Allow client to retrieve users from keycloak - keycloak

I want to let my client application access user information from keycloak. Therefore, I created another realm (myrealm1) in keycloak and within that realm I created a new client (myclient1).
keycloak configuration:
Client configuration
Actually, I tried a lot of other combinations without success.
In the client scopes tab, I added the admin client scope
In the service account roles tab, I added the admin role
Client scope configuration
For the admin client scope, I assigned the admin role in the scope tab.
Realm role configuration
For the admin realm role, I assigned the admin role in the associated role tab.
REST API Calls
These are the REST API calls I am using
curl --location --request POST 'http://localhost:8080/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=myclient1' \
--data-urlencode 'client_secret=PehR9f95woZmEEHcKfSgPaosu1Yt6P9s' \
--data-urlencode 'grant_type=client_credentials'
Returns
{
"access_token": "eyJhbGciOiJS...",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "email profile admin"
}
So far so good, I do get a token.
curl --location --request GET 'http://localhost:8080/admin/realms/myrealm/users' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJS...'
Returns
HTTP 403
{
"error": "unknown_error"
}
This is not as expected. The expected result would be the user information.
Btw, I do get it working for the admin user of the master realm
curl --location --request POST 'http://localhost:8080/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=password' \
--data-urlencode 'grant_type=password'
But this is not what I want. I would like to get it working for my custom client.
Setup
I am using keycloak 19.0.3
My question
What is missing to get it working? I. e. How do I enable my client to make use of the keycloak REST APIs such as /admin/realms/myrealm/users

You need to go to:
your realm;
your Client;
then go to service account;
Click on Assign Role;
Select Filter by clients;
and search for 'realm-management'
Select and assign the desired roles.

Related

How to get an unobfuscated client-secret for keycloak client-secret REST call

When calling the keycloak REST api (see below) the output value is a string of asterisks (stars) - is it possible to get this information in clear text?
curl \
--silent \
--request GET \
-H "Authorization: bearer <MYACCESSTOKEN>" \
--header 'Content-Type: application/x-www-form-urlencoded' \
"http://keycloakserver:8180/auth/admin/realms/myrealm/clients/<MYCLIENTID>/client-secret"
returns/output:
{"type":"secret","value":"**********"}
How can it be retrieved in a text (not stars) format?
The client is configured with:
clientt protocol: openid-connect
access type: confidential
standard flow: enabled
First, you need to generate the secret. Either via Admin Console:
Or via keycloak REST api, in your case (using POST instead of GET):
curl \
--silent \
--request POST \
-H "Authorization: bearer <MYACCESSTOKEN>" \
--header 'Content-Type: application/x-www-form-urlencoded' \
"http://keycloakserver:8180/auth/admin/realms/myrealm/clients/<MYCLIENTID>/client-secret"

Paypal gives invalid refresh token error and no consent were granted Oauth2

I am trying to refresh the PayPal access token using the refresh token, I have checked that my credentials are right and I am using sandbox credentials.
Here is my curl request
curl --location --request POST 'https://api-m.sandbox.paypal.com/v1/oauth2/token' \
--header 'Authorization: Basic QWNRamY0eHFfOS1JWkpSM3htNURac2hteFhvTFNRb1h3SnZvbFJCM0pfZ0RpcnZpLXFKd21yX2JlYUhRV2gtS2NfRGFOZ19sWXJ1clk3UGw6RUlQVlpRekFqSkZRTmIyTXdsenYtYnRPR2pxejBFUHN5UHpKWF9ObllMSnkydnM3TEFZczBiNGNuUG9ScGZ6RWQ4ZG1manNnelsswrfgth4eGpmTHk=' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=R23.AAJhMawaln1gQ_bkXioY9SG_Xp5X6CENyIBIcw7F-ocj37o5Io9LN8PKd9EcreWbaQk6LQQuUBXWQmMMaTWokK5eFcD1b0SUjYzS1-YCFLId4vKGmk1q7cELtQc5J477scwsk7cXJEuHwXng-vebMlw'
it gives me the response of invalid refresh token and no consent were granted.
{"error":"invalid_refresh_token","error_description":"No consent were granted"}
access token request:
curl --location --request POST 'https://api-m.sandbox.paypal.com/v1/oauth2/token' \
--header 'Authorization: Basic QWNRamY0eHFfOS1JWkpSM3htNURac2hteFhvTFNRdddb1h3SdsdnZvbFJCM0pfZ0RpcnZpLXFKd21yX2JlYUhRV2gtS2NfRGFOZ19sWXJ1clk3UGw6RUlQVlpRekFqSkZRTmIyTXdsenYtYnRPR2pxejBFUHN5UHpKWF9ObllMSnkydnM3TEFZczBiNGNuUG9ScGZ6RWQ4ZG1manNnelh4eGpmTHk=' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=C21AAL7QWYekW8pCXkw9xIlsicTcxlytFJfhNCqk3Fvt-WSsjdgpnJF5U5jbP_NB_0xRqOFdSbjdRkcvyDefsoK8Oui6gqj0A'
Any idea how to solve this ?

