When I add a role to an user, I search that client-role by name and then I get this role representation and add to the user. But I couldn't find out how to search the "realm-admin" role and how to add that to the user with rest api.
That's the url I'm using to search my client-role (GET):
https://{my-keycloak-url}/auth/admin/realms/{realm-name}/clients/{id}/roles/{role-name}
And that's the url I'm using to add this role to the user (PUT):
https://{my-keycloak-url}/auth/admin/realms/{realm-name}/users/{user-id}/role-mappings/clients/{client-id}
What's the equivalent to this "realm-admin"?
You can assign the realm-admin role to user by this API
POST https://{my-keycloak-url}/auth/admin/realms/{realm-name}/users/{user-id}/role-mappings/clients/{realm-management-id}
with this body payload
[
{
"id":{realm-admin-id},
"name":"realm-admin",
"description":"${role_realm-admin}",
"composite":true,
"clientRole":true,
"containerId":{realm-management-id}
}
]
Get master token
This is demo by Postman
OR curl command
curl --location --request POST 'http://localhost:8180/auth/admin/realms/my-realm/users/1b058869-a65d-4648-b4e2-4f5bf7430ea6/role-mappings/clients/33f00bff-d735-4402-88bc-51ea055d15c1' \
--header 'Authorization: Bearer $token' \
--header 'Content-Type: application/json' \
--data-raw '[
{
"id":"c8a60657-9545-4ab3-9913-0186fdb93213",
"name":"realm-admin",
"description":"${role_realm-admin}",
"composite":true,
"clientRole":true,
"containerId":"33f00bff-d735-4402-88bc-51ea055d15c1"
}
]'
GET {user-id} by user list API
GET {realm-management-id} by client list API
GET {realm-admin-id} by client role list API
Related
I'm trying to retrieve yesterday's transfer for one of our customers. Please check the following curl request
curl --request GET \
--url https://api.stripe.com/v1/transfers \
--header 'Authorization: Basic ourPrivateKeyEncoded' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data destination=acct_anAccount \
--data created.gt=1629676800
I'm able to retrieve all the transfers of my customer, but the created filter is not accepted. Meaning the above request without the created.gt is ok.
With this filter Stripe respond me a 400 with this body
{
"error": {
"code": "parameter_unknown",
"doc_url": "https://stripe.com/docs/error-codes/parameter-unknown",
"message": "Received unknown parameter: created.gt. Did you mean created?",
"param": "created.gt",
"type": "invalid_request_error"
}
}
I'm following this documentation, the created filter seems to exist. Does someone have an idea why Stripe doesn't accept my filter?
Replacing created.gt by created[gt] filter key made my request works.
The documentation seems to be outdated
Experimenting with Keycloak as an Identity Provider. I'm running it by using the ./standalone.sh script.
So, I obtain the access_token like this:
curl --request POST \
--url http://localhost:8080/auth/realms/master/protocol/openid-connect/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=admin-cli \
--data client_secret=<the-client-secret-under-master-realm-for-admin-cli-client>
Response:
{
"access_token": "the-access-token",
"expires_in": 60,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "profile email"
}
And then quickly, under my test-realm I try to create a user as follows:
curl --request POST \
--url http://localhost:8080/auth/admin/realms/test-realm/users \
--header 'Authorization: Bearer the-access-token' \
--header 'Content-Type: application/json' \
--data '{
"firstName": "Sergey",
"lastName": "Kargopolov",
"email": "test#test.com",
"enabled": "true",
"username": "app-user"
}'
And I get hit with a 403:
< HTTP/1.1 403 Forbidden
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< Date: Thu, 28 Jan 2021 23:43:57 GMT
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Content-Length: 25
Is there something I'm missing? I'm following this tutorial and I'm doing everything exactly as described!
Edit: I tried the Password Grant way to obtain the Bearer Token and that worked, but NOT the client secret way. I obviously prefer the client secret way (which is where I'm stuck currently). What could be the issue here?
