ferrerojosh / nest-keycloak-connect

keycloak-nodejs-connect module for Nest
MIT License

role doesn't match! #133

Closed cybercoder closed 1 year ago

cybercoder commented 2 years ago

I'm using it in multi-tenant mode with bearerOnly: true. I've registered the module like this:

imports:

  KeycloakConnectModule.registerAsync({
    useFactory: (configService: ConfigService) => ({
      clientId: 'test',
      secret: 'test',
      authServerUrl: configService.get('KEYCLOAK_SERVER_URI'),
      policyEnforcement: PolicyEnforcementMode.PERMISSIVE,
      tokenValidation: TokenValidation.ONLINE,
      bearerOnly: true,
      multiTenant: {
        realmResolver: (request) => {
          return 'testTenant';
        },
        realmSecretResolver: (realm) => {
          return 'mysecret';
        },
      },
    }),
    inject: [ConfigService],
  }),

and providers:

  providers: [
    {
      provide: APP_GUARD,
      useClass: AuthGuard,
    },
    {
      provide: APP_GUARD,
      useClass: RoleGuard,
    },
  ],

The log shows everything is correct but resources are denied due to mismatched role(s). The example controller:

import { Controller, Get, Param, UseGuards } from '@nestjs/common';
import { AuthGuard, RoleGuard, Roles } from 'nest-keycloak-connect';

@Controller(':company')
@UseGuards(AuthGuard, RoleGuard)
export class CompanyController {
  @Get('/')
  @Roles({
    roles: ['admin'],
  })
  view(@Param('company') company: string) {
    return `your company is : ${company}`;
  }
}

The log shows:

[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Using token validation method: ONLINE
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Authenticated User: {"exp":1662662924,"iat":1662662624,"jti":"13f4b99a-d5bb-4b5f-8fbd-2bffbbcc16ed","iss":"http://localhost:8080/realms/testrealm","aud":"account","sub":"ac10f640-535a-4658-8bcf-daac003e076c","typ":"Bearer","azp":"k","session_state":"66edf11e-e69b-42a9-a1cf-52988d5c9d51","acr":"1","realm_access":{"roles":["default-roles-testrealm","offline_access","admin","uma_authorization"]},"resource_access":{"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"scope":"profile email","sid":"66edf11e-e69b-42a9-a1cf-52988d5c9d51","email_verified":true,"preferred_username":"x@y.z","given_name":"","family_name":"","email":"x@y.z"}
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Controller has no @Resource defined, request allowed due to policy enforcement
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Using matching mode: any
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Roles: ["admin"]
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Resource denied due to mismatched role(s)

As you see "realm_access":{"roles":["default-roles-testrealm","offline_access","admin","uma_authorization"]} But the role doesn't match.

Keycloak version: 19.0.1
NestJS core and common version: 9.0.0
nest-keycloak-connect version: 1.9.0

ferrerojosh commented 2 years ago

It seems to be realm role, try prefixing it with realm: so it should be realm:admin

ferrerojosh commented 1 year ago

Closed due to no response. Just tell me if you had issues.

alminisl commented 1 year ago

Having the same issue, any help? Thanks!

alminisl commented 1 year ago

> It seems to be realm role, try prefixing it with realm: so it should be realm:admin

Tried this, did not work.

sauloarth commented 5 months ago

For me this worked:

jakin6 commented 2 months ago

You can check at which level you created the roles, whether they are realm roles or client roles.

Please refer to this: https://stackoverflow.com/questions/73653840/keycloak-and-nodejs-nestjs-wrong-role-mismatch (response 3).

I needed to add the role to the client, but I had added the role to the realm by mistake.

In NestJS this code will help. If the role is at the realm level:

  @Get('/admin')
  @Scopes('delete')
  @Roles({ roles: ['realm:admin'] })
  getAdmin(): string {
    return 'admin';
  }

If the role is at the client level:

  @Get('/admin')
  @Scopes('delete')
  @Roles({ roles: ['admin'] })
  getAdmin(): string {
    return 'admin';
  }
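The prefix rule that ferrerojosh's reply and jakin6's comment both rely on can be checked offline against the token quoted in the log. The block below is an added example written for this page; it is not code from nest-keycloak-connect or keycloak-connect. It assumes the matching rule as described in the thread: an unprefixed name in @Roles() is a role of the clientId the module was registered with (looked up under resource_access[clientId].roles), "realm:<role>" is a realm role (realm_access.roles), and "<client>:<role>" is a role of some other client. The helper names (hasRole, rolesAllowed, lookupPath, explainRoles) are this example's own, and the token literal is constructed from the claims printed in the issue's "Authenticated User" log line.

```typescript
// Added example (not code from nest-keycloak-connect or keycloak-connect):
// a stand-alone model of the @Roles() lookup discussed in this thread.
// Assumed rule: unprefixed name -> client role of the configured clientId,
// "realm:<role>" -> realm role, "<client>:<role>" -> role of another client.

interface AccessTokenClaims {
  azp?: string;
  realm_access?: { roles: string[] };
  resource_access?: { [clientId: string]: { roles: string[] } };
}

type RoleMatchingMode = 'any' | 'all';

// Constructed input: the access-token claims quoted in the issue's log line,
// reduced to the fields that matter for role matching.
const tokenFromIssue: AccessTokenClaims = {
  azp: 'k',
  realm_access: {
    roles: ['default-roles-testrealm', 'offline_access', 'admin', 'uma_authorization'],
  },
  resource_access: {
    account: { roles: ['manage-account', 'manage-account-links', 'view-profile'] },
  },
};

function hasRealmRole(token: AccessTokenClaims, role: string): boolean {
  const roles = token.realm_access ? token.realm_access.roles : [];
  return roles.indexOf(role) !== -1;
}

function hasClientRole(token: AccessTokenClaims, clientId: string, role: string): boolean {
  const entry = token.resource_access ? token.resource_access[clientId] : undefined;
  const roles = entry ? entry.roles : [];
  return roles.indexOf(role) !== -1;
}

// The claim path a @Roles() name is resolved against, so a denial can be
// explained without guessing (the guard's log only prints the names).
function lookupPath(clientId: string, name: string): string {
  const idx = name.indexOf(':');
  if (idx === -1) return `resource_access["${clientId}"].roles`;
  const prefix = name.slice(0, idx);
  return prefix === 'realm' ? 'realm_access.roles' : `resource_access["${prefix}"].roles`;
}

function hasRole(token: AccessTokenClaims, clientId: string, name: string): boolean {
  const idx = name.indexOf(':');
  if (idx === -1) return hasClientRole(token, clientId, name);
  const prefix = name.slice(0, idx);
  const role = name.slice(idx + 1);
  return prefix === 'realm' ? hasRealmRole(token, role) : hasClientRole(token, prefix, role);
}

// Evaluate a @Roles({ roles, mode }) requirement. The default mode is 'any',
// matching the "Using matching mode: any" line in the log. An empty list is
// treated as a misconfiguration and denied (this example's choice, fail closed).
function rolesAllowed(
  token: AccessTokenClaims,
  clientId: string,
  roles: string[],
  mode: RoleMatchingMode = 'any',
): boolean {
  if (roles.length === 0) return false;
  const hits = roles.map((r) => hasRole(token, clientId, r));
  return mode === 'all' ? hits.every((h) => h) : hits.some((h) => h);
}

// One line per required role: found or missing, and which claim was consulted.
function explainRoles(token: AccessTokenClaims, clientId: string, roles: string[]): string[] {
  return roles.map(
    (r) => `${r}: ${hasRole(token, clientId, r) ? 'found' : 'missing'} in ${lookupPath(clientId, r)}`,
  );
}

// The controller in the issue ran with clientId 'test' and required ['admin'],
// which is looked up under resource_access["test"]; that entry is absent.
console.log(explainRoles(tokenFromIssue, 'test', ['admin']));
console.log(rolesAllowed(tokenFromIssue, 'test', ['admin']));        // false
console.log(explainRoles(tokenFromIssue, 'test', ['realm:admin']));
console.log(rolesAllowed(tokenFromIssue, 'test', ['realm:admin']));  // true
```

Two things worth keeping in mind when using this to debug a denial like the one in the log. First, an unprefixed name is scoped to the configured clientId, so the check fails closed whenever the token carries no resource_access entry for that client; in the quoted token the only client entry is "account", and azp is "k" while the module was registered with clientId 'test', so explainRoles() reports exactly which claim path came up empty. Second, "realm:admin" is satisfied by any token in the realm that carries the realm role, regardless of which client it was issued to, which is a wider grant than a client role; pick the level deliberately rather than switching the prefix until the guard stops complaining.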