I am trying to access a protected servlet (whoAmI) which requires the xyz role.
Using Keycloak as the OpenID provider, this is my openid-connect configuration:
<openidConnectClient id="RP" scope="openid" signatureAlgorithm="RS256"
    clientId="liberty" clientSecret="secret"
    discoveryEndpointUrl="https://localhost:8243/auth/realms/abc/.well-known/openid-configuration"
    userIdentityToCreateSubject="id"   <!-- token claim used as the principal name -->
    groupIdentifier="groupof"          <!-- token claim carrying the group names -->
    realmName="abc"
/>
<application type="ear" location="/opt/was-services.ear"></application>
This is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>
    <servlet>
        <servlet-name>abcServlet</servlet-name>
        <servlet-class>com.ABCServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>abcServlet</servlet-name>
        <url-pattern>/abc</url-pattern>
    </servlet-mapping>
    <!-- /abc is only reachable by callers in the "test" role -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secure</web-resource-name>
            <url-pattern>/abc</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description></description>
            <role-name>test</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>test</description>
        <role-name>test</role-name>
    </security-role>
</web-app>
EAR META-INF/ibm-application-bnd.xml:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
    xmlns="http://websphere.ibm.com/xml/ns/javaee"
    version="1.2">
    <!-- maps the web.xml role "test" to the group "gpTest" -->
    <security-role name="test">
        <group name="gpTest"/>
    </security-role>
</application-bnd>
While accessing the servlet, it redirects me to the Keycloak login page and after a successful login redirects me back to the servlet path, but gives this error:
Error 403: AuthorizationFailed
The user is not granted access to any of the required roles: [test]
Liberty accepted the access token and created a session; I can see the WAS_p158005998 cookie in the browser.
Somehow authorisation is failing. Not sure how to map Keycloak groups to Liberty.
Both the accessToken and the idToken contain the id and groupof (array) fields, like below:
{
    "id": "user1",
    "groupof": [
        "gpTest",
        "gpTest2"
    ]
}
Do I need to map any registry? Or is my application binding wrong (I tried the direct group name gpTest, but no use)?
In your application-bnd.xml file, I think the group element needs an access-id attribute, as noted here.
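As an added illustration of the binding the answer describes (this is not the asker's or answerer's file), here is the ibm-application-bnd.xml with the access-id attribute filled in. It assumes Liberty's group access-id format of group:<realmName>/<groupName>, with the realm name "abc" taken from the realmName attribute of the openidConnectClient element above and the group name taken verbatim from the groupof claim; those two values are the assumptions to verify against your own configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
    xmlns="http://websphere.ibm.com/xml/ns/javaee"
    version="1.2">
    <!-- Grants the web.xml role "test" to members of the Keycloak group "gpTest".
         access-id binds the group to the realm in which the OIDC client creates
         the subject: "group:<realmName>/<groupName>". The realm "abc" is assumed
         to match realmName="abc" on openidConnectClient, and "gpTest" must match
         the value in the "groupof" claim exactly (the match is case-sensitive). -->
    <security-role name="test">
        <group name="gpTest" access-id="group:abc/gpTest"/>
    </security-role>
</application-bnd>
```

After redeploying the EAR, a user whose token carries "gpTest" in groupof should reach /abc; a user with only "gpTest2" should still receive the 403, which is a quick way to confirm the mapping rather than the authentication is what changed.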