Credential issuance fails with 403 — kernel-auth-adapter role mismatch with Spring Security #1782

@iamnot-afk

Description

Summary

After a successful registration and UIN generation, the system fails to issue credentials. The credential request stage gets a 403 Forbidden error when calling the Partner Management Service (PMS) policy API.

What happens

  1. A person registers and gets a UIN — this works fine
  2. The system then tries to create their ID credential (for printing a card, etc.)
  3. This step calls the PMS to check the credential policy
  4. PMS rejects the call with 403 Forbidden — even though the correct roles are configured

Log output

PMS logs show:

AccessDeniedException: Access is denied

at getCredentialTypePolicy endpoint: /v1/partnermanager/partners/{partnerId}/credentialtype/{credentialType}/policies

Credential transactions all fail:

status_code: FAILED
status_comment: API not accessible

The same issue also affects getBiometricExtractors in the BiometricExtractionStage:

RPR-RCT-001 --> 403 Forbidden

Root cause

The kernel-auth-adapter creates user authorities/roles without the ROLE_ prefix (e.g. CREDENTIAL_REQUEST), but Spring Security's hasAnyRole() method automatically adds ROLE_ and looks for ROLE_CREDENTIAL_REQUEST. Since the names don't match, access is always denied.

This is a code-level mismatch — no amount of configuration can fix it. We tried:

  • Adding all required roles to the Keycloak service account (verified in JWT) — still 403
  • Adding auth.role.prefix=ROLE_ to properties — not used by the adapter
  • Adding roles to PMS policy config — no effect

Environment

  • MOSIP 1.2.0.2, config branch 1.2.0.1
  • Also checked 1.2.0.3 release notes — issue not addressed there

Workaround

None found. UIN generation works, but credential/card issuance is completely blocked.
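The prefix mismatch described under Root cause, reproduced as an added example in plain Java (this is not MOSIP's kernel-auth-adapter code and not Spring Security's; it re-implements the documented rule that Spring Security's hasAnyRole() prepends ROLE_ to each requested role unless the name already carries it, while hasAnyAuthority() compares names verbatim). The JWT role list, the class and the method names are constructed for the illustration. The block shows the failing case from the issue (correct role present, still denied) beside the two usual ways of closing this class of bug: normalising authorities to the ROLE_ form at the point where the token becomes an Authentication, or writing the access expression with hasAnyAuthority so it matches what the adapter actually emits.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Standalone model of the ROLE_ prefix rule behind the 403 in this issue.
 * Constructed example: mirrors Spring Security's hasAnyRole()/hasAnyAuthority()
 * matching semantics without depending on Spring; names are hypothetical.
 */
public class RolePrefixMismatch {

    static final String DEFAULT_ROLE_PREFIX = "ROLE_";

    // Assumed: role names exactly as an adapter would copy them out of a
    // Keycloak JWT, with no ROLE_ prefix (constructed sample; CREDENTIAL_REQUEST
    // is the role named in the issue).
    static final List<String> JWT_ROLES = List.of("CREDENTIAL_REQUEST", "PARTNER_ADMIN");

    /** Prepend ROLE_ unless the name already starts with it (the hasAnyRole rule). */
    static String withDefaultPrefix(String role) {
        return role.startsWith(DEFAULT_ROLE_PREFIX) ? role : DEFAULT_ROLE_PREFIX + role;
    }

    /** hasAnyRole semantics: every requested role is prefixed before the lookup. */
    static boolean hasAnyRole(Set<String> granted, String... roles) {
        return Arrays.stream(roles)
                .map(RolePrefixMismatch::withDefaultPrefix)
                .anyMatch(granted::contains);
    }

    /** hasAnyAuthority semantics: requested names are looked up verbatim. */
    static boolean hasAnyAuthority(Set<String> granted, String... authorities) {
        return Arrays.stream(authorities).anyMatch(granted::contains);
    }

    /** Adapter behaviour as described in the issue: authorities are the raw JWT role names. */
    static Set<String> authoritiesWithoutPrefix(List<String> jwtRoles) {
        return Set.copyOf(jwtRoles);
    }

    /** Hardened adapter: normalise each role to the ROLE_ form once, when the token is mapped. */
    static Set<String> authoritiesWithPrefix(List<String> jwtRoles) {
        return jwtRoles.stream()
                .map(RolePrefixMismatch::withDefaultPrefix)
                .collect(Collectors.toSet());
    }

    public static void main(String[] args) {
        Set<String> raw = authoritiesWithoutPrefix(JWT_ROLES);
        Set<String> normalised = authoritiesWithPrefix(JWT_ROLES);

        // Failing case from the issue: the role is in the token, but hasAnyRole looks
        // up ROLE_CREDENTIAL_REQUEST while the granted set holds CREDENTIAL_REQUEST.
        System.out.println("raw authorities      + hasAnyRole      : "
                + hasAnyRole(raw, "CREDENTIAL_REQUEST"));

        // Mitigation 1: fix the adapter so granted authorities carry the prefix.
        System.out.println("prefixed authorities + hasAnyRole      : "
                + hasAnyRole(normalised, "CREDENTIAL_REQUEST"));

        // Mitigation 2: keep the adapter as is, but compare verbatim in the expression.
        System.out.println("raw authorities      + hasAnyAuthority : "
                + hasAnyAuthority(raw, "CREDENTIAL_REQUEST"));

        // Sanity check: a role already carrying the prefix is not double-prefixed.
        System.out.println("prefixed authorities + hasAnyRole(ROLE_...) : "
                + hasAnyRole(normalised, "ROLE_CREDENTIAL_REQUEST"));
    }
}
```

Compile and run with `javac RolePrefixMismatch.java && java RolePrefixMismatch` (Java 10 or later for `List.of` and `Set.copyOf`). The practical check in any deployment hitting this symptom is the same one the model makes explicit: compare the authority strings the adapter actually attaches to the Authentication, character for character, against the names the access expression asks for, since adding roles in Keycloak or in properties cannot help when the two sides disagree on the prefix.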
