wildfly integration with keycloak 403 forbidden error

滥情空心 2021-01-06 13:23

I have an application integrated with keycloak. The application runs on a wildfly server. I use web.xml to authenticate keycloak (as Login config). Apart from that I use keyclo

3 answers
  • 2021-01-06 14:02

    The problem was with the keycloak configuration. The roles created for my application did not have scope. After enabling the role to full scope, the issue got resolved.

    0 Discussion (0)
  • 2021-01-06 14:07

    If it's the case that login is failing after SSL was enabled, it would be because the SSL certificate was not in the truststore, and you might get this exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

    For this you can disable-trust-manager, by adding the following conf in keycloak.json:

      {
        ...
        "disable-trust-manager": true
      }
    

    If this solves the issue, then the proper way of doing it will be to add the certificate to the trust store and specify it in the keycloak.json file like so:

      {
        ...
        "truststore": "cacerts.jks",
        "truststore-password": "password"
      }
    
    0 Discussion (0)
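Added example, not part of any answer on this page: a pre-deployment check that reads a keycloak.json adapter file and reports TLS trust settings left in a diagnostic state, such as the `disable-trust-manager` switch from the answer above or its sample truststore password copied verbatim. The sample configs, realm and host names are constructed placeholders, and the placeholder-password list is an assumption.

```python
import json

# Constructed sample files; realm, client and host names are placeholders.
BASE = {"realm": "example-realm", "resource": "example-app",
        "auth-server-url": "https://idp.example.test/auth"}
DIAGNOSTIC = json.dumps({**BASE, "disable-trust-manager": True})
PINNED_SAMPLE_PW = json.dumps({**BASE, "truststore": "cacerts.jks",
                               "truststore-password": "password"})
DEFAULT_TRUST = json.dumps(BASE)  # relies on the JVM default trust store

# Values that indicate a copied example rather than a chosen secret (assumed list).
PLACEHOLDER_PASSWORDS = {"password", "changeit", "secret"}


def audit_adapter_config(text):
    """Return (key, reason) findings for the TLS trust settings in keycloak.json."""
    cfg = json.loads(text)
    findings = []
    if cfg.get("disable-trust-manager") is True:
        findings.append(("disable-trust-manager",
                         "certificate validation is off; diagnostic use only"))
    if cfg.get("allow-any-hostname") is True:
        findings.append(("allow-any-hostname", "hostname verification is off"))
    if str(cfg.get("ssl-required", "")).lower() == "none":
        findings.append(("ssl-required", "HTTPS is not enforced for any client"))
    if str(cfg.get("auth-server-url", "")).lower().startswith("http://"):
        findings.append(("auth-server-url", "IDP is reached over plain HTTP"))
    if "truststore" in cfg:
        if cfg.get("truststore-password") in PLACEHOLDER_PASSWORDS:
            findings.append(("truststore-password",
                             "placeholder password copied from an example"))
    return findings


if __name__ == "__main__":
    for name, text in [("diagnostic", DIAGNOSTIC), ("pinned", PINNED_SAMPLE_PW),
                       ("default trust", DEFAULT_TRUST)]:
        for key, reason in audit_adapter_config(text) or [("-", "no findings")]:
            print(f"{name}: {key}: {reason}")
```
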
  • 2021-01-06 14:14

    As the setup worked without SSL, a scope-related issue might not result in a 403 error. Instead, connectivity from the client application server to the IDP server over the IDP HTTPS port can be tested first (can use telnet).

    Else, it can be an SSL certificate verification issue, as answered by @Shiva. Just to add to it, ideally, a valid CA certificate may not create a trust issue. In such a case, supported browsers and Java versions for your IDP certificate's CA can be checked. Just upgrading to the latest Java version or adding the CA's root certificate to your default trust store can solve such problems. This will not require any changes to the keycloak.json file.

    GoDaddy certificate issue example.

    P.S: As I could not add a comment, added these points here.

    0 Discussion (0)