WSo2 API Manager and Keyrock - issue with roles

Question

I have deployed WSo2 API Manager 4.1.0 on a Debian 10 machine using the ZIP archive.

I have configured my Keyrock instance as an external identity provider in the Management Console.

When I log in with the Keyrock admin account, I can access the Publisher of the API Manager.
However, with any other account, I get the following error:

Error 403 : Forbidden - The server could not verify that you are authorized to access the requested resource.

After many verifications, I think I have correctly configured WSo2:

WSo2 API Manager configuration:

Basic Claim Configuration

Role Configuration (I also tried to give all roles to the user)

Federated Authenticators / OAuth2/OpenID Connect Configuration

Just-in-Time Provisioning

Keyrock configuration:

Application configuration

Users authorization

I have no log for WSo2 when the error is displayed.

Here is the content of the JWT token that Keyrock sends back to WSo2:

{
  "organizations": [],
  "displayName": "",
  "roles": [
    {
      "id": "1a209432-7bfe-4055-9028-a42524fc5418",
      "name": "publisher"
    },
    {
      "id": "8192fef7-d77d-4389-a618-082ccddd33ad",
      "name": "apim_publisher"
    }
  ],
  "app_id": "babab169-10ea-4283-a64a-7fba4aca6ce9",
  "trusted_apps": [],
  "isGravatarEnabled": false,
  "id": "1a8f660f-d32f-46c1-a5f5-80a5cbffd219",
  "authorization_decision": "",
  "app_azf_domain": "",
  "eidas_profile": {},
  "attributes": {},
  "shared_attributes": "",
  "username": "pierre.josselin",
  "email": "email@example.com",
  "image": "",
  "gravatar": "",
  "extra": "",
  "iss": "http://localhost:3000",
  "sub": "1a8f660f-d32f-46c1-a5f5-80a5cbffd219",
  "aud": "babab169-10ea-4283-a64a-7fba4aca6ce9",
  "exp": 1657904225,
  "iat": 1657900625,
  "at_hash": "9zTg2zPtFlbJpLmKE8Izsg=="
}

Thank you very much

Have you done the Role Mappings correctly? https://apim.docs.wso2.com/en/latest/administer/managing-users-and-roles/managing-user-roles/#adding-role-mappings — ycr, Jul 16 '22 at 18:58
@ycr according to the following screen captures https://i.stack.imgur.com/IsHJ2.png and https://i.stack.imgur.com/w1Jyt.png I think I did it right — Pierre Josselin, Jul 19 '22 at 07:33
Also, I'm not sure if my claim configuration is properly applied. Indeed, despite having defined the Keyrock username as the WSo2 user ID, it is ignored and the users are created with the Keyrock ID as WSo2 user ID https://i.stack.imgur.com/lfYhv.png — Pierre Josselin, Jul 19 '22 at 07:40

score 0 · Accepted Answer · answered Sep 01 '23 at 17:24

In order to answer this question, there was an incompatibility between the format of the roles returned by Keyrock, and the format expected by the API manager. At least that was the case for the versions I used. I've found a "hacky" solution by adding a server between Keyrock and the API manager responsible for converting the roles to the expected format.

WSo2 API Manager and Keyrock - issue with roles

1 Answers1