I have a NestJS REST API. I try to use Keycloak as Authorization Services. I want to secure the endpoints of my REST API with resources, scopes and permissions.
The problem is, I get a 403 Forbidden Resource Error on every request. I try to explain my whole configuration with a lot of images. Am I missing something or have I misunderstood something?
Keycloak Configuration
Evaluation
To test my configuration I use the internal evaluation tool. I have the user "testcustomer" who is a member of the group "Testproject". Therefore he should have access to the resource. The evaluation shows it's working correctly:
REST API:
In my NestJs REST API I'm using the
My Test-Controller
My understanding of the package: When a user (in this case the testcustomer) sends a request to the API to the following URI: "http://localhost:3002/api/test/test", the resource from Keycloak is associated with it. And the testcustomer is authorized to call this endpoint. Other users who are not in the Testproject group will get a 403 Forbidden response.
The problem is that I always get a 403 error no matter if my user is in the group and it doesn't even matter if the resource exists in Keycloak at all.
Note: General authentication or even authorization via roles works.
CodePudding user response:
Thanks to the owner of the package I got the answer:
https://github.com/ferrerojosh/nest-keycloak-connect/issues/137
His answer/solution:
Ah I think it's due to the fact your scopes have the ":" character in it.
If you think of the file in the official keycloak-connect library: https://github.com/keycloak/keycloak-nodejs-connect/blob/f8e397cd7a1a763db5a45a07c3c3e40fec5cf8f2/middleware/enforcer.js#L18-L33
It splits off permission, which is "permission:scope", by simply a split on ":".
What happened here is that the underlying keycloak-connect library receives a string of "File:files:read" and it gets sent to the keycloak enforcer as the resource "File" with the scope "files".
tldr; the solution is to remove the ":" character in your scope. If it doesn't work out for you, you can submit a ticket to the keycloak-connect team as I do not have control over this behavior.
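The split behaviour described in the answer, as an added JavaScript example that is not code from nest-keycloak-connect or keycloak-connect: parsePermission mirrors the described "resource:scope" split, isAuthorized is a hypothetical check against a constructed list of granted permissions (shaped like the rsname/scopes entries of a Keycloak permission ticket), and the scope names are constructed.

```javascript
// Added example (not library code): reproduce why a scope containing ":"
// can never match and therefore always yields 403.

// Split "resource:scope" on ":" as the answer describes the enforcer doing:
// only the first piece is the resource and the second piece is the scope,
// so anything after a second ":" is silently dropped.
function parsePermission(permission) {
  const parts = permission.split(':');
  return { resource: parts[0], scope: parts[1] };
}

// Hypothetical check: does the parsed permission appear among the
// permissions Keycloak granted the user? A permission with no scope
// matches on the resource name alone.
function isAuthorized(permission, grantedPermissions) {
  const { resource, scope } = parsePermission(permission);
  return grantedPermissions.some(
    (p) =>
      p.rsname === resource &&
      (scope === undefined || (p.scopes || []).includes(scope))
  );
}

// Constructed sample grants for the resource "File".
const grantedWithColon = [{ rsname: 'File', scopes: ['files:read'] }];
const grantedWithoutColon = [{ rsname: 'File', scopes: ['files-read'] }];

// "File:files:read" is parsed as resource "File", scope "files": the
// granted scope is "files:read", so nothing matches -> 403.
// "File:files-read" survives the split intact and matches -> allowed.
```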