To create the user using the Keycloak Rest API, one just need to request from the admin-cli client a token on behalf of the admin user by providing its name and password, for instance as follows:
TOKEN=$(curl -k -sS -d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password" \
http://$KEYCLOAK_IP/auth/realms/master/protocol/openid-connect/token)
from the $TOKEN object extract the access token (let us named $ACCESS_TOKEN).
And then create the user as follows:
curl -k -sS -X POST https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/users \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-d "$USER_JSON_DATA"
$USER_JSON_DATA will be the json data representation of the user to be created. There is no need to add the role admin to the master admin deployed with Keycloak by default.
If setup normally, you would just need to know (as I already described) the admin's name and password, which is configured in the initial setup anyway.
If you click on the admin user > roles, you would see the following:
The admin user, has already the admin role.
Edit: I tried the Password Grant way to obtain the Bearer Token and
that worked, but NOT the client secret way. I obviously prefer the
client secret way (which is where I'm stuck currently). What could be
the issue here?
Now if you change the admin_cli configuration exactly as you did then you need to add to the Service-account-admin-cli user the role admin.
Now the problem is that Service-account-admin-cli user is hidden in the User section. Nonetheless, you can do the following:
Request again the admin token with your setup;
Go to Master Realm > Clients > admin-cli > Session > Click on [Show Session]:
click on the user service-account-admin-cli;
Go to Role Mappings;
Assign the admin role;
Since the service-account-admin-cli user has now the admin role, a token request on that user's behalf will contain the necessary privileges to create the users.
If the aforementioned does not work, then do the following go to:
Realm Master;
Clients > admin-cli;
Go to Mappers;
Click on [Create];
As Mapper Type select "Hardcoded Role";
Click on Select Role and selection "admin";
Click [Save].
I'm setting up Keycloak as an authentication server https://github.com/keycloak/keycloak/releases/download/12.0.0/keycloak-12.0.0.zip
Java 11
Documentation: https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/oidc-generic.adoc
I can generate the access_token via /realms/{realm-name}/protocol/openid-connect/token
but I cannot call the userinfo endpoint /realms/{realm-name}/protocol/openid-connect/userinfo using a valid access_token which I get from the first API.
POST http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token
{
client_secret: ...,
grant_type: ...,
client_id: ...,
}
response
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOE..."
"expires_in": 3600,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "create"
}
But here is the result when I call the get user info API
GET http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/userinfo
Header: Bearer ${access_token}
Are there any suggestions?
Thank you
Post man test
Keycloak server's log is same
Keycloak bug
I think this is an issue on KC 12.0
When I use KC 11.0.3, above APIs work fine
https://github.com/keycloak/keycloak-community/issues/224
The Jira story:
https://issues.redhat.com/browse/KEYCLOAK-17217
Make sure you are calling the endpoint as follows.
First getting the token:
curl -d "client_id=$YOUR_CLIENT_ID" \
-d "client_secret=$YOUR_CLIENT_SECRET" \
-d "grant_type=client_credentials" \
http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token)
Extract from the JSON response the access_token field (e.g., jq -r .access_token)
Then call the userinfo as follows:
curl -X GET http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/userinfo \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN"
With Postman:
For a setup with Realm Name = "test", client_id = "test", client_secret = "63b61af0-5a99-41d7-8f9b-4e3059b8b9ab" and using client_credentials grant_type.
Getting the token:
and getting the userinfo:
EDIT
The approach below works with Keycloak 10.0.x, and 11.0.x, but gets exactly the same issues as OP's for the version Keycloak 12.0.x (including the latest release Keycloak 12.0.2).
This seams to be regression added with Keycloak 12.0.0 follow this issue for update information.
I'm trying to control my Sonos One (Gen 1) speaker through cloud APIs but all the POST request return 500 Internal Server Error without error message.
I generated an access_token as described in the documentation and was able to obtain information about the 'households' inside my network, finally both the group id and the player id.
I tried to obtain information about the status of the group by performing a GET on the following endpoint and it worked:
https://api.ws.sonos.com/control/api/v1/groups/{{group_id}}/playback
Same with other GET requestes (e.g. groupVolume).
The problem arise when I try to make a POST (e.g. changing the volume or playing an audioClip), it returns 500 Internal Server Error without any body.
