v-ladynev / keycloak-nodejs-example

A simple step-by-step Keycloak, MySQL and Node.js integration tutorial. There are some docker examples as well.

Getting Access denied error post login #6

Closed venkateshmadala closed 3 years ago

venkateshmadala commented 5 years ago

I have imported both json files to keycloak and updated the keycloak.json file in the app root folder. I am able to access the application url, but post login I am seeing an Access denied error on the app page. In the app logs I can see the error below. Can you please help me in resolving the issue.

Grant validation failed. Reason: failed to load public key to verify token Error: Can't set headers after they are sent. at validateHeader (_http_outgoing.js:491:11) at ServerResponse.setHeader (_http_outgoing.js:498:3)

v-ladynev commented 5 years ago

@venkateshmadala Looks like you configured something incorrectly. Try to run an example with a docker image https://github.com/v-ladynev/keycloak-nodejs-example#using-ladynevkeycloak-mysql-realm-users-with-mysql-docker-image

dremekie commented 5 years ago

@venkateshmadala did you figure this out? I received the same error.

praveenpothula commented 5 years ago

Getting the same error. I don't have any roles in the keycloak server. Just created one realm and one client in the realm.

raulkozy commented 4 years ago

Getting the same error. Imported the realm.json, correctly configured the installation json from keycloak, but the app says

Grant validation failed. Reason: failed to load public key to verify token

zeynab-sb commented 4 years ago

I got "Grant validation failed. Reason: failed to load public key to verify token" and I figured out that the config is undefined, so I made a config variable and I put whatever is in keycloak.json as its value, and after that it gave me "400:Bad Request".

v-ladynev commented 4 years ago

@rahulkohli23 @zeynabsb Guys, you should have CAMPAIGN_REALM and CAMPAIGN_CLIENT configured. Also you need to generate keycloak.json from Keycloak to have the correct

"credentials": {
    "secret": "6d979be5-cb81-4d5c-9fc7-45d1b0c7a75e"
}

Please, generate keycloak.json using CAMPAIGN_CLIENT -> Installation

You will need to replace keycloak.json in the root of the project with the generated one.

zeynab-sb commented 4 years ago

Yes, I did all of these steps and I found out that I should put the public key in keycloak.json. Now I got another error "Grant validation failed. Reason: invalid token (signature)".

v-ladynev commented 4 years ago

@zeynabsb You can start from checking that Keycloak is configured correctly. Use Postman or curl, as described by the link below, to get tokens from Keycloak

https://github.com/v-ladynev/keycloak-nodejs-example#what-happens-with-custom-login

zeynab-sb commented 4 years ago

@v-ladynev I tried to curl and I got a token, but I still got that error while trying to login.

v-ladynev commented 4 years ago

@zeynabsb This example has to work with Keycloak 3.2.1.Final. The reason can be that you are using a more recent version.

harsh4870 commented 3 years ago

What worked for me is to update the version of "keycloak-connect": "^12.0.4", in keycloak, and after that I got the error

unable to verify the audience something in token

To resolve that just follow this answer: https://stackoverflow.com/a/53627747/5525824 but due to this the whole project stopped working.

You will face the next issue at:

static createEntitlementUrl(keycloak) {
    return `${keycloak.config.realmUrl}/authz/entitlement/${keycloak.config.clientId}`;
}

as the latest Keycloak I am using doesn't support the EntitlementUrl.

@v-ladynev is this lib custom written? : https://github.com/v-ladynev/keycloak-nodejs-example/tree/master/lib

For the latest version of Keycloak we might have to change it then.

v-ladynev commented 3 years ago

@harsh4870

@v-ladynev is this lib custom written? : https://github.com/v-ladynev/keycloak-nodejs-example/tree/master/lib

Yes. Correct. Feel free to change anything and make a pull request.

rounakcodes commented 3 years ago

Please post proper details (actual code instead of just mentioning what you did) that have helped you move ahead. That will help future readers to not spend time again to figure out things like how to find the public key, what the property in config is called etc.

Go to http://localhost:8080/auth/admin/master/console/#/realms/CAMPAIGN_REALM/keys and click on Public Key to get the key.

In keycloak.json add "realm-public-key": *paste-the-above-public-key-here*

In package.json update "keycloak-connect": "13.0.1",

npm i

The above has helped me move one route ahead. Now I need to fix the entitlement error: access denied: 404 - {"error":"RESTEASY003210: Could not find resource for full path: http://localhost:8080/auth/realms/CAMPAIGN_REALM/authz/entitlement/CAMPAIGN_CLIENT"}

v-ladynev commented 3 years ago

@rounakcodes I was using Keycloak 3.2.1.Final. For the newer Keycloak versions:

Entitlement API was removed. With the introduction of UMA 2.0, we decided to leverage the token endpoint and UMA grant type to allow obtaining RPTs from Keycloak and avoid having different APIs. The functionality provided by the Entitlement API was kept the same and it is still possible to obtain permissions for a set of one or more resources and scopes or all permissions from the server in case no resource or scope is provided. See Authorization Services Guide for details.

The token endpoint has to be used to get permissions, as I understand: https://www.keycloak.org/docs/latest/authorization_services/#_service_obtaining_permissions

v-ladynev commented 3 years ago

@harsh4870 The error unable to verify the audience something in token can be resolved even more simply. Just set in keycloak.json

"verify-token-audience": false

v-ladynev commented 3 years ago

@harsh4870 @rounakcodes I think we have to replace an entitlement endpoint with an authorization request to the token endpoint. To check permission to view a campaign:

curl --location --request POST 'http://localhost:8080/auth/realms/CAMPAIGN_REALM/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer ${access_token}' \
--data 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data 'audience=CAMPAIGN_CLIENT' \
--data 'permission=res:campaign#scopes:view' \
--data 'response_mode=decision'

result, if allowed

{
    "result": true
}

result, if disallowed (with 403 HTTP status code)

{
    "error": "access_denied",
    "error_description": "not_authorized"
}

There is a method in keycloak-connect

keyCloak.grantManager.checkPermissions(authzRequest, request, callback)

It remains to figure out how to use it.
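The authorization request above, as an added Node.js example that is not part of the project or of the comment: it builds the UMA-ticket request for the token endpoint with response_mode=decision and maps the two documented responses (and anything else) to an allow/deny result. It assumes Node 18+ for the global fetch; the fetchImpl parameter is a hypothetical hook added so the exchange can be exercised with a fake response.

```javascript
// Added example, not the project's own code: the UMA-ticket permission
// check from the comment above, done from Node.js instead of curl.
// Assumes Node 18+ (global fetch). `fetchImpl` is a hypothetical hook so
// the exchange can be exercised with a fake fetch.

const TOKEN_ENDPOINT =
  'http://localhost:8080/auth/realms/CAMPAIGN_REALM/protocol/openid-connect/token';

// Build the fetch options for response_mode=decision. `permission` is
// the "resource#scope" string from the curl example, e.g.
// 'res:campaign#scopes:view'.
function buildDecisionRequest(accessToken, audience, permission) {
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:uma-ticket',
    audience,
    permission,
    response_mode: 'decision',
  });
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Bearer ${accessToken}`,
    },
    body: body.toString(),
  };
}

// Map the endpoint's answer to an allow/deny result. Only HTTP 200 with
// {"result": true} is an allow. The documented deny is 403 with
// "access_denied"; any other status (expired token, unknown resource,
// server error) is also treated as a deny, with the status kept for logging.
function interpretDecision(status, json) {
  if (status === 200 && json && json.result === true) {
    return { allowed: true, reason: 'ok' };
  }
  if (status === 403 && json && json.error === 'access_denied') {
    return { allowed: false, reason: json.error_description || 'access_denied' };
  }
  return { allowed: false, reason: `unexpected response: HTTP ${status}` };
}

// Ask Keycloak whether the bearer of `accessToken` holds `permission`
// on CAMPAIGN_CLIENT. Fails closed if the body is not JSON.
async function checkPermission(accessToken, permission, fetchImpl = fetch) {
  const options = buildDecisionRequest(accessToken, 'CAMPAIGN_CLIENT', permission);
  const res = await fetchImpl(TOKEN_ENDPOINT, options);
  const json = await res.json().catch(() => null);
  return interpretDecision(res.status, json);
}
```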

v-ladynev commented 3 years ago

I have moved a bit further https://github.com/v-ladynev/keycloak-nodejs-example/commit/6d157b88856778e8874f0e6d038db1f24680dce7

v-ladynev commented 3 years ago

@harsh4870 @rounakcodes I have fixed everything. Please follow this to start Keycloak with configuration https://github.com/v-ladynev/keycloak-nodejs-example#quick-start