Forbidden Error for Account with Full Access

1,101 views

Trevor Fong

Aug 4, 2021, 8:30:54 PM
to Keycloak User
Hi Everyone,

I'm suddenly having a very weird error where all master accounts which have Full Access to everything, are suddenly getting "Forbidden You don't have access to the requested resource" errors whenever they do something like Save updates to a Client or Realm or add a new Identity Provider.  Putting all logging into DEBUG doesn't seem to reveal any smoking guns...

Has anyone seen anything like this before or is able to offer any suggestions?

Thanks a lot,
Trev

Trevor Fong

Aug 4, 2021, 8:46:50 PM
to Keycloak User
Further to my message:

- I don't have a clue what caused it
- Here's a sample log from me trying to update the description of a Client:
   I've highlighted the part when the browser seems to get redirected to the Forbidden page.
   The line immediately before is presumably from when I fail the access test or whatever

2021-08-04 08:46:41,767 DEBUG [io.undertow.request] (default I/O-1) Matched prefix path /auth for path /auth/realms/master/protocol/openid-connect/token
2021-08-04 08:46:41,768 DEBUG [io.undertow.request.security] (default task-12) Attempting to authenticate /auth/realms/master/protocol/openid-connect/token, authentication required: false
2021-08-04 08:46:41,768 DEBUG [io.undertow.request.security] (default task-12) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@<redacted> for /auth/realms/master/protocol/openid-connect/token
2021-08-04 08:46:41,768 DEBUG [io.undertow.request.security] (default task-12) Authentication result was ATTEMPTED for /auth/realms/master/protocol/openid-connect/token
2021-08-04 08:46:41,768 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-12) new JtaTransactionWrapper
2021-08-04 08:46:41,768 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-12) was existing? false
2021-08-04 08:46:41,769 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002315: PathInfo: /realms/master/protocol/openid-connect/token
2021-08-04 08:46:41,769 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-12) Hibernate RegisteredSynchronization successfully registered with JTA platform
2021-08-04 08:46:41,770 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-12) AUTHENTICATE CLIENT
2021-08-04 08:46:41,771 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-12) client authenticator: client-secret
2021-08-04 08:46:41,771 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-12) client authenticator SUCCESS: client-secret
2021-08-04 08:46:41,771 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-12) Client security-admin-console authenticated by client-secret
2021-08-04 08:46:41,771 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-12) replacing relative valid redirect with: https://xyz.com/auth/admin/master/console/*
2021-08-04 08:46:41,771 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-12) replacing relative valid redirect with: https://xyz.com/auth/admin/master/console/*
2021-08-04 08:46:41,772 DEBUG [org.hibernate.SQL] (default task-12)
    select
        clientscop0_.ID as ID1_12_0_,
        clientscop0_.DESCRIPTION as DESCRIPTION2_12_0_,
        clientscop0_.NAME as NAME3_12_0_,
        clientscop0_.PROTOCOL as PROTOCOL4_12_0_,
        clientscop0_.REALM_ID as REALM_ID5_12_0_
    from
        CLIENT_SCOPE clientscop0_
    where
        clientscop0_.ID=?
2021-08-04 08:46:41,774 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-12) Initiating JDBC connection release from afterStatement
2021-08-04 08:46:41,775 DEBUG [org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader] (default task-12) Done entity load : org.keycloak.models.jpa.entities.ClientScopeEntity#<redacted>
2021-08-04 08:46:41,775 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-12) replacing relative valid redirect with: https://xyz.com/auth/admin/master/console/*
2021-08-04 08:46:41,798 DEBUG [org.keycloak.services.resources.Cors] (default task-12) Added CORS headers to response
2021-08-04 08:46:41,799 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) MessageBodyWriter: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
2021-08-04 08:46:41,799 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider
2021-08-04 08:46:41,799 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider
2021-08-04 08:46:41,799 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) Interceptor Context: org.jboss.resteasy.core.interception.ServerWriterInterceptorContext,  Method : proceed
2021-08-04 08:46:41,799 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) WriterInterceptor: org.jboss.resteasy.security.doseta.DigitalSigningInterceptor
2021-08-04 08:46:41,799 DEBUG [org.jboss.resteasy.security.doseta.i18n] (default task-12) Interceptor : org.jboss.resteasy.security.doseta.DigitalSigningInterceptor,  Method : aroundWriteTo
2021-08-04 08:46:41,799 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) Interceptor Context: org.jboss.resteasy.core.interception.ServerWriterInterceptorContext,  Method : proceed
2021-08-04 08:46:41,799 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) MessageBodyWriter: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
2021-08-04 08:46:41,799 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider
2021-08-04 08:46:41,799 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) Provider : org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider,  Method : writeTo
2021-08-04 08:46:41,799 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-12) JtaTransactionWrapper  commit
2021-08-04 08:46:41,799 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (default task-12) On TransactionImpl creation, JpaCompliance#isJpaTransactionComplianceEnabled == false
2021-08-04 08:46:41,801 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-12) Initiating JDBC connection release from afterTransaction
2021-08-04 08:46:41,801 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-12) JtaTransactionWrapper end
2021-08-04 08:46:41,801 INFO  [org.keycloak.events] (default task-12) type=REFRESH_TOKEN, realmId=master, clientId=security-admin-console, userId=1dd0ba0f-2921-456c-9b4e-98e58170a8ee, ipAddress=<redacted>, token_id=ed271d4b-515f-469a-8ef7-d480fd49829d, grant_type=refresh_token,refresh_token_type=Refresh, updated_refresh_token_id=88a51e40-76dc-4a5e-a4fe-37fe9444bd53, scope='openid profile email', refresh_token_id=94fbebb0-bbab-4d62-8fa0-56152b8497cc, client_auth_method=client-secret
2021-08-04 08:46:42,074 DEBUG [io.undertow.request] (default I/O-1) Matched prefix path /auth for path /auth/resources/1dy3d/admin/keycloak/partials/forbidden.html
2021-08-04 08:46:42,074 DEBUG [io.undertow.request.security] (default task-12) Attempting to authenticate /auth/resources/1dy3d/admin/keycloak/partials/forbidden.html, authentication required: false
2021-08-04 08:46:42,074 DEBUG [io.undertow.request.security] (default task-12) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@<redacted> for /auth/resources/1dy3d/admin/keycloak/partials/forbidden.html
2021-08-04 08:46:42,074 DEBUG [io.undertow.request.security] (default task-12) Authentication result was ATTEMPTED for /auth/resources/1dy3d/admin/keycloak/partials/forbidden.html
2021-08-04 08:46:42,075 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-12) new JtaTransactionWrapper
2021-08-04 08:46:42,075 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-12) was existing? false

Thanks everyone,
Trev

Trevor Fong

Aug 4, 2021, 8:48:52 PM
to Keycloak User
I'm running v13.0.1

Trevor Fong

Aug 5, 2021, 8:36:00 PM
to Keycloak User
OMG - it was the WAF getting triggered on a false positive for Remote File Inclusion exploits and blocking the update API, presenting a 403 error.

Thanks,
Trev
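
The log in the second post and the resolution in the last one illustrate a pattern worth automating when triaging admin-console 403s: Keycloak logs a successful REFRESH_TOKEN event, records nothing that looks like a denial, and the very next request it sees is the console fetching partials/forbidden.html. That gap is the tell that the 403 was produced by something in front of Keycloak (here, a WAF rule firing on the client update payload) rather than by Keycloak's own authorization. The script below is an added example written for this thread, not Keycloak's own code. It parses WildFly-style log lines and classifies each forbidden.html fetch. The first scenario in the embedded sample is trimmed from the log above; the second scenario, including the shape of a Keycloak-side denial line (a WARN mentioning Forbidden or an *_ERROR event), is constructed and is an assumption about how a genuine Keycloak denial would appear.

```python
"""Triage helper: did a Keycloak admin-console 403 originate in Keycloak, or in
something in front of it (reverse proxy / WAF)?

Added example for this thread, not Keycloak's own code.  Heuristic: the admin
console refreshes its token (Keycloak logs an org.keycloak.events REFRESH_TOKEN
line) and then calls the admin REST API.  If Keycloak itself denied that call we
expect a Keycloak-side denial line (an *_ERROR event, or a WARN/ERROR mentioning
Forbidden; this shape is an assumption) before the console fetches
partials/forbidden.html.  If the forbidden page is the very next thing Keycloak
sees after a successful refresh, the 403 came from an intermediary Keycloak
never logged.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=([^,\s]+)")           # key=value pairs in event lines
TOKEN_RE = re.compile(r"type=(LOGIN|REFRESH_TOKEN)\b")  # successful token events only

# Constructed sample: scenario 1 is trimmed from the thread's log, scenario 2 is
# invented to show what a Keycloak-side denial would look like (assumed shape).
SAMPLE_LOG = """\
2021-08-04 08:46:41,771 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-12) Client security-admin-console authenticated by client-secret
2021-08-04 08:46:41,801 INFO  [org.keycloak.events] (default task-12) type=REFRESH_TOKEN, realmId=master, clientId=security-admin-console, userId=1dd0ba0f-2921-456c-9b4e-98e58170a8ee, ipAddress=<redacted>, grant_type=refresh_token, scope='openid profile email'
2021-08-04 08:46:42,074 DEBUG [io.undertow.request] (default I/O-1) Matched prefix path /auth for path /auth/resources/1dy3d/admin/keycloak/partials/forbidden.html
2021-08-04 09:00:00,000 INFO  [org.keycloak.events] (default task-3) type=REFRESH_TOKEN, realmId=master, clientId=security-admin-console, userId=00000000-0000-0000-0000-000000000001, ipAddress=<redacted>
2021-08-04 09:00:00,120 WARN  [org.keycloak.services] (default task-3) constructed sample: javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
2021-08-04 09:00:00,300 DEBUG [io.undertow.request] (default I/O-1) Matched prefix path /auth for path /auth/resources/1dy3d/admin/keycloak/partials/forbidden.html
"""


def parse_log(text):
    """Parse log lines into dicts; continuation lines (e.g. multi-line SQL) are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
        records.append(rec)
    return records


def keycloak_denied(rec):
    """True if this line looks like Keycloak itself refusing a request (assumed shape)."""
    if rec["logger"] == "org.keycloak.events" and "_ERROR" in rec["msg"]:
        return True
    return rec["level"] in ("WARN", "ERROR") and "Forbidden" in rec["msg"]


def classify_forbidden(records, window_seconds=2.0):
    """For each forbidden.html fetch, decide where the 403 most likely came from."""
    findings = []
    last_token = None           # most recent successful LOGIN/REFRESH_TOKEN event
    denied_since_token = False  # did Keycloak log a denial after that event?
    for rec in records:
        if rec["logger"] == "org.keycloak.events" and TOKEN_RE.search(rec["msg"]):
            last_token, denied_since_token = rec, False
        elif keycloak_denied(rec):
            denied_since_token = True
        elif "Matched prefix path" in rec["msg"] and "partials/forbidden.html" in rec["msg"]:
            kv = dict(KV_RE.findall(last_token["msg"])) if last_token else {}
            gap = (rec["ts"] - last_token["ts"]).total_seconds() if last_token else None
            if denied_since_token:
                origin = "keycloak"
            elif gap is not None and gap <= window_seconds:
                origin = "intermediary"   # reverse proxy / WAF answered with the 403
            else:
                origin = "unknown"
            findings.append({"ts": rec["ts"], "origin": origin, "gap_seconds": gap,
                             "user": kv.get("userId"), "client": kv.get("clientId")})
    return findings


if __name__ == "__main__":
    for finding in classify_forbidden(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run it against a real server log by passing the file contents to parse_log. An "intermediary" finding means the next place to look is the proxy or WAF log at that timestamp, matching on the admin REST path and the user's IP; an admin-console PUT for a client carries redirect URIs and other URL-shaped fields, which is exactly the kind of payload a remote-file-inclusion signature inspects. The corrective action is a narrowly scoped exclusion (the specific rule, for the admin API path only) rather than turning the WAF off for the whole /auth prefix.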
