
Comments (7)

hylkevds commented on September 25, 2024

I'm fairly new to Keycloak myself :)
I'll have another look at it tomorrow.

from frost-server.

cornelius-agrippa commented on September 25, 2024

Hello Hylke, thank you :)

I think I just found out why: I was missing the attribute "public-client": true in my keycloak.json, and now keycloak seems to accept the client :). It's documented here: https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/java-adapter-config.html but since I only looked at the example which uses almost every attribute except that one, I missed it.

I'm getting a 404 error trying to access any routes past /v1.0 and /DatabaseStatus, however. Though this is likely a problem on my side which I'll check ASAP.


hylkevds commented on September 25, 2024

Did you generate the json config yourself, or did you let Keycloak generate it for you? I think I used the Keycloak generated one, but mine did also have a credentials section with a secret in it.

I also used "use-resource-role-mappings": true so I could set the access rights for read/create/update/delete/admin from Keycloak:

{
  "realm": "sensorThings",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "external",
  "resource": "SensorThingsDevelop",
  "credentials": {
    "secret": "xxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  },
  "use-resource-role-mappings": true
}


cornelius-agrippa commented on September 25, 2024

I did write the json myself based on the link I posted before. Generating through Keycloak gives me a json similar to yours, which works just fine too! Though I needed to change the Access Type to confidential on the client's configuration page.

I'm not sure if I understand use-resource-role-mappings too well yet. It seems to gather the roles based on either the realm or the application, right? I defined the roles realm-wise at the moment.

Thanks for your help so far :)

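As an added example (not code from this thread, from Keycloak or from FROST-Server), the following shows what "use-resource-role-mappings" changes. A Keycloak access token carries realm roles under realm_access.roles and per-client roles under resource_access.<client-id>.roles; with the flag set to true the adapter takes roles from the client entry, so roles that exist only at the realm level are not seen. The token below is a constructed sample of those claims; a real check would also verify the signature, issuer and audience before reading roles.

```javascript
// Added example, not Keycloak or FROST-Server code. Shows which claim the
// "use-resource-role-mappings" setting selects roles from.

const SAMPLE_TOKEN = {               // constructed claims, not a real token
  iss: 'http://localhost:8180/auth/realms/sensorThings',
  aud: 'SensorThingsDevelop',
  exp: 4102444800,                   // far-future expiry for the sample
  realm_access: { roles: ['read'] },
  resource_access: {
    SensorThingsDevelop: { roles: ['read', 'create', 'update'] },
  },
};

// Mirrors the adapter's choice: client (resource) roles when the flag is true,
// realm roles otherwise. Always returns a fresh array, never undefined.
function rolesFor(token, resource, useResourceRoleMappings) {
  if (useResourceRoleMappings) {
    const access = token.resource_access && token.resource_access[resource];
    return access && Array.isArray(access.roles) ? access.roles.slice() : [];
  }
  const realm = token.realm_access;
  return realm && Array.isArray(realm.roles) ? realm.roles.slice() : [];
}

// Authorization decision a service would make after validating the token.
// `now` is seconds since the epoch; it is a parameter so the check is testable.
function isAllowed(token, resource, useResourceRoleMappings, requiredRole,
                   now = Math.floor(Date.now() / 1000)) {
  if (typeof token.exp !== 'number' || token.exp <= now) return false;  // expired tokens carry no rights
  return rolesFor(token, resource, useResourceRoleMappings).includes(requiredRole);
}

// Demonstration: the same token grants "update" only when client roles are read.
console.log('realm roles:', rolesFor(SAMPLE_TOKEN, 'SensorThingsDevelop', false));
console.log('client roles:', rolesFor(SAMPLE_TOKEN, 'SensorThingsDevelop', true));
console.log('update allowed (client roles):',
  isAllowed(SAMPLE_TOKEN, 'SensorThingsDevelop', true, 'update'));
```

With the flag true, a client id that has no entry under resource_access yields an empty role list, which is the situation when roles are defined only realm-wise.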

cornelius-agrippa commented on September 25, 2024

Forgive my double post. I wasn't sure where to ask this or if I should open a new issue.

Have you ever configured your Access Type in keycloak as Bearer-Only (only allow access to the API if the Authorization header is present and the client is the bearer of a valid access-token)? I did this because apparently keeping the Access Type with either public-client or confidential doesn't allow applications to make AJAX calls. This seems to happen because it redirects any AJAX call to the sign-in page (even if a valid token is present on the header).

Sadly I'm having some trouble with it. I'm trying to reach the API through an AJAX client but I keep getting the error: XMLHttpRequest cannot load http://localhost:8080/sensorthings/v1.0. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access. The response had HTTP status code 403.

In the WEB-INF/web.xml of the SensorThingsServer I tried adding the following to the CorsFilter:

<init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
</init-param>
<init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>

But it didn't help. I also tried adding "enable-cors": true to SensorThingsServer's keycloak.json but sadly, to no avail.

EDIT: My frontend client is very simple, just this, using keycloak's adapter. It fails on the AJAX call:

<script type="text/javascript" src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script type="text/javascript" src="http://localhost:8081/auth/js/keycloak.js"></script>
<script type="text/javascript">
    // Load the adapter configuration from keycloak.json and force a login before anything else runs.
    var keycloak = Keycloak('keycloak.json');
    keycloak.init({ onLoad: 'login-required' }).success(function(authenticated) {
        if (authenticated) {
            // Call the SensorThings API with the access token as a bearer token.
            $.ajax({
                method: "GET",
                url: "http://localhost:8080/sensorthings/v1.0/Things",
                headers: {
                    'Authorization': 'Bearer ' + keycloak.token
                }
            }).done(function(msg) {
                console.log(msg);
            });
        }
    });
</script>

Have you ever had an issue with this or do you have any idea what I could be doing wrong?

Thank you again for your time :)


hylkevds commented on September 25, 2024

I've had to add the cors filter settings to the tomcat global web.xml. If they were in the application web.xml they would not work for me.

I also noticed that the security constraints needed some improvements, so I've updated those in the keycloak branch.

After that it worked.

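As an added example (not code from the thread, from Tomcat, from Keycloak or from FROST-Server), the following models the ordering problem behind the error quoted above. Browsers send the CORS preflight (an OPTIONS request) without the Authorization header, so an API that checks the bearer token before it answers the preflight rejects the preflight, and the browser then reports a 403 with no Access-Control-Allow-Origin header. The model answers preflights from an origin allowlist before authentication and requires a valid bearer token for the actual request; the origin list and the token check are constructed placeholders, and the model says nothing about how the Tomcat filter chain or the Keycloak adapter are actually wired.

```javascript
// Added example, not FROST-Server, Tomcat or Keycloak code. Models the order
// in which a bearer-only API should handle CORS preflights and token checks.
// The origin allowlist and the token check are constructed placeholders.

const ALLOWED_ORIGINS = new Set(['http://localhost']);   // constructed allowlist
const ALLOWED_METHODS = 'GET,POST,PATCH,DELETE,OPTIONS';
const ALLOWED_HEADERS = 'Authorization,Content-Type,Accept,Origin,X-Requested-With';

// Placeholder for real access-token validation (signature, issuer, audience, expiry).
function isValidBearer(authHeader) {
  if (typeof authHeader !== 'string') return false;
  const parts = authHeader.split(' ');
  return parts.length === 2 && parts[0] === 'Bearer' && parts[1] === 'valid-token-constructed';
}

// Echo only an allowlisted origin; never answer '*' to a credentialed request.
function corsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': ALLOWED_METHODS,
    'Access-Control-Allow-Headers': ALLOWED_HEADERS,
  };
}

// A preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === 'OPTIONS'
    && req.headers['origin'] !== undefined
    && req.headers['access-control-request-method'] !== undefined;
}

// Working order: origin check, then preflight answer, then bearer check.
// Takes { method, headers } with lowercase header names; returns { status, headers }.
function handleRequest(req) {
  const origin = req.headers['origin'];
  const crossOrigin = origin !== undefined;
  if (crossOrigin && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };      // unknown origin: no CORS headers, browser blocks it
  }
  if (isPreflight(req)) {
    return { status: 204, headers: corsHeaders(origin) };  // preflights never carry Authorization
  }
  const cors = crossOrigin ? corsHeaders(origin) : {};
  if (!isValidBearer(req.headers['authorization'])) {
    return { status: 401, headers: Object.assign({ 'WWW-Authenticate': 'Bearer' }, cors) };
  }
  return { status: 200, headers: cors };
}

// Failing order: token check before everything else. The preflight has no token,
// so it is rejected with no CORS headers, which matches the browser error above.
function handleRequestAuthFirst(req) {
  if (!isValidBearer(req.headers['authorization'])) {
    return { status: 403, headers: {} };
  }
  return handleRequest(req);
}

// Demonstration with a constructed preflight for the GET in the thread.
const preflight = {
  method: 'OPTIONS',
  headers: {
    'origin': 'http://localhost',
    'access-control-request-method': 'GET',
    'access-control-request-headers': 'authorization',
  },
};
console.log('auth-first:', handleRequestAuthFirst(preflight));   // 403, no CORS headers
console.log('cors-first:', handleRequest(preflight));            // 204 with CORS headers
```

The detection angle is the same as the symptom: a 403 on an OPTIONS request that carries Origin and Access-Control-Request-Method, returned without Access-Control-Allow-Origin, is the signature of a preflight being caught by the authentication step.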

cornelius-agrippa commented on September 25, 2024

Indeed, applying CORS settings in the global web.xml worked perfectly.

Thank you for the update as well 👍

