Hello there!
So I am new to using Keycloak and I have been struggling to create a web app with Spring Boot secured with Keycloak. This is just a test app for me to learn how to use Keycloak.
What I have done so far:
Created a Keycloak image with Docker using the Kitematic interface (works fine as far as I know)
Configured Keycloak through the web interface (adding a realm, realm roles, a client, client roles and users, and matching all the roles and users as I wanted)
Generated the web app from Spring Boot (while including the Web/Security/Boot DevTools dependencies)
Configured the app (in Java 11) to add the Keycloak 10.0.2 dependencies and properties. Also, created a test controller to test basic GET requests with Postman.
What my issue is:
I can't get anything other than a 401 error (Unauthorized, which may be because I don't send an authentication token with the request).
What I tried:
So I made simple GET requests without any authentication, then I got the access token of a user who had all roles (so all rights) and tried the request again with it, without success.
Another thing is that while I implemented the @RolesAllowed functionality, I have not used it yet. So from what I understood, I should be able to make a request even without any authentication …
Now I think I found something about 20 minutes ago: while recreating the whole project again to check if I did something wrong, I noticed that I couldn't make any request without getting the 401 error, even before adding the Keycloak dependencies. And I managed to get my requests to work perfectly by deleting the spring-boot-starter-security dependency.
Also, I don't know if everything works well with Keycloak, but I know that at least part of the issue is related to that. The bad news is that, as far as I can tell, I'll need this line to configure Keycloak.
Again, I'm a beginner with Keycloak and app security in general, so excuse me if my questions/explanations are a bit hazy, and thanks a lot for helping me!
The roles I used weren't the right ones: in the code above, you can see that I used the roles "app-user" and "app-admin". Those are my realm's roles; at first I was using the client's roles, but apparently I had to use the realm's roles.
I'm still not convinced of the Keycloak devs' reasons behind this choice, and I would be curious if anyone could explain it to me.
In the meantime, sorry zonaut, it seems like it wasn't a CORS problem as you said, but thanks a lot though, as your answers gave me the motivation to keep on looking for my mistake!
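For reference, here is an added example (not code from any post in this thread) of the Keycloak 10.x Spring Boot adapter properties that govern the point made above: by default the adapter checks realm roles from the token's realm_access claim, and keycloak.use-resource-role-mappings is the switch that makes it check the client's own roles instead. Realm name, client id, server URL and URL patterns are assumed placeholders.

```properties
# Added example, not from any post in this thread. Keycloak 10.x Spring Boot
# adapter settings in application.properties. Realm, client id, server URL
# and URL patterns below are assumed placeholders.
keycloak.realm=my-realm
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.resource=spring-test-app
keycloak.ssl-required=external

# The app is called from Postman with a bearer token only: no login
# redirect, and a missing or invalid token on a protected path yields 401.
keycloak.bearer-only=true

# Role source. false (the default): the adapter evaluates realm roles such
# as app-user / app-admin (token claim realm_access.roles).
# true: the adapter evaluates the client's own roles instead
# (token claim resource_access.<client-id>.roles), which is what assigning
# only client roles in the admin console would require.
keycloak.use-resource-role-mappings=false

# Only the paths listed here require a token with the given role; paths
# not matched by any constraint are left open to unauthenticated GETs.
keycloak.security-constraints[0].authRoles[0]=app-user
keycloak.security-constraints[0].securityCollections[0].name=user-api
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/api/*

keycloak.security-constraints[1].authRoles[0]=app-admin
keycloak.security-constraints[1].securityCollections[0].name=admin-api
keycloak.security-constraints[1].securityCollections[0].patterns[0]=/admin/*
```

Note that with spring-boot-starter-security on the classpath and no security configuration class of your own, Spring Boot's default auto-configuration still protects every path with a generated user and HTTP Basic, which produces a 401 for every Postman request before Keycloak is even involved; the Keycloak Spring Security adapter configuration replaces that default.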
Can you tell me the flow? I use the client "admin-cli" as this tutorial says. And I read on Stack Overflow that the user at least needs to have a manage-users role. I really appreciate any help, thanks!
Truly sorry for answering so late; sadly, I'm afraid it won't change much.
I started working on Keycloak at the beginning of my job and quickly moved to another project, so I haven't done much more with Keycloak than what's written in this topic.
Also, I checked what was happening on my side by following the tutorial you linked, but I obviously get the exact same error as you …
I don't have much time to look into it this week (and I sure hope you already figured it out …), but if I come back to it at some point and solve the issue, I'll make sure to post an explanation here.
Sorry for not being able to help, and good luck to you!
I know I'm very late in replying, but I found a solution for this issue.
Admins need the role “manage-users” in Keycloak under Role Mappings > Client Roles > Realm-Management.
Admins with this role may also assign this role to other users, but only this role.
This role gives the user full access to the users in their realm and their group administration.
So assign the roles below in Client Roles > realm-management to your user, along with "view-users":
@cheKeycloak I am running into the same issue as you. I am new to Keycloak. I want to create a client, and enable and disable it based on some business logic. I have Keycloak set up locally. I created a realm, created an initial access token and am following the REST APIs KeycloakRestAPI
No matter what I do I keep on getting 401; it's been 2 days now and I am still struggling. I came across your solution. I have set realm roles for now to test client creation only. Any idea what the probable causes of the 401 are in the case of dynamic client creation?