wildfly integration with keycloak 403 forbidden er

Published 2019-02-16 03:02

Question:

I have an application integrated with Keycloak. The application runs on a WildFly server. I use web.xml to authenticate with Keycloak (as the login config). Apart from that, I use a keycloak.json file, where I define the Keycloak realm settings in the application. When I invoke the application pages, the Keycloak login page opens; after entering the credentials, it comes back to WildFly with a 403 Forbidden error.

Previously, the same setup was working, but now, after enabling SSL, I'm facing this issue.

Please help me in resolving the issue; does it require any other additional setup for SSL?

Thanks, JP

Answer 1:

If it's the case that login is failing after SSL was enabled, it would be because the SSL certificate was not in the truststore, and you might see this exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

For this you can set disable-trust-manager by adding the following conf in keycloak.json:

  {
    ...
    "disable-trust-manager": true
  }

If this solves the issue, then the proper way of doing it will be to add the certificate to the truststore and specify it in the keycloak.json file like so:

  {
    ...
    "truststore": "cacerts.jks",
    "truststore-password" : "password"
  }
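To make the two settings in this answer concrete, here is an added example (not code from the original post or from the Keycloak project) that reads a keycloak.json, reports how the adapter will treat the IDP certificate, and optionally performs the same trust check in Python that the Java adapter performs when it fails with "peer not authenticated". The realm, hostname and file names are constructed for the example; the live check assumes a PEM CA bundle rather than the JKS truststore the adapter itself reads.

```python
import json
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample adapter config (hypothetical realm, host and client id),
# using the keys discussed in the answer above.
SAMPLE_KEYCLOAK_JSON = """
{
  "realm": "demo",
  "auth-server-url": "https://idp.example.test:8443/auth",
  "ssl-required": "external",
  "resource": "my-app",
  "truststore": "cacerts.jks",
  "truststore-password": "password"
}
"""


def load_adapter_config(text: str) -> dict:
    """Parse keycloak.json, raising a clear error instead of a bare traceback."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"keycloak.json is not valid JSON: {exc}") from exc


def tls_settings(cfg: dict) -> dict:
    """Summarise how the adapter will validate the IDP certificate.

    Returns {"verify": bool, "cafile": path-or-None, "warnings": [str, ...]}.
    """
    warnings = []
    url = urlparse(cfg.get("auth-server-url", ""))
    verify = not cfg.get("disable-trust-manager", False)
    cafile = cfg.get("truststore")

    if url.scheme != "https":
        warnings.append("auth-server-url is not https; no TLS trust is involved")
    if not verify:
        warnings.append("disable-trust-manager is true: IDP certificate is NOT verified "
                        "(acceptable only as a temporary diagnostic)")
    if verify and url.scheme == "https" and cafile is None:
        warnings.append("no truststore configured: the JVM default cacerts must "
                        "already contain the IDP's CA")
    if cafile is not None and "truststore-password" not in cfg:
        warnings.append("truststore set without truststore-password")
    return {"verify": verify, "cafile": cafile, "warnings": warnings}


def check_idp_tls(auth_server_url: str, cafile: Optional[str] = None,
                  timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect to the IDP over TLS and report whether its chain verifies.

    cafile is a PEM CA bundle (assumption of this example; the adapter reads
    a JKS file). Returns (ok, message).
    """
    url = urlparse(auth_server_url)
    if url.scheme != "https":
        return True, "plain http: no certificate verification applies"
    host, port = url.hostname, url.port or 443
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, f"chain verified; subject={cert.get('subject')}"
    except ssl.SSLCertVerificationError as exc:
        # Python's counterpart of the Java "peer not authenticated" failure.
        return False, f"certificate not trusted: {exc.reason}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    cfg = load_adapter_config(SAMPLE_KEYCLOAK_JSON)
    for warning in tls_settings(cfg)["warnings"]:
        print("WARN:", warning)
    # check_idp_tls(cfg["auth-server-url"], cafile="ca-bundle.pem") runs the
    # live check once a reachable IDP and its CA bundle are available.
```

Run the live check with the CA bundle you intend to import into the JKS truststore: if it reports "certificate not trusted", the JKS file will need the same CA before the adapter can complete the login redirect.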


Answer 2:

As the setup worked without SSL, a scope-related issue might not result in a 403 error. Instead, connectivity from the client application server to the IDP server over the IDP HTTPS port can be tested first (you can use telnet).

Else, it can be an SSL certificate verification issue, as answered by @Shiva. Just to add to it: ideally, a valid CA certificate may not create trust issues. In such a case, the supported browsers and Java versions for your IDP certificate's CA can be checked. Just upgrading to the latest Java version or adding the CA's root certificate to your default truststore can solve such problems. This will not require any changes to the keycloak.json file.

GoDaddy certificate issue example.

P.S.: As I could not add a comment, I added these points here.



Answer 3:

The problem was with the Keycloak configuration. The roles created for my application did not have scope. After enabling the role to full scope, the issue got resolved.
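The scope problem in this answer shows up as a role that is assigned to the user but never reaches the access token, so web.xml's auth-constraint rejects the request with 403 even though login succeeded. The following added example (not from the original post or from Keycloak) decodes a token's claims without verifying the signature, purely as a diagnostic, and lists the roles required by the deployment that the token does not carry. The claims, client id and required roles are constructed for the demonstration.

```python
import base64
import json
from typing import Dict, List, Set


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWS.

    Diagnostic only: the signature is not checked here, because the question
    is what roles the token carries, not whether the IDP issued it (the
    adapter does that verification).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def token_roles(claims: Dict, client_id: str) -> Set[str]:
    """Collect realm roles and the client's own roles from a Keycloak access token."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


def missing_roles(claims: Dict, client_id: str, required: List[str]) -> List[str]:
    """Roles named in web.xml's auth-constraint that the token does not carry.

    A non-empty result is exactly the post-login 403 situation: the user
    authenticated, but the role is not in the token, e.g. because the
    client's scope excludes it.
    """
    have = token_roles(claims, client_id)
    return sorted(role for role in required if role not in have)


def make_sample_token(claims: Dict) -> str:
    """Build a constructed token for the demonstration; the signature segment
    is a placeholder, so this token would never pass the adapter's check."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed claims resembling what the adapter receives after login.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test/auth/realms/demo",
    "preferred_username": "jp",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"my-app": {"roles": ["viewer"]}},
}

# Hypothetical role names from the application's web.xml auth-constraint.
REQUIRED_ROLES = ["viewer", "admin"]

if __name__ == "__main__":
    claims = decode_jwt_claims(make_sample_token(SAMPLE_CLAIMS))
    print("roles in token:", sorted(token_roles(claims, "my-app")))
    print("missing for web.xml:", missing_roles(claims, "my-app", REQUIRED_ROLES))
```

With a real token from the browser session, an empty missing list points away from scope and back at the TLS trust checks in the earlier answers; a non-empty one means the role mapping or client scope in the realm is what needs fixing.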