Reputation: 605
I am new to Keycloak. I am using the official tutorial project at https://github.com/sebastienblanc/spring-boot-keycloak-tutorial for integrating with a Spring Boot application. I have set up the Keycloak server successfully, and the Spring Boot application also directs to the client application I have created in the realm I have created on Keycloak. After providing the correct credentials, it directs to the forbidden page.
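```java
import java.util.Arrays;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
class ProductController {

    // Protected by the security constraint declared in application.properties
    @GetMapping(path = "/products")
    public String getProducts(Model model) {
        model.addAttribute("products", Arrays.asList("iPad", "iPhone", "iPod"));
        return "products";
    }

    // Ends the servlet session for the current user
    @GetMapping(path = "/logout")
    public String logout(HttpServletRequest request) throws ServletException {
        request.logout();
        return "/";
    }
}
```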
Application.properties file
```properties
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.realm=springdemo
keycloak.resource=product-app
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=testuser
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
server.port=8081
```
I am not getting any error message from the Keycloak console or the Spring embedded Tomcat console.
Check the Tomcat console here - no error
Thank you.
Upvotes: 6
Views: 16523
Reputation: 1
In my case I have to turn off Client Authentication and Authorization (both) in client config.
Upvotes: 0
Reputation: 11
I had the same issue and the problem was that I was using variables separated by dashes, instead of camel case. For example, I had this (incorrect):
```yaml
keycloak:
  auth-server-url: http://localhost:8083/auth
  realm: springdemo
  resource: Resource_Name
  public-client: true
  security-constraints[0].auth-roles[0]: user
  security-constraints[0].security-collections[0].patterns[0]: /
```
instead of (correct):
```yaml
keycloak:
  authServerUrl: http://localhost:8083/auth
  realm: springdemo
  resource: Resource_Name
  publicClient: true
  securityConstraints[0].authRoles[0]: user
  securityConstraints[0].securityCollections[0].patterns[0]: /
```
Upvotes: 1
Reputation: 221
Late to the party, but this might help someone.
In my case, I had resource authorization enabled (so the client was not public). I had to do the following:
Under Client Authorization -> Settings -> Policy Enforcement Mode
Set it to "Permissive"
Upvotes: 0
Reputation: 2389
In my case here I set `use-resource-role-mappings` to `true`, considering that it would provide both realm and client roles, but it turns out that if this option is set to `true`, only client roles are considered.
AFAICS, there is no way to use both.
Upvotes: 4
Reputation: 1
About that tutorial, I just have a problem with the logout feature.
Sometimes the logout does not work.
1) I click on logout and then I click on /products; then I am not redirected to the Keycloak login page.
2) If I click on logout, then I refresh the browser page, then I click on /products, I am redirected to the Keycloak login page.
It seems that the logout implementation from HttpServletRequest is not enough to really log out the user?
```java
@GetMapping(path = "/logout")
public String logout(HttpServletRequest request) throws ServletException {
    request.logout();
    return "/";
}
```
If somebody has an explanation for that behavior between Spring Boot and Keycloak, thank you.
Upvotes: 0
Reputation: 1
I tried this weekend to replay the example from Sebastien's very interesting Devoxx talk.
I had the same 403 error with the role "user" specified in the property `keycloak.security-constraints[0].authRoles[0]=user`.
The "user" role does not exist in the default Keycloak configuration. You have to create it first in your realm (realm/configuration/roles) and assign it to your user (realm/users/user/roles mappings).
Upvotes: 0
Reputation: 3239
I think you have a typo at `keycloak.security-constraints[0].authRoles[0]=testuser`; you should specify the role here and not the user.
If you follow the blog post instructions, it should be:
```properties
keycloak.security-constraints[0].authRoles[0]=user
```
Upvotes: 4
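
A diagnostic for the 403 causes named in the answers above (a username in `authRoles`, a role that was never created or mapped, and `use-resource-role-mappings` restricting the check to client roles), added here as an example and not code from the tutorial, Keycloak or any poster. It assumes Keycloak's default access-token layout (`realm_access.roles`, `resource_access.<client>.roles`, `preferred_username`); the function names and the sample token are constructed for illustration.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def effective_roles(claims, resource, use_resource_role_mappings=False):
    """Roles compared against authRoles: client roles if the flag is set, else realm roles."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))

def explain_403(token, resource, auth_roles, use_resource_role_mappings=False):
    """Return (allowed, reason) for one security constraint's authRoles list."""
    claims = jwt_claims(token)
    wanted = set(auth_roles)
    matched = effective_roles(claims, resource, use_resource_role_mappings) & wanted
    if matched:
        return True, "role(s) present: " + ", ".join(sorted(matched))
    if claims.get("preferred_username") in wanted:
        return False, "authRoles holds a username, not a role"
    if effective_roles(claims, resource, not use_resource_role_mappings) & wanted:
        return False, "role exists only in the other scope (realm vs client)"
    return False, "role missing from token: create it and map it to the user"

def make_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

# Constructed sample: user "testuser" holds the realm role "user", no client roles.
SAMPLE = make_token({
    "preferred_username": "testuser",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"product-app": {"roles": []}},
})

if __name__ == "__main__":
    cases = ((["testuser"], False), (["user"], False), (["user"], True))
    for roles, client_only in cases:
        print(roles, client_only, explain_403(SAMPLE, "product-app", roles, client_only))
```

To check a real session, pass the access token issued for the logged-in user to `explain_403` together with the `keycloak.resource` value and the configured `authRoles`.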