kandi X-RAY | keycloak-rest-api Summary
keycloak-rest-api
Top functions reviewed by kandi - BETA
- Update a user
- Get client
- Main entry point
- Deletes a role
- Gets a role
- Update role
- Deletes a user
- Returns the user
- List of users
- Add a role
- List of roles
- Add a user
Community Discussions
Trending Discussions on keycloak-rest-api
QUESTION
I have to move a legacy authentication system to Keycloak and I cannot change the actual workflow on the client. As such, I need to provide with my API (in Node.js) a user creation and login system that in turn creates and gets access tokens from Keycloak on behalf of the user.
I'm able to create a user but I've not been able to find a way to generate an access token for that user. The only workaround I found is to create a user and set a random password, then ask to grant the user by providing username and password, but this means that I have to store a password on my side, which is exactly the reason why I wanted to move to Keycloak.
ANSWER
Answered 2021-Mar-24 at 07:44
The solution is quite complex and needs (at the time of writing) the activation of a "preview" feature of Keycloak named Token Exchange. The process is described at https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange and for my specific case I followed the instructions at https://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange.
First of all you need to enable the Token Exchange feature adding the switch -Dkeycloak.profile=preview to JAVA_OPTS when you run Keycloak. To check that Keycloak loaded preview features, have a look at your server info at /auth/admin/master/console/#/server-info under the section profile:
The idea of the Token Exchange is that you get a token for an administrator of your realm and then you exchange it for a token of a "normal" user. To do so you have to create (if you don't already have) two different clients for your Keycloak realm: the first one is the "starting client" used by the administrator to get the token and the second is the "target client" for which you want the token for the "normal" user.
After that you need to create an admin user for your realm. You can follow the instructions at Keycloak - Create Admin User in a Realm
Then you need to enable the target client to accept the token exchange. You should follow carefully the instructions at https://www.keycloak.org/docs/latest/securing_apps/index.html#_client_to_client_permission
It's a two-step process: create the client policy that specifies which "starting clients" can exchange a token and then enable the permissions for the target client and attach the policy just created to the token-exchange permission:
Having finished with setting up Keycloak, you can actually issue the two calls to first get the token for the administrator of the realm and then get the token for the user with a specific userId.
Get admin token
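The two calls described in the answer above, as an added example that is not part of the original post: it builds the admin login request and the token-exchange request for the legacy /auth token endpoint and runs them in sequence. The config field names (baseUrl, realm, startingClient, startingClientSecret, targetClient) and the function names are assumptions made for this sketch.

```javascript
// Added example. Config field names are assumptions, not Keycloak settings.
const EXCHANGE_GRANT = 'urn:ietf:params:oauth:grant-type:token-exchange';

// Legacy "/auth"-prefixed token endpoint, matching the paths quoted in the post.
function tokenEndpoint(cfg) {
  const base = cfg.baseUrl.replace(/\/+$/, '');
  return `${base}/auth/realms/${encodeURIComponent(cfg.realm)}/protocol/openid-connect/token`;
}

// Form fields shared by both calls; the secret is sent only for a confidential client.
function clientFields(cfg) {
  const fields = { client_id: cfg.startingClient };
  if (cfg.startingClientSecret) fields.client_secret = cfg.startingClientSecret;
  return fields;
}

// Call 1: the realm admin logs in through the "starting client".
function adminTokenRequest(cfg, username, password) {
  const body = new URLSearchParams({ ...clientFields(cfg), grant_type: 'password', username, password });
  return { url: tokenEndpoint(cfg), body };
}

// Call 2: swap the admin token for a token of userId, issued for the "target client".
function exchangeRequest(cfg, adminAccessToken, userId) {
  if (!adminAccessToken || !userId) throw new Error('admin token and userId are required');
  const body = new URLSearchParams({
    ...clientFields(cfg),
    grant_type: EXCHANGE_GRANT,
    subject_token: adminAccessToken,
    requested_subject: userId,
    audience: cfg.targetClient,
  });
  return { url: tokenEndpoint(cfg), body };
}

async function postForm({ url, body }, fetchImpl) {
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  const json = await res.json();
  if (!res.ok) throw new Error(`token endpoint ${res.status}: ${json.error || 'no error code'}`);
  return json.access_token;
}

// Runs both calls; no password for the end user is stored or sent.
async function tokenForUser(cfg, admin, userId, fetchImpl = globalThis.fetch) {
  const adminToken = await postForm(adminTokenRequest(cfg, admin.username, admin.password), fetchImpl);
  return postForm(exchangeRequest(cfg, adminToken, userId), fetchImpl);
}
```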
QUESTION
Experimenting with Keycloak as an Identity Provider. I'm running it by using the ./standalone.sh script.
So, I obtain the access_token like this:
ANSWER
Answered 2021-Feb-05 at 12:49
To create the user using the Keycloak Rest API, one just needs to request from the admin-cli client a token on behalf of the admin user by providing its name and password, for instance as follows:
QUESTION
I was trying to call Keycloak's REST API to create new users under a realm and I was following this tutorial: https://www.appsdeveloperblog.com/keycloak-rest-api-create-a-new-user/
I was able to configure the Admin-cli client as below:
and I was able to get the access token by using the client id and secret:
However, when I make a POST request to /auth/admin/realms/myapp/users with the bearer token, it fails to create a user and I got an "unknow_error"
I searched through the internet and community and documentation but there was no clue. Eventually after hours and hours of trying, I found a solution:
You need to first go to clients --> admin_cli --> Sessions:
Then click on the user "Service-account-admin-cli" and configure such that it has admin role
Then, the previous POST request will successfully create a new user.
I cannot understand why this user "Service-account-admin-cli" is hidden under the users section:
Why would it be hidden??? How are people supposed to find this user (Service-account-admin-cli) and configure it? Does keycloak expect people to find it by clicking clients --> admin_cli --> Sessions and then see the user from there??
ANSWER
Answered 2021-Jan-15 at 13:22
IMO if one is starting to learn Keycloak one should avoid using the master Realm or change the admin_cli configuration like that without a very good reason.
From the Keycloak documentation one can read:
When you boot Keycloak for the first time Keycloak creates a pre-defined realm for you. This initial realm is the master realm. It is the highest level in the hierarchy of realms. Admin accounts in this realm have permissions to view and manage any other realm created on the server instance. When you define your initial admin account, you create an account in the master realm. Your initial login to the admin console will also be via the master realm.
We recommend that you do not use the master realm to manage the users and applications in your organization. Reserve use of the master realm for super admins to create and manage the realms in your system. Following this security model helps prevent accidental changes and follows the tradition of permitting user accounts access to only those privileges and powers necessary for the successful completion of their current task.
So typically you would create a different Realm, and create the users there. Unless you really want to create a user on the master realm, typically admin-alike users.
That being said, to create the user using the Keycloak Rest API, one just needs to request from the admin-cli client a token on behalf of the admin user by providing its name and password, for instance as follows:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install keycloak-rest-api
You can use keycloak-rest-api like any standard Java library. Please include the jar files in your classpath. You can also use any IDE, and you can run and debug the keycloak-rest-api component as you would any other Java program. Best practice is to use a build tool that supports dependency management, such as Maven or Gradle. For Maven installation, please refer to maven.apache.org. For Gradle installation, please refer to gradle.org.