Closed venkateshmadala closed 3 years ago
@venkateshmadala Looks like you configured something incorrectly. Try to run an example with a docker image https://github.com/v-ladynev/keycloak-nodejs-example#using-ladynevkeycloak-mysql-realm-users-with-mysql-docker-image
@venkateshmadala did you figure this out? I received the same error.
Getting the same error. I don't have any roles in the Keycloak server. I just created one realm and one client in the realm.
Getting the same error. I imported realm.json and correctly configured the installation JSON from Keycloak, but the app says:
Grant validation failed. Reason: failed to load public key to verify token
I got "Grant validation failed. Reason: failed to load public key to verify token" and I found that the config was undefined, so I made a config variable and put whatever is in keycloak.json as its value. After that it gave me "400: Bad Request".
@rahulkohli23 @zeynabsb Guys, you should have CAMPAIGN_REALM and CAMPAIGN_CLIENT configured. You also need to generate keycloak.json from Keycloak so that it has the correct credentials:
    "credentials": {
        "secret": "6d979be5-cb81-4d5c-9fc7-45d1b0c7a75e"
    }
Please generate keycloak.json using CAMPAIGN_CLIENT -> Installation. You will need to replace keycloak.json in the root of the project with the generated one.
Yes, I did all of these steps and I found out that I should put the public key in keycloak.json. Now I get another error: "Grant validation failed. Reason: invalid token (signature)".
@zeynabsb You can start by checking that Keycloak is configured correctly. Use Postman or curl, as described at the link below, to get tokens from Keycloak:
https://github.com/v-ladynev/keycloak-nodejs-example#what-happens-with-custom-login
@v-ladynev I tried curl and I got a token, but I still get that error when trying to log in.
@zeynabsb This example is meant to work with Keycloak 3.2.1.Final. The reason could be that you are using a more recent version.
What worked for me is to update the version to "keycloak-connect": "^12.0.4" in package.json. After that I got the error "unable to verify the audience something in token". To resolve that, just follow this answer: https://stackoverflow.com/a/53627747/5525824. But after this the whole project stopped working; you will face the next issue at:
    static createEntitlementUrl(keycloak) {
        return `${keycloak.config.realmUrl}/authz/entitlement/${keycloak.config.clientId}`;
    }
as the latest Keycloak I am using does not support the entitlement URL.
@v-ladynev is this lib custom written? https://github.com/v-ladynev/keycloak-nodejs-example/tree/master/lib
For the latest version of Keycloak we might have to change it then.
@harsh4870
> @v-ladynev is this lib custom written? https://github.com/v-ladynev/keycloak-nodejs-example/tree/master/lib
Yes. Correct. Feel free to change anything and make a pull request.
Please post proper details (actual code instead of just mentioning what you did) that have helped you move ahead. That will help future readers avoid spending time again figuring out things like how to find the public key, what the property in the config is called, etc.
Go to http://localhost:8080/auth/admin/master/console/#/realms/CAMPAIGN_REALM/keys and click on "Public key" to get the key.
In keycloak.json, add:
    "realm-public-key": *paste-the-above-public-key-here*
In package.json, update:
    "keycloak-connect": "13.0.1",
then run npm i.
The above has helped me move one route ahead. Now I need to fix the entitlement error:
access denied: 404 - {"error":"RESTEASY003210: Could not find resource for full path: http://localhost:8080/auth/realms/CAMPAIGN_REALM/authz/entitlement/CAMPAIGN_CLIENT"}
@rounakcodes I was using Keycloak 3.2.1.Final. For the newer Keycloak versions (from the Keycloak upgrade notes):
> Entitlement API was removed. With the introduction of UMA 2.0, we decided to leverage the token endpoint and UMA grant type to allow obtaining RPTs from Keycloak and avoid having different APIs. The functionality provided by the Entitlement API was kept the same and it is still possible to obtain permissions for a set of one or more resources and scopes, or all permissions from the server in case no resource or scope is provided. See Authorization Services Guide for details.
So, as I understand it, the token endpoint has to be used to get permissions:
https://www.keycloak.org/docs/latest/authorization_services/#_service_obtaining_permissions
@harsh4870 The error "unable to verify the audience something in token" can be resolved even more simply. Just set in keycloak.json:
    "verify-token-audience": false
@harsh4870 @rounakcodes I think we have to replace the entitlement endpoint with an authorization request to the token endpoint. To check permission to view a campaign:
curl --location --request POST 'http://localhost:8080/auth/realms/CAMPAIGN_REALM/protocol/openid-connect/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --header "Authorization: Bearer ${access_token}" \
    --data 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
    --data 'audience=CAMPAIGN_CLIENT' \
    --data 'permission=res:campaign#scopes:view' \
    --data 'response_mode=decision'
Result, if allowed:
    {
        "result": true
    }
Result, if disallowed (with 403 HTTP status code):
    {
        "error": "access_denied",
        "error_description": "not_authorized"
    }
There is a method in keycloak-connect, keyCloak.grantManager.checkPermissions(authzRequest, request, callback). It still needs to be figured out how to use it.
I have moved a bit further https://github.com/v-ladynev/keycloak-nodejs-example/commit/6d157b88856778e8874f0e6d038db1f24680dce7
@harsh4870 @rounakcodes I have fixed everything. Please follow this to start Keycloak with configuration https://github.com/v-ladynev/keycloak-nodejs-example#quick-start
I have imported both JSON files into Keycloak and updated the keycloak.json file in the app root folder. I am able to access the application URL, but after login I see an "Access denied" error on the app page. In the app logs I can see the error below. Can you please help me resolve the issue?
Grant validation failed. Reason: failed to load public key to verify token
Error: Can't set headers after they are sent.
    at validateHeader (_http_outgoing.js:491:11)
    at ServerResponse.setHeader (_http_outgoing.js:498:3)