wildfly integration with keycloak 403 forbidden error
I have an application integrated with Keycloak. The application runs on a WildFly server. I use web.xml to authenticate with Keycloak (as the login config). Apart from that I use a keycloak.json file, where I define the Keycloak realm settings for the application. When I invoke the application pages, the Keycloak login page opens; after entering the credentials, it comes back to WildFly with a 403 Forbidden error.

Previously, the same setup was working, but now, after enabling SSL, I'm facing this issue.

Please help me resolve the issue. Does it require any other additional setup for SSL?

Change answered 29/2, 2016 at 8:30 Comment(2)
Please change the logging level to TRACE and post any error you might be getting in the server.log file. – Ultraviolet
You can add "disable-trust-manager": true in the keycloak.json file and check, as the SSL certificate might not be in the trust manager. – Ultraviolet
The problem was with the Keycloak configuration. The roles created for my application did not have scope. After enabling the role to full scope, the issue got resolved.

Change answered 31/3, 2016 at 8:32 Comment(4)
Can you elaborate more on how to change the scopes? – Mechelle
@Mechelle Do you have more info on this? – Vacuum
I was having the same issue and my solution was to add the role in the client, meaning this: 1. Create role: go to Clients > select one client > go to Roles > add a new role. 2. Assign role: go to Users > select one user > go to Role Mappings > click Client Roles > select the client (same as in the first step) > select the role created in the first step. – Transubstantiate
I need to add the role to the realm; if I add the role to the client it does not work. Go to Roles > Realm Roles and create it, then add the role to the user. – Inhuman
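The accepted answer and the two comments above describe the same failure from different angles: the adapter compares the roles carried in the access token against the role-name in web.xml, and it reads those roles either from the realm_access claim (the default) or from resource_access[client] when use-resource-role-mappings is set in keycloak.json; a client whose Scope tab does not allow full scope will not copy a realm role into the token at all. The following Python snippet is an added example, not code from the question or from Keycloak, that decodes a constructed, unsigned token payload and reports which required roles are missing, which is the condition that produces the 403. The claim names realm_access, resource_access and the use-resource-role-mappings switch are real Keycloak conventions; the token contents, client id "myapp" and role names are constructed for the demonstration.

```python
import base64
import json

# Constructed sample access-token payload (not a real Keycloak token):
# the user holds realm role "user" and client role "viewer" on client "myapp".
_SAMPLE_PAYLOAD = {
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["user", "offline_access"]},
    "resource_access": {"myapp": {"roles": ["viewer"]}},
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_token(payload=None) -> str:
    """Assemble an unsigned JWT-shaped string for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    payload = _SAMPLE_PAYLOAD if payload is None else payload
    return ".".join(
        [_b64url(json.dumps(header).encode()), _b64url(json.dumps(payload).encode()), ""]
    )


def decode_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.

    The adapter verifies the signature; this helper only reads claims while
    debugging, so never use it to make an authorization decision.
    """
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore padding stripped by base64url
    return json.loads(base64.urlsafe_b64decode(seg))


def granted_roles(payload: dict, client_id: str, use_resource_role_mappings=False) -> set:
    """Mirror of how the adapter chooses the role set it compares with web.xml:
    realm roles by default, the client's own roles when
    use-resource-role-mappings is true in keycloak.json."""
    if use_resource_role_mappings:
        return set(payload.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return set(payload.get("realm_access", {}).get("roles", []))


def check_access(token: str, client_id: str, required_roles, use_resource_role_mappings=False):
    """Return (allowed, missing_roles); a 403 is expected whenever missing is non-empty."""
    roles = granted_roles(decode_payload(token), client_id, use_resource_role_mappings)
    missing = set(required_roles) - roles
    return (not missing, sorted(missing))


if __name__ == "__main__":
    tok = build_sample_token()
    # web.xml requires role "viewer": fails with realm mapping, passes with client mapping
    print(check_access(tok, "myapp", ["viewer"]))
    print(check_access(tok, "myapp", ["viewer"], use_resource_role_mappings=True))
```

Running it against a real token from the server log (with TRACE logging enabled, as suggested in the comments) shows directly whether the role named in web.xml is present in the claim the adapter actually consults, which distinguishes a scope problem from a mapping-mode problem.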
If it's the case that login is failing after SSL was enabled, it would be because the SSL certificate was not in the truststore, and you might get this exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

For this you can disable the trust manager by adding the following conf in keycloak.json:

  {
    ...
    "disable-trust-manager": true
  }

If this solves the issue, then the proper way of doing it will be to add the certificate to the trust store and specify it in the keycloak.json file like so:

  {
    ...
    "truststore": "cacerts.jks",
    "truststore-password": "password"
  }
Ultraviolet answered 8/3, 2016 at 5:45 Comment(3)
But I do not get any exceptions in the log. The calls get forwarded to Keycloak. After I log in, the call comes back to WildFly, where I get this Forbidden on screen. – Change
@JayapriyaAtheesan: I would recommend increasing the logging level in WildFly and then checking the logs. BTW, which version of Keycloak are you using? – Ultraviolet
I'm using Keycloak 1.6.0 Final. I have enabled logs to finest and all too, but I don't get any errors in the log. – Change
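The two keycloak.json fragments in the answer above are the quick workaround and the recommended form. Because "disable-trust-manager": true switches off certificate verification of the Keycloak server entirely, a practitioner wants a check that the workaround did not survive into the deployed configuration. The Python snippet below is an added example, not code from the answer or from Keycloak, that audits an adapter configuration for that and for the related settings allow-any-hostname and ssl-required (real adapter keys; "external" is the documented default for ssl-required). The two embedded configurations, realm name, client id and URL are constructed for the demonstration.

```python
import json

# Constructed keycloak.json contents, modelled on the answer above.
# Quick workaround: trust manager disabled, so the IdP certificate is never checked.
WORKAROUND_CONFIG = """{
  "realm": "demo",
  "auth-server-url": "https://sso.example.invalid/auth",
  "ssl-required": "external",
  "resource": "myapp",
  "disable-trust-manager": true
}"""

# Recommended form: a truststore holding the IdP's CA certificate. One way to
# build it (JDK keytool; command shown for reference, not executed here):
#   keytool -importcert -alias idp-ca -file idp-ca.pem \
#           -keystore cacerts.jks -storepass password -noprompt
HARDENED_CONFIG = """{
  "realm": "demo",
  "auth-server-url": "https://sso.example.invalid/auth",
  "ssl-required": "external",
  "resource": "myapp",
  "truststore": "cacerts.jks",
  "truststore-password": "password"
}"""


def audit_adapter_config(text: str) -> list:
    """Return a list of findings (empty when nothing is wrong) for a keycloak.json file."""
    cfg = json.loads(text)
    findings = []
    url = cfg.get("auth-server-url", "")

    if cfg.get("disable-trust-manager") is True:
        findings.append("disable-trust-manager is true: the IdP server certificate is not verified")
    if cfg.get("allow-any-hostname") is True:
        findings.append("allow-any-hostname is true: hostname verification is off")
    if cfg.get("ssl-required", "external") == "none":
        findings.append("ssl-required is none: tokens may travel over plain HTTP")
    if "truststore" in cfg and "truststore-password" not in cfg:
        findings.append("truststore is set but truststore-password is missing")
    if url.startswith("http://"):
        findings.append("auth-server-url is plain http: the login redirect and token exchange are unencrypted")
    return findings


def audit_file(path: str) -> list:
    """Convenience wrapper for a deployed keycloak.json (path is whatever the app uses)."""
    with open(path, encoding="utf-8") as fh:
        return audit_adapter_config(fh.read())


if __name__ == "__main__":
    for name, text in (("workaround", WORKAROUND_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_adapter_config(text) or "no findings")
```

A configuration with an https auth-server-url and no truststore key is reported clean on purpose: as the later answer notes, the JVM's default cacerts is used in that case, which is fine as long as the IdP certificate's CA is in it.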
As the setup worked without SSL, a scope-related issue might not result in a 403 error. Instead, connectivity from the client application server to the IDP server over the IDP HTTPS port can be tested first (telnet can be used).

Else, it can be an SSL certificate verification issue, as answered by @Shiva. Just to add to it: ideally, a valid CA certificate may not create a trust issue. In such a case, the supported browsers and Java versions for your IDP certificate's CA can be checked. Just upgrading to the latest Java version or adding the CA's root certificate to your default trust store can solve such problems. This will not require any changes to the keycloak.json file.

GoDaddy certificate issue example.

P.S.: As I could not add a comment, I added these points here.

Rector answered 13/7, 2017 at 18:54 Comment(0)