How to set user attribute value in Keycloak using API?

How I can set user attribute value using Keycloak Rest API?
Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.
To set a user attribute using the Keycloak Admin REST API; you use the endpoint:
PUT <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/users/<USER_ID>
with the payload
{"attributes":{"<ATTRIBUTE_NAME>":["<ATTRIBUTE_VALUE>"]}}
the <USER_ID> you can get it using the endpoint:
GET <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/?username=<THE_USERNAME>
from the JSON response, extract the field id.
Step-by-Step:
You can get that information using the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. For now, I will be using the admin user from the master realm:
curl https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token \
-d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password"
You will get a JSON response with the admin's token. Extract the value of property access_token from that response. Let us save it in the variable $ACCESS_TOKEN for later reference.
To get the user id from your realm $REALM_NAME:
curl -X GET https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/?username=${USERNAME}&exact=true \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"
From the response extract the user id for example as follows
jq -r .[].id
Or even cleaner is to passed to the
To set the user attribute:
curl -X PUT https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/${USER_ID} \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN" \
-d '{"attributes":{"<ATTRIBUTE_NAME>":["<ATTRIBUTE_VALUE>"]}}'
You can also have a look at setUser script on my GitHub repo.

Creating authorization token for google cloud sql

I am writing an application to fetch query logs from google cloud sql using stack driver monitoring. I am able to retrieve the logs using API explorer. I will be using a curl call to download the logs.
curl --header "Authorization: Bearer ACCESS_TOKEN" --header
'Content-Type: application/json' --header 'x-referer:
https://developers.google.com' -X POST --data
'{"resourceNames":["projectname"],"filter":"logName=logname"}'
"https://content-logging.googleapis.com/v2/entries:list?fields=entries(jsonPayload%2ClogName%2Coperation%2CreceiveTimestamp%2CtextPayload%2Ctimestamp)&key=APIkey"
API key is available in the interface. I have downloaded the json with client details. But I am not able to find any documentation on how to generate ACCESS_TOKEN in this case. Can someone please help me on this?
You can try:
curl -H "Authorization: Bearer "$(gcloud auth application-default
print-access-token) ...
or set:
ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
and then:
curl --header "Authorization: Bearer ${ACCESS_TOKEN}" ...

Accessing Box Api using Refresh token

How can we access the Box API using the refresh token that is generated? I have followed all the steps to generate the access token and refresh token but I cannot find it anywhere how can I access the API using refresh token.
This is what I have right now:
curl -X GET -H "Authorization: Bearer <Access-Token>" "https://api.box.com/2.0/folders/0"
I am not able to do this :
curl -X GET -H "Authorization: <Refresh-Token>" "https://api.box.com/2.0/folders/0"
or
curl -X GET -H "Authorization: Bearer <Refresh-Token>" "https://api.box.com/2.0/folders/0"
Any idea how we can use the Refresh token in an API call?
The access_token is used to make Box Content API calls.
The refresh_token is used to obtain a new access_token & refresh_token pair since access_tokens expire in around 60 minutes.
curl https://api.box.com/oauth2/token
-d 'grant_type=refresh_token' \
-d 'refresh_token=<MY_REFRESH_TOKEN>' \
-d 'client_id=<MY_CLIENT_ID>' \
-d 'client_secret=<MY_CLIENT_SECRET>' \
-X POST