenant after executing GET csrf token, I get an error that says Forbidden and do not get a status of 204 as shown in the video, but get 403 instead. Could you please let me know what I might be doing wrong here. Many thanks.
Please find attached a copy of the response received via Postman.
In the logs of approuter, I can see this one message stand out (but my destination seems to be set)
Msg: "Error during loading of destination service credentials. Verify Destination service is bound"
Could there be any other reason why I am getting a 403 Forbidden response instead of it creating a tenant successfully? Any pointers to proceed would be appreciated.
Access is forbidden because the backend is again being protected by a CSRF filter - in addition to the CSRF protection which the approuter provides. Likely, you will see a header x-csrf-token: Required in the 403 response.
Fo fix this, in your backend application, remove the RestCsrfPreventionFilter in line 47 of web.xml.
Background: the approuter has its own CSRF protection mechanism. By providing a CSRF token in your request, you only deal with the approuter's CSRF protection. If the backend is again protected against CSRF, nothing is providing a CSRF token to the backend. Additionally, the CSRF protection on the backend is no longer necessary as you have protected the backend so that it can only be accessed via the approuter.
Hi Stackoverflow team,
I am facing an issue in my REST Call which I am clueless about after trying to dig into the HTTP errors.
Somehow the authorization isn't working , eventhough the generation and fetch of the JWT token is successful.
Short Description of what I have in my Springboot App :
(Available for analysis of the problem at)
https://github.com/vivdso/SpringAuthentication
A DbRepository call that talks to a backend MongoDb collection named UserAccounts which has roles and credential details stored including the passwords (Ciphertexts).
A JWT token generation mechanism that returns a token which has to be attached to the HTTP Headers for the subsequent API Calls.
The flow in short.
".....:8080/auth" method post Content-Type appliction/json body:{"username":"user","password":"sample"} Response should be a jwt token
and then
Try the autheticated url .....:8080/order.
****EXPECTED RESULT : Header" Authorization:{$jwtToken from step 6} Actual Result: :( Error : 403 forbidden, this should be fully authenticated and should let the user access this api. Expected Result: "Hello here is my order"****
This is just a simple application with not too many details to worry about.
Any help will be appreciated.
Thanks in advance.
in your code I couldn't find the filter registration.
Try to add it in the WebSecurityConfig.java
#Bean
public CustomAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
CustomAuthenticationTokenFilter authenticationTokenFilter = new CustomAuthenticationTokenFilter ();
authenticationTokenFilter.setAuthenticationManager(authenticationManagerBean());
return authenticationTokenFilter;
}
and then register it with
http
.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
inside the configuration method
et me know
This was a role mismatch issue. Was not matching with the role in jwt.
Changed the code to correct the role and it worked fine -
public CustomDbRepository(){
List<String> roles = new ArrayList<>(1);
//roles.add("ROLE_USER");
roles.add("USER");
G'day everybody!
I've got error like this:
WARN/DefaultRequestDirector(22739): Authentication error: Unable to respond to any of
these challenges: {authsub=WWW-Authenticate: AuthSub
realm="https://www.google.com/accounts/AuthSubRequest" allowed-
scopes="https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/userinfo.profile,
https://www.googleapis.com/auth/userinfo.id"}
It's happend when I wanna get connection:
AccessGrant accessGrant = new AccessGrant(accessToken);
Connection<Google> connection = connectionFactory.createConnection(accessGrant);
As the result, I catch exception as Auth 401.
Did any one that problem befor?
It looks like you are using the old AuthSub authentication when you should be using OAuth2 authentication. I suggest you take a look at the example application, specifically see in SocialConfig how to create ProviderSignInController which is used for sign in.
I've found why it was happened. The problem was in scope. I set only https://www.googleapis.com/auth/plus.me scope. It wasn't enough for create connection.
As result, I had the next message:
WARN/DefaultRequestDirector(22739): Authentication error: Unable to respond to any of
these challenges: {authsub=WWW-Authenticate: AuthSub
realm="https://www.google.com/accounts/AuthSubRequest" allowed-
scopes="https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/userinfo.profile,
https://www.googleapis.com/auth/userinfo.id"}
As you can see google oauth2 asks for https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/userinfo.id scopes.
After I had added this scopes and I got a new error likes "invalid_scope".
Problem was in connection url.
I created connection url as:
connectionFactory.getOAuthOperations().buildAuthorizeUrl(GrantType.AUTHORIZATION_CODE, params);
where params:
OAuth2Parameters params = new OAuth2Parameters();
params.setRedirectUri(redirectUri);
params.setScope("https://www.googleapis.com/auth/userinfo.email+" + "https://www.googleapis.com/auth/userinfo.profile+" + "https://www.googleapis.com/auth/userinfo.id+" +
"https://www.googleapis.com/auth/plus.me");
In this case, symbol "+" was decoded to another one and Google oauth2 api couldn't recognize scope set.
I hope this solution will help somebody in future.