zhaow-de / pam-keycloak-oidc

PAM module connecting to Keycloak for user authentication using OpenID Connect/OAuth2, with MFA/2FA/TOTP support
MIT License

Documentation for error messages #1

Open brodkin opened 3 years ago

brodkin commented 3 years ago

Hello,

Was stoked to find this pam module, but I'm getting an error "Authentication was successful but authorization failed" that is not explained within the code comments or README.

Would you kindly consider adding an explanation of what this error means? ...and also tell me so I might be able to leverage this amazing module?

zhaow-de commented 3 years ago

Thanks for the feedback @brodkin! Glad you liked the module. I will update the documentation soon.

The error message shows up because the designated Keycloak role was not found on the current user. To troubleshoot, please check:

  1. the role exists and is assigned to the user
  2. the name of the role is configured in the config file
  3. the role is included in the OIDC token scope

For 1), an easy way to check is Keycloak -> Users -> THE-USER -> Role Mappings. Depending on how you configured Keycloak: if the pam role is at Realm level, check Realm Roles -> Effective Roles; or if the pam role is at Client level, check Client Roles -> THE-CLIENT-FOR-PAM -> Effective Roles. Either way you should see the designated role, let's call it demo-pam-authentication. In case you don't see it, please assign the role to the user directly, or assign the role to a group and then assign the user to the group.

For 2), check your pam-keycloak-oidc.tml: the line vpn-user-role="demo-pam-authentication" should refer to the same role above. This is a misleading name; I initially created the module for a Radius authentication for VPN, but when I open-sourced it, everywhere else was generalized to pam except this property.

For 3), please refer to the README and double-check the settings of the Client Scope (including its Mappers), and make sure the Client Scope is in the "Assigned Default Client Scopes" of the corresponding Client.
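The three checks above all come down to one question: does the token the module receives actually carry the configured role? The following Go snippet is an added diagnostic example, not code from pam-keycloak-oidc; it decodes a token's payload segment and looks for the vpn-user-role value under the default Keycloak claim paths (realm_access.roles for realm roles, resource_access.<client>.roles for client roles), which is an assumption about how your Client Scope mapper emits roles.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Role-bearing claims of a Keycloak token (assumed default layout:
// realm_access.roles and resource_access.<client>.roles).
type roleList struct {
	Roles []string `json:"roles"`
}
type roleClaims struct {
	RealmAccess    roleList            `json:"realm_access"`
	ResourceAccess map[string]roleList `json:"resource_access"`
}

// PayloadOf decodes the payload segment of a compact JWT without verifying
// the signature: diagnostic use only, the module itself validates tokens.
func PayloadOf(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT: got %d segments, want 3", len(parts))
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// HasPamRole reports whether role (the vpn-user-role value) is a realm role
// or a client role of clientID; false is the "authorization failed" case.
func HasPamRole(payload []byte, clientID, role string) (bool, error) {
	var c roleClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return false, err
	}
	for _, r := range append(c.RealmAccess.Roles, c.ResourceAccess[clientID].Roles...) {
		if r == role {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed payload: the role is assigned at realm level only.
	payload := []byte(`{"sub":"u1","realm_access":{"roles":["demo-pam-authentication"]},"resource_access":{"pam":{"roles":["uma_authorization"]}}}`)
	ok, err := HasPamRole(payload, "pam", "demo-pam-authentication")
	fmt.Println("role present:", ok, "err:", err)
}
```

If the role is missing here but visible under Effective Roles in the admin console, the Client Scope or its Mapper (check 3) is the part to fix rather than the role assignment.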

brodkin commented 3 years ago

Thanks for the support and commitment to adding docs!

I thought that I triple checked all of the configs, but I forgot to set the name of the scope in the token. With that being fixed it works as expected.

Now to figure out why I get error code 13 when actually trying to use it with PAM. 🙃