CODEWITHSUNDEEP
javaspring-bootkeycloak
baraber
baraber

Reputation: 3356

403 spring-boot-2-keycloak-adapter

I have the exact same problem as here : Spring Boot - KeyCloak directed to 403 forbidden However, the answers for that question says that roles are probably not configured or assigned in keycloak server, which is in my case.

An angular front-end application that authenticate user with a keycloak server.

Then the received token is passed to a rest service developed with spring-boot, using keycloak-spring-boot-2-starter.

That's where the problem is : my service takes the token, authenticate it with keycloak without problem, but return 403 to the client app.

I did debug the keycloak adapter to find that, in the principal found in the request (GenericPrincipal), there is no role information (and empty list).

On the keycloak server, I added role in the realm settings, and assigned the role to the user (there is only one user). Tried client roles too( with use-resource-role-mappings: true) but same problem.

Here is my keycloak configuration in application.yaml : 

keycloak:
  auth-server-url: http://localhost:8084/auth
  ssl-required: external
  realm: soccer-system
  resource: league-service
  bearer-only: true
  cors: true
  use-resource-role-mappings: false
  enabled: true
  credentials:
    secret: myClientKey
  security-constraints:
    0:
      auth-roles:
      - user
      security-collections:
        0:
          patterns:
          - /*

Keycloak server version is 3.4.3.Final

I've been struggling for two days on this. Hope someone out there will put me on the way :)

Maven dependencies : 

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-spring-boot-2-starter</artifactId>
        <version>4.0.0.Beta2</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

Debug logs from the adapter : 

2018-05-27 12:32:09.266 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/league
2018-05-27 12:32:09.273 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Using provider 'secret' for authentication of client 'league-service'
2018-05-27 12:32:09.275 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2018-05-27 12:32:09.277 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2018-05-27 12:32:09.278 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret-jwt
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret-jwt
2018-05-27 12:32:09.484 DEBUG 2607 --- [nio-8081-exec-1] o.keycloak.adapters.KeycloakDeployment   : resolveUrls
2018-05-27 12:32:09.486 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.KeycloakDeploymentBuilder   : Use authServerUrl: http://localhost:8084/auth, tokenUrl: http://localhost:8084/auth/realms/soccer-system/protocol/openid-connect/token, relativeUrls: NEVER
2018-05-27 12:32:09.486 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : checkCorsPreflight http://localhost:8081/league
2018-05-27 12:32:09.487 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : Preflight request returning
2018-05-27 12:32:09.495 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/league
2018-05-27 12:32:09.496 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler       : checkCorsPreflight http://localhost:8081/league
2018-05-27 12:32:09.593 TRACE 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : --> authenticate()
2018-05-27 12:32:09.593 TRACE 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : try bearer
2018-05-27 12:32:09.594 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator    : Verifying access_token
2018-05-27 12:32:09.637 TRACE 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator    :     access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5LV92RjRCM21PS0JjQVdhSFlGc3VlVGthRzNEVHBqUThHS2NqTGpqY0pnIn0.eyJqdGkiOiI1ZWMyYmU0YS04YmRlLTQ0OTEtYjRjMC04YzY5ZDIxMmVkZmIiLCJleHAiOjE1Mjc0MzkwMzYsIm5iZiI6MCwiaWF0IjoxNTI3NDM4NzM2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODQvYXV0aC9yZWFsbXMvc29jY2VyLXN5c3RlbSIsImF1ZCI6ImxlYWd1ZS1vcmdhbml6ZXItYXBwIiwic3ViIjoiNTRiNzBlYjYtNzMxZC00Y2RiLTk1MzAtMTRjYTQxMWI3OGY4IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibGVhZ3VlLW9yZ2FuaXplci1hcHAiLCJub25jZSI6IjRiYjgzZDVhLTg5ZDktNDNkNy1hMWExLWJjZDdlYTQ0Y2Q3YiIsImF1dGhfdGltZSI6MTUyNzQzODczNSwic2Vzc2lvbl9zdGF0ZSI6ImQwNmI0NGQ2LTljYTgtNGYzYy1iYTBlLTY5NDhmYzAzYWY0YyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiKiJdLCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJ2aWV3LXByb2ZpbGUiXX19LCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJyLmJhcmFiZUBnbWFpbC5jb20ifQ.signature
2018-05-27 12:32:09.697 TRACE 2607 --- [nio-8081-exec-2] o.k.a.rotation.JWKPublicKeyLocator       : Going to send request to retrieve new set of realm public keys for client league-service
2018-05-27 12:32:09.822 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.rotation.JWKPublicKeyLocator       : Realm public keys successfully retrieved for client league-service. New kids: [9-_vF4B3mOKBcAWaHYFsueTkaG3DTpjQ8GKcjLjjcJg]
2018-05-27 12:32:09.823 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator    : successful authorized
2018-05-27 12:32:09.826 TRACE 2607 --- [nio-8081-exec-2] o.k.a.RefreshableKeycloakSecurityContext : checking whether to refresh.
2018-05-27 12:32:09.827 TRACE 2607 --- [nio-8081-exec-2] org.keycloak.adapters.AdapterUtils       : use realm role mappings
2018-05-27 12:32:09.827 TRACE 2607 --- [nio-8081-exec-2] org.keycloak.adapters.AdapterUtils       : Setting roles: 
2018-05-27 12:32:09.830 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : User '54b70eb6-731d-4cdb-9530-14ca411b78f8' invoking 'http://localhost:8081/league' on client 'league-service'
2018-05-27 12:32:09.830 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : Bearer AUTHENTICATED
2018-05-27 12:32:09.839  INFO 2607 --- [nio-8081-exec-2] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
2018-05-27 12:32:09.839  INFO 2607 --- [nio-8081-exec-2] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
2018-05-27 12:32:09.866  INFO 2607 --- [nio-8081-exec-2] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 27 ms

