Solving "HTTP 401 Unauthorized" #5

Closed
nefarius opened this issue Nov 16, 2022 · 11 comments

@nefarius

Hi Team!

Am currently testing this with Keycloak 19.0.2, but for example trying to invoke /realms/master/webhooks (or any other routes) only leads to an "An internal server error has occurred" message and no console log. Is there a more verbose log level? Or additional configuration required besides just putting the JAR file in the appropriate place?

Thanks!

@nefarius
Author

Alright, giving it --log-level=DEBUG revealed more information:

2022-11-16 14:56:23,846 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) new JtaTransactionWrapper
2022-11-16 14:56:23,846 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) was existing? false
2022-11-16 14:56:23,847 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper  commit
2022-11-16 14:56:23,847 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end
2022-11-16 14:56:23,847 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1211/0x0000000840b9b440
2022-11-16 14:56:25,822 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (vert.x-eventloop-thread-1) Recalculated absoluteURI to http://devserver:5011/realms/master/webhooks
2022-11-16 14:56:25,823 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-6) new JtaTransactionWrapper
2022-11-16 14:56:25,823 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-6) was existing? false
2022-11-16 14:56:25,826 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-6) `hibernate.connection.provider_disables_autocommit` was enabled.  This setting should only be enabled when you are certain that the Connections given to Hibernate by the ConnectionProvider have auto-commit disabled.  Enabling this setting when the Connections do not have auto-commit disabled will lead to Hibernate executing SQL operations outside of any JDBC/SQL transaction.
2022-11-16 14:56:25,826 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (executor-thread-6) Hibernate RegisteredSynchronization successfully registered with JTA platform
2022-11-16 14:56:25,826 DEBUG [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-6) Error response 401: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
      at io.phasetwo.keycloak.resources.AbstractAdminResource.authenticateRealmAdminRequest(AbstractAdminResource.java:77)
      at io.phasetwo.keycloak.resources.AbstractAdminResource.setupAuth(AbstractAdminResource.java:62)
      at io.phasetwo.keycloak.resources.AbstractAdminResource.setup(AbstractAdminResource.java:42)
      at io.phasetwo.keycloak.resources.WebhooksResourceProvider.getResource(WebhooksResourceProvider.java:26)
      at org.keycloak.services.resources.RealmsResource.resolveRealmExtension(RealmsResource.java:298)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.constructLocator(ResourceLocatorInvoker.java:107)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.resolveTargetFromLocator(ResourceLocatorInvoker.java:87)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.resolveTarget(ResourceLocatorInvoker.java:76)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:137)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
      at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
      at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
      at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
      at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
      at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
      at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
      at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
      at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
      at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
      at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
      at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
      at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
      at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
      at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
      at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
      at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
      at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
      at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
      at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
      at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
      at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
      at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
      at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
      at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:90)
      at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
      at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
      at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
      at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:545)
      at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
      at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
      at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
      at java.base/java.lang.Thread.run(Thread.java:829)

2022-11-16 14:56:25,829 DEBUG [freemarker.cache] (executor-thread-6) Couldn't find template in cache for "error.ftl"("en_US", UTF-8, parsed); will try to load it.
2022-11-16 14:56:25,829 DEBUG [freemarker.cache] (executor-thread-6) TemplateLoader.findTemplateSource("error_en_US.ftl"): Not found
2022-11-16 14:56:25,829 DEBUG [freemarker.cache] (executor-thread-6) TemplateLoader.findTemplateSource("error_en.ftl"): Not found
2022-11-16 14:56:25,829 DEBUG [freemarker.cache] (executor-thread-6) TemplateLoader.findTemplateSource("error.ftl"): Found
2022-11-16 14:56:25,830 DEBUG [freemarker.cache] (executor-thread-6) Loading template for "error.ftl"("en_US", UTF-8, parsed) from "jar:file:/opt/keycloak/lib/lib/main/org.keycloak.keycloak-themes-19.0.2.jar!/theme/base/login/error.ftl"
2022-11-16 14:56:25,833 DEBUG [freemarker.cache] (executor-thread-6) Couldn't find template in cache for "template.ftl"("en_US", UTF-8, parsed); will try to load it.
2022-11-16 14:56:25,833 DEBUG [freemarker.cache] (executor-thread-6) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
2022-11-16 14:56:25,833 DEBUG [freemarker.cache] (executor-thread-6) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
2022-11-16 14:56:25,834 DEBUG [freemarker.cache] (executor-thread-6) TemplateLoader.findTemplateSource("template.ftl"): Found
2022-11-16 14:56:25,834 DEBUG [freemarker.cache] (executor-thread-6) Loading template for "template.ftl"("en_US", UTF-8, parsed) from "jar:file:/opt/keycloak/lib/lib/main/org.keycloak.keycloak-themes-19.0.2.jar!/theme/base/login/template.ftl"
2022-11-16 14:56:25,854 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-6) JtaTransactionWrapper rollback
2022-11-16 14:56:25,854 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-6) Initiating JDBC connection release from afterTransaction
2022-11-16 14:56:25,854 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (executor-thread-6) On TransactionImpl creation, JpaCompliance#isJpaTransactionComplianceEnabled == false
2022-11-16 14:56:25,854 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-6) JtaTransactionWrapper end
2022-11-16 14:56:28,846 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) new JtaTransactionWrapper
2022-11-16 14:56:28,846 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) was existing? false
2022-11-16 14:56:28,846 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper  commit
2022-11-16 14:56:28,847 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end
2022-11-16 14:56:28,847 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1211/0x0000000840b9b440
2022-11-16 14:56:33,846 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) new JtaTransactionWrapper
2022-11-16 14:56:33,846 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) was existing? false
2022-11-16 14:56:33,846 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper  commit
2022-11-16 14:56:33,846 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end
2022-11-16 14:56:33,846 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1211/0x0000000840b9b440

Using a REST client I now also see the issue:

{
	"error": "HTTP 401 Unauthorized"
}

I wonder why... 🤔

@xgp
Member

xgp commented Nov 16, 2022

You have to call the endpoint with an access token. The authenticated user must have the view-events and manage-events roles.

https://github.com/p2-inc/keycloak-events#managing-webhook-subscriptions

If you can show a full request (curl or something similar), that will help debugging.

@nefarius
Author

nefarius commented Nov 16, 2022

> You have to call the endpoint with an access token. The authenticated user must have the view-events and manage-events roles

Goodness, yes, ofc. Sorry, my bad. Did so now! One step further but a different error now 😅

Getting token

image

Attempting getting Webhooks

image

Server console

2022-11-16 15:28:23,965 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) new JtaTransactionWrapper
2022-11-16 15:28:23,966 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) was existing? false
2022-11-16 15:28:23,966 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper  commit
2022-11-16 15:28:23,966 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end
2022-11-16 15:28:23,966 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1211/0x0000000840b9b440
2022-11-16 15:28:25,573 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (vert.x-eventloop-thread-3) Recalculated absoluteURI to http://devserver:5011/realms/CENSORED/webhooks
2022-11-16 15:28:25,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-23) new JtaTransactionWrapper
2022-11-16 15:28:25,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-23) was existing? false
2022-11-16 15:28:25,575 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-23) `hibernate.connection.provider_disables_autocommit` was enabled.  This setting should only be enabled when you are certain that the Connections given to Hibernate by the ConnectionProvider have auto-commit disabled.  Enabling this setting when the Connections do not have auto-commit disabled will lead to Hibernate executing SQL operations outside of any JDBC/SQL transaction.
2022-11-16 15:28:25,575 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (executor-thread-23) Hibernate RegisteredSynchronization successfully registered with JTA platform
2022-11-16 15:28:25,577 DEBUG [io.phasetwo.keycloak.config.RealmAttributesConfigLoader] (executor-thread-23) loading configurations for realm=CENSORED, provider=ext-event-http. using query _providerConfig.ext-event-http
2022-11-16 15:28:25,577 DEBUG [org.hibernate.SQL] (executor-thread-23) select realmattri0_.NAME as name1_46_, realmattri0_.REALM_ID as realm_id3_46_, realmattri0_.VALUE as value2_46_ from REALM_ATTRIBUTE realmattri0_ where realmattri0_.NAME like ? order by realmattri0_.NAME
2022-11-16 15:28:25,578 FINE  [org.postgresql.jdbc.PgConnection] (executor-thread-23)   setAutoCommit = false
2022-11-16 15:28:25,579 DEBUG [io.phasetwo.keycloak.config.RealmAttributesConfigLoader] (executor-thread-23) loading configurations for realm=CENSORED, provider=ext-event-script. using query _providerConfig.ext-event-script
2022-11-16 15:28:25,579 DEBUG [org.hibernate.SQL] (executor-thread-23) select realmattri0_.NAME as name1_46_, realmattri0_.REALM_ID as realm_id3_46_, realmattri0_.VALUE as value2_46_ from REALM_ATTRIBUTE realmattri0_ where realmattri0_.NAME like ? order by realmattri0_.NAME
2022-11-16 15:28:25,582 DEBUG [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-23) Error response 403: org.keycloak.services.ForbiddenException
      at org.keycloak.services.resources.admin.permissions.RealmPermissions.requireViewEvents(RealmPermissions.java:182)
      at io.phasetwo.keycloak.resources.WebhooksResource.getWebhooks(WebhooksResource.java:37)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
      at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
      at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
      at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
      at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
      at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
      at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
      at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
      at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
      at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
      at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
      at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
      at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
      at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
      at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
      at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
      at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
      at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
      at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
      at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
      at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
      at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
      at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
      at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
      at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
      at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
      at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
      at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
      at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
      at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
      at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
      at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:90)
      at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
      at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
      at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
      at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:545)
      at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
      at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
      at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
      at java.base/java.lang.Thread.run(Thread.java:829)

2022-11-16 15:28:25,584 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-23) JtaTransactionWrapper rollback
2022-11-16 15:28:25,584 FINE  [org.postgresql.jdbc.PgConnection] (executor-thread-23)   setAutoCommit = true
2022-11-16 15:28:25,585 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-23) Initiating JDBC connection release from afterTransaction
2022-11-16 15:28:25,585 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (executor-thread-23) On TransactionImpl creation, JpaCompliance#isJpaTransactionComplianceEnabled == false
2022-11-16 15:28:25,585 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-23) JtaTransactionWrapper end

User roles

image

Appreciate the help!

@xgp
Member

xgp commented Nov 16, 2022

Are the roles mapped into the token? Go to jwt.io and decode your token to see. If not, you need to make sure you're mapping the roles into the token in your webhooks-receiver Client.

@nefarius
Author

> Are the roles mapped into the token? Go to jwt.io and decode your token to see.

Ah brilliant, that was the missing piece! Gotta document the whole procedure 😅 Thanks a ton, now I can start tinkering with the actual features 🥳

Client service account roles

image

Decoded token

{
  "exp": 1668613530,
  "iat": 1668613470,
  "jti": "dd13337a-5bf8-495a-b0ee-f24447a6276b",
  "iss": "https://devserver/realms/master",
  "aud": [
    "CENSORED-realm",
    "master-realm",
    "account"
  ],
  "sub": "efad3d71-e455-4c8b-a920-6926d9a380b6",
  "typ": "Bearer",
  "azp": "webhooks-receiver",
  "acr": "1",
  "realm_access": {
    "roles": [
      "default-roles-master",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "CENSORED-realm": {
      "roles": [
        "manage-events",
        "view-events",
        "publish-events"
      ]
    },
    "master-realm": {
      "roles": [
        "manage-events",
        "view-events",
        "publish-events"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "email profile",
  "clientHost": "127.0.0.1",
  "clientId": "webhooks-receiver",
  "email_verified": false,
  "preferred_username": "service-account-webhooks-receiver",
  "clientAddress": "127.0.0.1"
}

REST Client Test

image

nefarius changed the title from "How to enable more verbose logging?" to "Solving "HTTP 401 Unauthorized"" on Nov 16, 2022

@xgp
Member

xgp commented Nov 16, 2022

@nefarius Thanks for your patience and clear communication. Please let me know if you encounter any other issues.

@nkreiger

nkreiger commented Nov 20, 2022

@nefarius I am struggling through this same issue...

{
  "exp": 1669057923,
  "iat": 1668971523,
  "jti": "d0354f08-d737-46a3-9150-c0bf6d732f7c",
  "iss": "**",
  "aud": "account",
  "sub": "9623a24e-9bc6-4818-b6ac-1459e4add633",
  "typ": "Bearer",
  "azp": "**-mgmt",
  "acr": "1",
  "realm_access": {
    "roles": [
      "manage-events",
      "view-events",
      "default-roles-fianu",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "**-mgmt": {
      "roles": [
        "manage-events",
        "view-events"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-events",
        "view-events",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "profile email",
  "email_verified": false,
  "clientHost": "**",
  "clientId": "**-mgmt",
  "preferred_username": "service-account-fianu-mgmt",
  "clientAddress": "**"
}

It appears the correct roles are found. I can see my service account user under those roles in the realm, but I am still getting the 401 unauthorized. Any idea what I am missing?

@nkreiger

nkreiger commented Nov 20, 2022

UPDATE: I believe I was passing in the access token wrong.

Now I am passing it in the GET request to list webhooks properly, but I am getting an unknown error forbidden.

curl --location --request GET 'https://demo.fianu.io/auth/realms/fianu/webhooks' \
--header 'Authorization: Bearer my token' \
--header 'Content-Type: application/json' \
--data-raw '{
  "enabled": "true",
  "url": "https://webhook.site/317996ae-79c9-4f79-b5aa-e9c09cea277a",
  "secret": "****",
  "eventTypes": [
    "*"
  ]
}'

I am using the client secret from the Client ID, I couldn't find a realm level secret, am I missing something there?

@nefarius
Author

Are you sure the token works? Can you try it with some of the core Admin REST API like fetching details for a user?

@nkreiger

@nefarius I figured it out!

I misread the documentation. I was doing all of this in a custom realm, when I see that I should've been creating a client and assigning the SA and roles in the Master realm.

@nkreiger

I was creating the roles view-events etc. in the custom realm; I didn't realize these were pre-defined at the master when you create a new realm. Sorry to bother, thanks for the quick response!
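The token check this thread converges on, as an added example that is not part of the original thread or of the keycloak-events project: it decodes an access token locally (keeping a live token out of third-party sites) and reports where view-events and manage-events actually sit in it. Assumptions: the roles must appear under `resource_access["<realm>-realm"]`, as in the working master-realm token posted above; the two sample tokens are constructed, trimmed imitations of the ones in the thread, and `example-mgmt` is a placeholder client name.

```python
import base64
import json

# Roles the maintainer names in this thread as required for the webhooks API.
REQUIRED_ROLES = {"view-events", "manage-events"}


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))


def role_locations(claims: dict) -> dict:
    """Map each required role to every place in the token where it appears."""
    found = {role: [] for role in REQUIRED_ROLES}
    for role in claims.get("realm_access", {}).get("roles", []):
        if role in found:
            found[role].append("realm_access")
    for client, access in claims.get("resource_access", {}).items():
        for role in access.get("roles", []):
            if role in found:
                found[role].append(f"resource_access.{client}")
    return found


def missing_roles(claims: dict, realm: str) -> set:
    """Required roles absent from the '<realm>-realm' client entry.

    Assumption: that entry is where the roles must sit, as they do in the
    working master-realm token posted in the thread.
    """
    wanted = f"resource_access.{realm}-realm"
    return {r for r, places in role_locations(claims).items() if wanted not in places}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed sample modelled on the token that worked in the thread.
WORKING = make_sample_token({
    "iss": "https://devserver/realms/master",
    "azp": "webhooks-receiver",
    "realm_access": {"roles": ["default-roles-master"]},
    "resource_access": {
        "master-realm": {"roles": ["manage-events", "view-events", "publish-events"]},
    },
})

# Constructed sample modelled on the rejected token: same role names,
# but created by hand in a custom realm and on unrelated clients.
REJECTED = make_sample_token({
    "azp": "example-mgmt",
    "realm_access": {"roles": ["manage-events", "view-events"]},
    "resource_access": {
        "example-mgmt": {"roles": ["manage-events", "view-events"]},
        "account": {"roles": ["manage-account", "manage-events", "view-events"]},
    },
})

if __name__ == "__main__":
    for name, token, realm in (("working", WORKING, "master"), ("rejected", REJECTED, "fianu")):
        claims = decode_payload(token)
        print(f"{name}: missing for realm {realm!r}: {sorted(missing_roles(claims, realm))}")
        for role, places in sorted(role_locations(claims).items()):
            print(f"  {role} -> {places or 'not in token'}")
```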
