Always receiving error 401 from web app using KeyCloak

Hello there!
So I am new to KeyCloak and I have been struggling to create a web app with Spring Boot secured with KeyCloak. This is just a test app for me to learn how to use KeyCloak.
What I have done so far:

  • created a KeyCloak image with Docker using the Kitematic interface (works fine as far as I know)
  • configured KeyCloak through the web interface (adding a realm, realm roles, client, client roles, users and matching all the roles and users as I wanted)
  • Generated the web app from Spring Boot (while including the Web/Security/Boot DevTools dependencies)
  • Configured the app (in Java 11) to add the KeyCloak 10.0.2 dependencies and properties. Also, created a test controller to test basic GET request with postman.

What my issue is:
I can’t get anything other than error 401 (Unauthorized, which may be because I don’t send an authentication token with the request).

What I tried:
So I made simple GET requests without any authentication, then I got the access token of a user who had all roles (so all rights) and tried the request again with it, without success.
Another thing is that while I implemented the @RolesAllowed functionality, I have not used it yet. So from what I understood, I should be able to make a request even without any authentication …

Interesting point:
I found a very similar topic on Stack Overflow: https://stackoverflow.com/questions/46882610/keycloak-api-always-returns-401 but I am not sure that it corresponds to my issue and I can’t understand the answers given …

Here are a few screenshots that may be relevant (first time posting here, I apologize in advance if it doesn’t work, also I can’t post more than one image):
the controller configuration:

I have been stuck on this issue for more than 2 days and have reached the point where I have absolutely no idea where it comes from, so any help, even just new clues to dig into, would be very welcome!

Putting at least one more image here that may be relevant:
the postman request with a valid authentication token
Just tell me if you need any more (like the client configuration, for example).

Maybe you can share the example on github so we can take a look at it. It’s just a guessing game like this.

Thanks a lot for answering!
Here is the repository : https://github.com/leomono35/KeyCloakError401
As I said, I hit the issue early on, so there isn’t much in there.

Now I think I found something about 20 min ago: while recreating the whole project from scratch to check whether I had done something wrong, I noticed that I couldn’t make any request without getting error 401, even before adding the KeyCloak dependencies. And I managed to get my requests to work perfectly by deleting the spring-boot-starter-security dependency.

Also, I don’t know if everything works well with KeyCloak, but I know that at least part of the issue is related to that. The bad news is that, as far as I can tell, I’ll need this line to configure KeyCloak.

Again, I’m a beginner with KeyCloak and app security in general, so excuse me if my questions/explanations are a bit hazy, and thanks a lot for helping me!

On first glance it could be a CORS problem. Try setting a bean and check it again.
An example can be found on https://github.com/zonaut/templates/blob/master/java/spring-boot-mvc/src/main/java/com/zonaut/templates/sb/mvc/config/WebConfig.java

I “added” the bean and tried again but got the exact same issue (I updated the git repository : https://github.com/leomono35/KeyCloakError401/blob/master/src/main/java/keyCloakConfiguration/config/WebConfig.java).

I’m putting quotes around “added” as I’m really not familiar with beans, and I may have implemented it wrong …
I’m currently looking for tutorials to learn more about that.

Thanks again for your patience!

Alright! It works!
I uploaded the git repository for anyone who would want a simple working project: https://github.com/leomono35/KeyCloakError401

Now, what were the issues?

  • The authorization configuration I found in some tutorials didn’t seem to work for me, so I used something like this:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http.authorizeRequests()
        .antMatchers("/test/anonymous").permitAll()
        // hasAnyRole("app-user") matches the granted authority "ROLE_app-user"
        .antMatchers("/test/user").hasAnyRole("app-user")
        .antMatchers("/test/admin").hasAnyRole("app-admin")
        .antMatchers("/test/all-user").hasAnyRole("app-user", "app-admin")
        .anyRequest()
        .permitAll();
    // stateless bearer-token API, so CSRF protection is switched off
    http.csrf().disable();
}
```

  • The roles I used weren’t the right ones: in the code above, you can see that I used the roles “app-user” and “app-admin”. Those are my realm’s roles; at first I was using the client’s roles, but apparently I had to use the realm’s roles.
    I’m still not convinced by the KeyCloak devs’ reasons behind this choice, and I would be curious if anyone could explain it to me.

In the meantime, sorry zonaut, it seems it wasn’t a CORS problem as you suggested, but thanks a lot anyway, as your answers gave me the motivation to keep looking for my mistake!


@leomono35 if you use this property then you can use client role also.

keycloak.use-resource-role-mappings=true
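To show where the two role sets discussed above actually live in the token, here is an added Python example (not part of this thread or of the Keycloak project) that decodes a constructed, unsigned access-token payload and mirrors which claim the Keycloak Spring adapter reads with and without keycloak.use-resource-role-mappings; the client id my-client, the user name and the role values are assumptions.

```python
import base64
import json

# Constructed access-token claims in the shape Keycloak issues (values made up
# for this example): realm roles live under realm_access, client roles under
# resource_access keyed by client id.
SAMPLE_CLAIMS = {
    "preferred_username": "alice",
    "realm_access": {"roles": ["app-user"]},
    "resource_access": {"my-client": {"roles": ["app-admin"]}},
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload. with an empty signature, for inspection only;
    a real adapter verifies the RS256 signature against the realm keys."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Read the claims the way you would in Postman or jwt.io (no verification)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def adapter_roles(claims: dict, client_id: str, use_resource_role_mappings: bool) -> set:
    """Which claim the Keycloak Spring adapter turns into authorities:
    realm_access.roles by default, resource_access.<client>.roles when
    keycloak.use-resource-role-mappings=true."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def has_any_role(claims: dict, client_id: str, use_resource_role_mappings: bool, *required: str) -> bool:
    """Spring's hasAnyRole("app-user") checks for authority ROLE_app-user
    (assumes SimpleAuthorityMapper adds the ROLE_ prefix, as in the usual
    Keycloak adapter setup). A valid token that lacks the role gives 403, not 401."""
    granted = {f"ROLE_{r}" for r in adapter_roles(claims, client_id, use_resource_role_mappings)}
    return any(f"ROLE_{r}" in granted for r in required)
```

With the default setting the client role app-admin is never granted, which is why hasAnyRole("app-admin") only worked once the realm role was used.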

Can you make it work in Postman? I face this problem too. I use this to get the access token:

${host}/auth/realms/master/protocol/openid-connect/token (I can’t put multiple media as I’m a new user here)

and then I tried to create a new user, but it seems like I’m not authorized:

Can you tell me the flow? I use the client “admin-cli” as this tutorial wrote. And I read someone say on Stack Overflow that the user at least needs to have a manage-users role. I really appreciate any help, thanks!

Hey!

Truly sorry for answering so late; sadly I’m afraid it won’t change much.

I started working on KeyCloak at the beginning of my job and quickly moved to another project, so I haven’t done much more with KeyCloak than what’s written in this topic.
Also, I checked what was happening on my side by following the tutorial you linked, but I obviously get the exact same error as you …

I don’t have much time to look into it this week (and I sure hope you have already figured it out …), but if I come back to it at some point and solve the issue, I’ll make sure to post an explanation here.

Sorry for not being able to help, and good luck to you!

I know I’m very late in replying, but I found a solution for this issue.
Admins need the role “manage-users” in Keycloak under Role Mappings > Client Roles > Realm-Management.
Admins with this role may also assign this role to other users, but only this role.
This role gives the user full access to the users in their realm and their group administration.
So assign the below roles in Client Roles > realm-management, to your user along with “view-users”:
This may save someone’s day!

@cheKeycloak I am running into the same issue as you. I am new to keycloak. I want to create a client and enable and disable it based on some business logic. I have keycloak set up locally. I created a realm, created an initial access token and am following the REST APIs: KeycloakRestAPI
No matter what I do I keep getting 401; it’s been 2 days now and I am still struggling. I came across your solution. I have set realm roles for now to test client creation only. Any idea what the probable causes of 401 are in the case of dynamic client creation?


Hey @ajkc,

Try toggling these buttons to set Authorization (it’s under Clients > Settings); this will get rid of your 401 error.
Hope it helps!