nest-keycloak-connect

role doesn't match!

Open · cybercoder opened this issue 2 years ago · 1 comment

I'm using it in multi-tenant mode with bearerOnly: true. I've registered the module like this:

imports:

import { ConfigService } from '@nestjs/config';
import {
  KeycloakConnectModule,
  PolicyEnforcementMode,
  TokenValidation,
} from 'nest-keycloak-connect';

  imports: [
    KeycloakConnectModule.registerAsync({
      useFactory: (configService: ConfigService) => ({
        clientId: 'test',
        secret: 'test',
        authServerUrl: configService.get('KEYCLOAK_SERVER_URI'),
        policyEnforcement: PolicyEnforcementMode.PERMISSIVE,
        tokenValidation: TokenValidation.ONLINE,
        bearerOnly: true,
        multiTenant: {
          // Resolve the realm for every request (fixed here for testing).
          realmResolver: (request) => {
            return 'testTenant';
          },
          // Resolve the client secret for the resolved realm.
          realmSecretResolver: (realm) => {
            return 'mysecret';
          },
        },
      }),
      inject: [ConfigService],
    }),
  ],

and providers:

import { APP_GUARD } from '@nestjs/core';
import { AuthGuard, RoleGuard } from 'nest-keycloak-connect';

  providers: [
    // Global guards: authentication first, then role matching.
    {
      provide: APP_GUARD,
      useClass: AuthGuard,
    },
    {
      provide: APP_GUARD,
      useClass: RoleGuard,
    },
  ],

The log shows that everything is correct, but resources are denied due to mismatched role(s). The example controller:

import { Controller, Get, Param, UseGuards } from '@nestjs/common';
import { AuthGuard, RoleGuard, Roles } from 'nest-keycloak-connect';

@Controller(':company')
@UseGuards(AuthGuard, RoleGuard)
export class CompanyController {
  @Get('/')
  // Required role as written in the token's realm_access claim.
  @Roles({
    roles: ['admin'],
  })
  view(@Param('company') company: string) {
    return `your company is : ${company}`;
  }
}

The log shows:

[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Using token validation method: ONLINE
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Authenticated User: {"exp":1662662924,"iat":1662662624,"jti":"13f4b99a-d5bb-4b5f-8fbd-2bffbbcc16ed","iss":"http://localhost:8080/realms/testrealm","aud":"account","sub":"ac10f640-535a-4658-8bcf-daac003e076c","typ":"Bearer","azp":"k","session_state":"66edf11e-e69b-42a9-a1cf-52988d5c9d51","acr":"1","realm_access":{"roles":["default-roles-testrealm","offline_access","admin","uma_authorization"]},"resource_access":{"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"scope":"profile email","sid":"66edf11e-e69b-42a9-a1cf-52988d5c9d51","email_verified":true,"preferred_username":"[email protected]","given_name":"","family_name":"","email":"[email protected]"}
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Controller has no @Resource defined, request allowed due to policy enforcement
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Using matching mode: any
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Roles: ["admin"]
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Resource denied due to mismatched role(s)

As you can see, the token contains "realm_access":{"roles":["default-roles-testrealm","offline_access","admin","uma_authorization"]}, but the role doesn't match.

Keycloak version: 19.0.1
NestJS core and common version: 9.0.0
nest-keycloak-connect version: 1.9.0

cybercoder, Sep 16 '22 21:09

It seems to be a realm role; try prefixing it with realm: so it should be realm:admin

ferrerojosh, Sep 17 '22 18:09

Closed due to no response. Just tell me if you had issues.

ferrerojosh, Dec 16 '22 13:12

Having the same issue, any help? Thanks!

alminisl, May 16 '23 11:05

> It seems to be a realm role; try prefixing it with realm: so it should be realm:admin

Tried this, did not work.

alminisl, May 16 '23 11:05

For me this worked:

  • activated full scope on the client that will issue the token
  • created a User Realm Roles mapper with the token claim name "realm_access.roles" on the client that issues the token
  • added "realm:" to the name of the role that will be compared

sauloarth, Jun 10 '24 14:06
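To make the `realm:` prefix advice from ferrerojosh and sauloarth concrete, here is an added example (my own code, not nest-keycloak-connect's) that re-implements the role lookup convention keycloak-connect's `Token.hasRole` uses as I understand it (an assumption about the library): `realm:<role>` is looked up in `realm_access.roles`, `<client>:<role>` in `resource_access[<client>].roles`, and a bare `<role>` in `resource_access[<configured clientId>].roles`. It runs against the role claims from the token in the log with the issue's `clientId: 'test'`, and goes beyond the thread by also showing the `<client>:<role>` form and the guard's "any"/"all" matching mode.

```typescript
// Added example, not the library's code: minimal model of keycloak-connect's
// role lookup (assumption: "realm:" -> realm_access, "app:" -> resource_access[app],
// bare name -> resource_access[configured clientId]).
interface TokenPayload {
  azp?: string;
  realm_access?: { roles: string[] };
  resource_access?: Record<string, { roles: string[] }>;
}

interface RoleCheck {
  role: string;      // role exactly as written in @Roles()
  claimPath: string; // which token claim was consulted
  matched: boolean;
}

// Resolve one required role against the token and report where it was looked up.
export function checkRole(token: TokenPayload, required: string, clientId: string): RoleCheck {
  const parts = required.split(':');
  if (parts.length === 2 && parts[0] === 'realm') {
    const roles = token.realm_access?.roles ?? [];
    return { role: required, claimPath: 'realm_access.roles', matched: roles.includes(parts[1]) };
  }
  // A bare role name is a client role of the configured clientId, not a realm role.
  const app = parts.length === 2 ? parts[0] : clientId;
  const role = (parts.length === 2 ? parts[1] : parts[0]) ?? '';
  const roles = token.resource_access?.[app]?.roles ?? [];
  return { role: required, claimPath: `resource_access.${app}.roles`, matched: roles.includes(role) };
}

// Mirror the guard's "any" / "all" matching mode over a @Roles() list.
export function isAllowed(token: TokenPayload, required: string[], clientId: string, mode: 'any' | 'all' = 'any'): boolean {
  const results = required.map((r) => checkRole(token, r, clientId));
  return mode === 'any' ? results.some((r) => r.matched) : results.every((r) => r.matched);
}

// Constructed from the "Authenticated User" payload in the issue's log, trimmed to the role claims.
export const sampleToken: TokenPayload = {
  azp: 'k',
  realm_access: { roles: ['default-roles-testrealm', 'offline_access', 'admin', 'uma_authorization'] },
  resource_access: { account: { roles: ['manage-account', 'manage-account-links', 'view-profile'] } },
};

// The issue's configured clientId; the token carries no resource_access entry for it.
export const CLIENT_ID = 'test';

for (const r of ['admin', 'realm:admin', 'account:view-profile']) {
  const c = checkRole(sampleToken, r, CLIENT_ID);
  console.log(`${r.padEnd(22)} -> ${c.claimPath}: ${c.matched ? 'match' : 'MISMATCH'}`);
}
```

The bare `admin` is resolved against `resource_access.test.roles`, which the token does not have, so it reports MISMATCH exactly as the guard's log line does, while `realm:admin` matches.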