Testing HTTP API with service user - getting 403 for some requests

Hi, I am getting 403 for some operations with a service user when consuming the HTTP API, e.g. through Postman.

First of all: testing whole setup with swagger UI (using configured authorizationCode flow) works fine.

Since Swagger does not support the client_credentials flow, I use Postman with a service user, but get 403 when trying to e.g. query an existing asset. At the same time, query asset is working fine.

Here are my steps to reproduce:


  • Postman - configured OAuth 2.0 Authorization with “Client Credentials” grant type

Kind regards
Vladimir

Hi Vladimir, I’d suggest looking at my collection.json file, and the text that goes along with it. Currently, due to the way that keycloak is set up, you do not receive a refresh-token when creating a new OAuth token. To enable refresh-tokens for service users, I’ve created a guide on that post.

Here’s the link: Release: OpenRemote Postman API Collection with fix for OAuth Authentication

I hope that helps,

Panos

Also, I would recommend using my collection.json file in Postman for now, since I’ve made sure it works. It includes proper authentication with OAuth and refresh tokens, variables for realms, hosts, and service users, and every single endpoint already documented. I hope it’ll help you out with what you’re trying to achieve.

To delve deeper into why this is happening, the current timeout for OAuth tokens by service users (clients) in OpenRemote is 60 seconds. So maybe, by the time you are executing the second query, the one for your Asset, the token is expired, there is no refresh token for Postman to use, and you are automatically un-authenticated.

Hi @panos, do you have any intention of making a web sockets collection? I would be so grateful for this.

Hi Panos, first of all, thank you for your support!

I have now taken your collection.json and imported it into Postman, but observe the same behavior.

In my initial tests I had already adapted the AccessToken lifespan to 1000 minutes.

And I saw your hint to set “Use Refresh Token For Client credentials Grant”, so this is set as well.

Asset Query works fine; here is my manager WebUI.

And here is the working response via Postman using the collection you provided.

And here is the same error when trying to create a new asset; I receive 403 again.

How did you create your service user? Does the service user have the correct permissions and is it on the correct realm? The user needs to have write access for you to be able to write new assets.

Hi Panos, I have created the user through the OpenRemote WebUI.

Here are the roles in the manager WebUI.

Also, here is my check of what I have in such a token:

# Keycloak endpoint and the service user's client credentials
KEYCLOAK_URL=https://localhost/auth
KEYCLOAK_REALM=master
KEYCLOAK_CLIENT=test
KEYCLOAK_CLIENT_SECRET=46PRReJX2PuEOSJ3beM7ZObO7ru6v4bo
# Obtain an access token with the client_credentials grant
ACCESS_TOKEN=$(curl --insecure -s "$KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token" \
 --basic --user "$KEYCLOAK_CLIENT:$KEYCLOAK_CLIENT_SECRET" \
 -d grant_type=client_credentials \
 | jq -r '.access_token')
# Take the middle (payload) segment of the JWT and map base64url to base64
PAYLOAD=$(echo "$ACCESS_TOKEN" | cut -d. -f2 | tr '_-' '/+')
# Restore the '=' padding that JWT segments omit, then decode and pretty-print
PAD=$(( (4 - ${#PAYLOAD} % 4) % 4 ))
echo "${PAYLOAD}$(head -c "$PAD" /dev/zero | tr '\0' =)" | base64 -d | jq

And here is the result in the console:

{
  "exp": 1701161353,
  "iat": 1701101353,
  "jti": "19e0bd2a-ed7d-4617-b5ab-2b122c06437f",
  "iss": "https://localhost/auth/realms/master",
  "aud": [
    "openremote",
    "account"
  ],
  "sub": "d3535f05-b120-449d-8d36-39dd26ab70d1",
  "typ": "Bearer",
  "azp": "test",
  "session_state": "74f682df-a617-4580-ae7d-ced79149f0b6",
  "acr": "1",
  "realm_access": {
    "roles": [
      "default-roles-master",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "test": {
      "roles": [
        "uma_protection"
      ]
    },
    "openremote": {
      "roles": [
        "write:logs",
        "write:assets",
        "read",
        "write:admin",
        "read:logs",
        "read:map",
        "read:assets",
        "write:user",
        "read:users",
        "write:rules",
        "read:rules",
        "write:attributes",
        "write",
        "write:insights",
        "read:admin"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "roles profile email",
  "sid": "74f682df-a617-4580-ae7d-ced79149f0b6",
  "clientId": "test",
  "clientHost": "172.19.0.1",
  "email_verified": false,
  "preferred_username": "service-account-test",
  "clientAddress": "172.19.0.1"
}

Try removing the “restricted user” role from your service user role.
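A small stdlib-only script, added here as an example (it is not from this thread or from the OpenRemote project), that does the token check from the post above with correct base64url handling and explains a 403 from the roles in the token: a missing openremote client role for the operation, or the restricted user realm role that the reply above points at. The realm role name restricted_user and the operation-to-role mapping are assumptions, and the sample token is constructed, not a real Keycloak token.

```python
import base64
import json

# Client roles assumed to be needed per manager API operation; the role
# names come from the token in the thread, the mapping is an assumption.
REQUIRED_ROLES = {
    "query_assets": {"read:assets"},
    "create_asset": {"write:assets"},
}
# Assumed Keycloak realm role name behind the "restricted user" flag.
RESTRICTED_ROLE = "restricted_user"


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check).

    JWT segments are base64url without padding, so '-'/'_' are handled
    and the padding the sed|base64 pipeline above lacks is restored.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def explain_403(claims: dict, operation: str, client: str = "openremote") -> list:
    """List reasons the manager could answer 403 for `operation`, judged
    only from the roles carried in the access token."""
    reasons = []
    client_roles = set(claims.get("resource_access", {}).get(client, {}).get("roles", []))
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    missing = REQUIRED_ROLES[operation] - client_roles
    if missing:
        reasons.append(f"missing {client} role(s): {sorted(missing)}")
    if RESTRICTED_ROLE in realm_roles:
        reasons.append(f"realm role {RESTRICTED_ROLE!r} limits access to linked assets")
    return reasons


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for offline testing only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg(claims), ""])


if __name__ == "__main__":
    # Constructed claims mirroring the thread: write:assets is present, but
    # the service user also carries the restricted-user realm role.
    sample = {"realm_access": {"roles": ["default-roles-master", RESTRICTED_ROLE]},
              "resource_access": {"openremote": {"roles": ["read:assets", "write:assets"]}}}
    for op in REQUIRED_ROLES:
        print(op, explain_403(decode_jwt_payload(make_sample_token(sample)), op))
```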

Hi Panos, yes, that helped. Thank you for your support.
Best regards, Vladimir