For all the requests I am using Postman including as Headers:
Content-Type: application/json
Authorization: Bearer [token]
Content-Length: ??? (automatically inserted by postman)
while for the body of the change volume request I select the raw option and then select JSON(application/json) option.
The body is:
{
"volume": 80
}
The endpoint is the following: https://api.ws.sonos.com/control/api/v1/groups/{{group_id}}/groupVolume
I also tried controlling the player with node (Package) and it works.
Also tried to use Wireshark to see what requests the node-sonos package is performing but it seems it's not using the Cloud APIs.
I expect the player to change volume, but the API doesn't do anything and doesn't return any error message.
EDIT:
The cURL request from POSTMAN is the following:
curl -X POST \
https://api.ws.sonos.com/control/api/v1/players/<playerID>/audioClip \
-H 'authorization: Bearer XXX' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-H 'postman-token: XXX' \
-d '{
"appId": "edu.myInstitute.myName",
"clipType": "CUSTOM",
"name": "Test",
"streamUrl": "http://...mp3_file_url"
}'
At the moment, in order to restart a Mule application, I need to:
Log into Mule via a browser
Navigate to the Runtime Manager
Select my environment
Locate my application
Navigate to Settings
Then restart
I know that MuleSoft have a Management API (CloudHub API), but I cannot find an example of how to restart an application via a REST call.
If anyone has a working example or can point me in the right direction I would appreciate it.
Thanks
Just in case if anyone wants to know how to restart a Mule application hosted on CloudHub via REST API.
Call this API
https://anypoint.mulesoft.com/cloudhub/api/applications/{domain}/status with payload "RESTART"
API Endpoint: /applications/{domain}/status
Method: POST
Example payload in request body:
{
"status": " 'RESTART' or 'stop' or 'start' ",
"staticIpAddress": "10.4.6.22"
}
Postman code snippet: update the bearer token, domain and environment id
curl --request POST \
--url https://anypoint.mulesoft.com/cloudhub/api/applications/{cloudhub-app-
domain}/status \
--header 'Authorization: Bearer token' \
--header 'Content-Type: application/json' \
--header 'Postman-Token: 42539dcd-1d33-4b66-80d9-6cfcc4ed8f77' \
--header 'X-ANYPNT-ENV-ID: environment ID' \
--header 'cache-control: no-cache' \
--data '{\n "status":"RESTART"\n}'
First, you need to install the runtime manager agent
https://docs.mulesoft.com/runtime-manager/installing-and-configuring-runtime-manager-agent
Second, you can find an example in below link:
https://docs.mulesoft.com/runtime-manager/managing-applications-and-domains
Operation: Restart an Application
PUT http://localhost:9999/mule/applications/myapp/restart HTTP/1.1
Content-Type: application/json
Further to developer9's answer, here's how to obtain the Bearer token:
https://anypoint.mulesoft.com/exchange/portals/anypoint-platform/f1e97bc6-315a-4490-82a7-23abe036327a.anypoint-platform/access-management-api/version/v1/pages/Authentication/
To access Platform APIs, you must obtain a token from either the login
endpoint or using the OAuth authorization process.
To authenticate using a username and password, you must invoke the /login API.
POST /accounts/login HTTP/1.1
Content-Type: application/json
{
"username" : "joe",
"password" : "password"
}
This returns the following response and token:
{
"access_token": "d127e2ec-a703-4e2a-8629-e9158804748b",
"token_type": "bearer"
}
You can then use that in the restart (or other API request). Eg (note, update the bearer token, domain and environment id)
curl --request POST \
--url https://anypoint.mulesoft.com/cloudhub/api/applications/{cloudhub-app-
domain}/status \
--header 'Authorization: Bearer d127e2ec-a703-4e2a-8629-e9158804748b' \
--header 'Content-Type: application/json' \
--header 'Postman-Token: 42539dcd-1d33-4b66-80d9-6cfcc4ed8f77' \
--header 'X-ANYPNT-ENV-ID: environment ID' \
--header 'cache-control: no-cache' \
--data '{\n "status":"RESTART"\n}'