In debug mode, I managed to get the token received from keycloak (decoded), here it is : 

{
    "jti": "c9d8ebd4-1ea6-4191-ac03-32b047d6f80c",
    "exp": 1527441347,
    "nbf": 0,
    "iat": 1527441047,
    "iss": "http://localhost:8084/auth/realms/soccer-system",
    "aud": "league-organizer-app",
    "sub": "54b70eb6-731d-4cdb-9530-14ca411b78f8",
    "typ": "Bearer",
    "azp": "league-organizer-app",
    "nonce": "ac3e1024-9ce0-4a45-806b-8ec245905a3c",
    "auth_time": 1527440521,
    "session_state": "4df9e22b-141a-4970-98cc-cff57894814a",
    "acr": "0",
    "allowed-origins": [
        "*"
    ],
    "resource_access": {
        "account": {
            "roles": [
                "view-profile"
            ]
        }
    },
    "preferred_username": "thaUser"
}

UPDATE 1:

I tried with keycloak server version 4.0.0.Beta2, to match the one of the adapter. That unfortunately did not help.

UPDATE 2:

I tried to put ** as role restriction in config, as suggested in comment, but that did nt help : 

security-constraints:
    0:
      auth-roles:
      - '**'
      security-collections:
        0:
          patterns:
          - /*

EDIT 1 :

Added console output. It seems to say no role was set. But I really have those rôles in my realm, assigned to my user.

Edit 2 :

Added access token as seen by the adapter in debug.

Upvotes: 2

Views: 4870

Answers (1)

baraber
baraber

Reputation: 3356

I finally managed to do it. The problem was I did not map any role to scope in my front-end app client configuration. It worked when I did. In the client configuration (the one the user authenticate with), tab 'Scope'. Eighter activate the option 'Full Scope Allowed', or chose the realm roles you want keycloak to map. The chosen roles will be mapped to user roles and included in the token.

I just did not know I had to do that. Still, thank you for your comments, it's been useful.

Upvotes: 5

Related Questions