Keycloak rest api 401 Unauthorized - jwt

I cannot get a normal REST API call to Keycloak (v19) working.
What I want is that a "normal" user can query for all other Keycloak users.
What I am doing:
create realm "TestRealm"
create client "apiclient", with client authentication on and service account on
go to clients -> service account and assign roles "view-users" & "query-users" of the realm-management client to service account.
create user "TestUser"
assign roles "view-users" & "query-users" to the new user
Now I think everything is done and I can test the API:
Get the access token:
curl --location --request POST 'http://localhost:8081/realms/TestRealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=apiclient' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=TestUser' \
--data-urlencode 'password=ABC' \
--data-urlencode 'client_secret=ABC'
Token contains these values:
"realm_access": {
"roles": [
"offline_access",
"uma_authorization",
"default-roles-testrealm"
]
},
"resource_access": {
"realm-management": {
"roles": [
"view-users",
"query-groups",
"query-users"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
Now the query for all users:
curl --location --request GET 'http://localhost:8081/admin/realms/TestRealm/users' \
--header 'Authorization: Bearer {{keycloak-bearer-token}}'
Response is "401 Unauthorized".
I don't know what I am doing wrong.
EDIT: I had an issue somewhere else and these steps work exactly as expected.
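When a call like the one above returns 401, decoding the token's claims narrows the cause quickly. The following is an added example, not part of the original post: it decodes the payload without verifying the signature (triage only) and checks expiry, issuer and the realm-management roles the question assigns. The issuer value and the sample tokens are constructed assumptions.

```python
import base64
import json
import time
from typing import Optional

REQUIRED = {"view-users", "query-users"}  # roles assigned in the question
ISSUER = "http://localhost:8081/realms/TestRealm"  # assumed: host used for the token call

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Decode the payload only. No signature check: triage, not trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def triage(token: str, issuer: str = ISSUER, now: Optional[float] = None) -> list:
    """Return reasons the admin users call may reject this token."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    findings = []
    if claims.get("exp", 0) <= now:
        findings.append("expired")
    if claims.get("iss") != issuer:
        findings.append("issuer mismatch")
    access = claims.get("resource_access", {}).get("realm-management", {})
    missing = REQUIRED - set(access.get("roles", []))
    if missing:
        findings.append("missing roles: " + ", ".join(sorted(missing)))
    return findings

def sample_token(claims: dict) -> str:
    # Constructed, unsigned token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    return f"{header}.{enc(claims)}.sig"

if __name__ == "__main__":
    tok = sample_token({"iss": ISSUER, "exp": 0, "resource_access": {}})
    print(triage(tok))
```

An empty result means none of these three checks explains the rejection; the server still has to validate the signature itself.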

Related

How can I create a pull request with github api?

The API is : /repos/{owner}/{repo}/pulls.
I used the correct token, and the request body is :
data = {
"base": "master",
"head": "owner:master",
"title": "title",
}
The head is like this:
{'Accept': 'application/vnd.github.v3+json', "Authorization": "token {}".format(git_token)}
Then I call the pull API. Returned 200.
<Response [200]>
Why? Maybe the request body wrong?
The Pull Request API specified the answer:
Status: 201 Created
Try and adapt their example to your repository, to see if it does work:
curl \
-X POST \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/octocat/hello-world/pulls \
-d '{"head":"head","base":"base"}'

Getting "HTTP method not allowed, supported methods: GET" when request is successful

I am working on an Akka-Http project in which I am writing a POST endpoint http://localhost:8080/api/v1/internal/admin/import which requires a header with an access token.
My curl request is as follows
curl --location --request POST 'http://localhost:8080/api/v1/internal/admin/import' \
--header 'Content-Type: application/json' \
--header 'Accept: text/plain' \
--header 'Authorization: correct-token' \
--data-raw '{
"id": 100,
"name": "test"
}'
When the access token is incorrect, I get the http response in the exact format that is expected
{
"status": {
"code": 403,
"error": "authorization_error",
"details": "Invalid token"
}
}
But as soon as I provide a correct token in the header, the http request is successful, but I get a weird message HTTP method not allowed, supported methods: GET.
Just before sending the correct response, I tried to print the JSON and it's correct. My code looks as follows:
onComplete(futureR) {
case Success(result) =>
println(s"Success response json is ${Json.toJson(result)}")
complete(result)
case Failure(ex) => complete(
500 -> StatusResponse(ApiStatus(500, None, None))
)
}
The result I am getting on terminal is Success response json is {"status":{"code":0}} which is correct, however in Postman, I keep on getting the error HTTP method not allowed, supported methods: GET.
Any pointers to this problem? TIA

Unable to assign realm Role to a newly created Keycloak User via Admin REST API

Step 1. Get Access Token:
curl --location --request POST 'https://localhost/auth/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=*******' \
--data-urlencode 'password=*******' \
--data-urlencode 'grant_type=*******' \
--data-urlencode 'client_id=*******'
Step 2. Create user and assign a role:
curl --location --request POST 'https://localhost/auth/admin/realms/MyRealm/users' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <access_token>' \
--data-raw '{
"username": "ayman",
"enabled": true,
"email": " aymanvirtual@gmail.com",
"firstName": "ayman",
"lastName": "ayman",
"emailVerified":true,
"credentials": [
{
"type": "password",
"value": "ayman"
}
],
"realmRoles": [
"test-role"
]
}'
Step 3. Get user details
curl --location --request GET 'https://localhost/auth/admin/realms/MyRealm/users/d3bbe900-c7b3-49c5-9414-28f9433d3fc1' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <access_token>'
Problem:
The user is successfully created but it is not assigned a role (realmRole). After some more research I found that this behaviour is due to a bug in keycloak API (stack overflow issue).
Is there any way to create a user and assign a realm role to it?
Update:
According to some answers, we can use role mappers API calls to map a role to a user. Documentation about those operations: https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_role_mapper_resource
POST /{realm}/groups/{id}/role-mappings/realm
What are the groups in the above URL?
This url: POST /{realm}/groups/{id}/role-mappings/realm is used to assign a realm role to a group where {id} is the group id.
To assign a realm role to a user, use:
# Get the role lists
GET /{realm}/roles
# Get the user lists
GET /{realm}/users
# Assign your role to user
POST /{realm}/users/{userId}/role-mappings/realm
body: [{id: roleId, name: roleName}]
Your request could be:
curl --location --request POST 'https://localhost/auth/admin/realms/MyRealm/users/MyUserId/role-mappings/realm' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <access_token>' \
-d '[
{
"id": "12345678-1234-5678-1234-567812345678",
"name": "admin"
}
]'
I've faced the same issue and corrected it by using a GROUP. Basically, I've added the preferred ROLE into the User Group's ROLE LIST and used that specific user group while creating the user via REST API.
Eg:- ADMIN_USER_GROUP -> INCLUDED ('ADMIN_ROLE')
Then User creation API Request should be like below,
{
"firstName": "Sergey",
"lastName": "Kargopolov",
"email": "test4@test.com",
"enabled": "true",
"credentials": [
{
"value": "123"
}
],
"groups": [
"ADMIN_USER_GROUP"
]
}
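The create-then-map sequence from the answers above, with a read-back check that the role actually landed, as an added example that is not code from the thread. The `send` hook and `FakeKeycloak` are hypothetical stand-ins for an HTTP client and server, and reading the user id from the `Location` header of the create response is an assumption.

```python
import json

ADMIN = "https://localhost/auth/admin/realms/MyRealm"  # base URL as used in the thread

def create_user_with_role(send, token, user, role_name):
    """send(method, url, headers, body) -> (status, headers, json) is a
    hypothetical transport hook; back it with any HTTP client."""
    hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    # 1. Create the user without realmRoles, which the thread reports is ignored.
    body = {k: v for k, v in user.items() if k != "realmRoles"}
    status, resp_hdrs, _ = send("POST", f"{ADMIN}/users", hdrs, json.dumps(body))
    if status != 201:
        raise RuntimeError(f"user creation failed: HTTP {status}")
    # Assumption: the 201 response carries the new user's URL in Location.
    user_id = resp_hdrs["Location"].rstrip("/").rsplit("/", 1)[-1]
    # 2. The mapping call needs the role's id and name, so look the role up.
    _, _, roles = send("GET", f"{ADMIN}/roles", hdrs, None)
    role = next((r for r in roles if r["name"] == role_name), None)
    if role is None:
        raise LookupError(f"realm role {role_name!r} not found")
    # 3. Map the role to the user.
    url = f"{ADMIN}/users/{user_id}/role-mappings/realm"
    payload = json.dumps([{"id": role["id"], "name": role["name"]}])
    status, _, _ = send("POST", url, hdrs, payload)
    if status >= 300:
        raise RuntimeError(f"role mapping failed: HTTP {status}")
    # 4. Read the mapping back rather than trusting the status code.
    _, _, granted = send("GET", url, hdrs, None)
    if role_name not in {r["name"] for r in granted}:
        raise RuntimeError("role not present after assignment")
    return user_id

class FakeKeycloak:
    """Constructed in-memory stand-in so the flow runs offline."""
    def __init__(self):
        self.roles = [{"id": "r-1", "name": "test-role"}]
        self.mappings = {}

    def send(self, method, url, headers, body):
        if url == f"{ADMIN}/users":
            self.mappings["u-1"] = []  # mimics the reported behaviour: no roles set
            return 201, {"Location": f"{ADMIN}/users/u-1"}, None
        if url == f"{ADMIN}/roles":
            return 200, {}, self.roles
        user_id = url.split("/users/")[1].split("/")[0]
        if method == "POST":
            self.mappings[user_id] += json.loads(body)
            return 204, {}, None
        return 200, {}, self.mappings[user_id]
```

Failing loudly when the read-back does not show the role keeps a provisioning script from leaving accounts with fewer privileges than intended without anyone noticing.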

How to send a form with just 1 TextBox and 1 Button via Postman

I tried creating a request via postman with below Request Body with 1 input text,
{
"subject" : "Fill Up the Form",
"content" : "Form Data",
"formMetaData" : {
"id": "myform1234",
"controls": [{
"type": "Circuit.Enums.FormControlType.INPUT",
"name": "Your Name"
}]
}
}
But I am only getting the Content and Subject part in Circuit Sandbox. The form part is missing.
Using the Rest API and not the SDK you should replace the ENUMS with strings for the control types.
I have a working code sample in Postman for this
curl -X POST \
https://beta.circuit.com/rest/v2/conversations/6aecff9e-1aa0-46f3-8e24-8519e2956291/messages \
-H 'Authorization: Bearer 11111omitted' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-F 'content=Please fill in the form below' \
-F 'subject=Test form' \
-F 'formMetaData={"id":"myformonbeta","title":"Test Form","controls":[{"type":"INPUT","name":"name","text":"What is your namne ?","rows":1},{"type":"BUTTON","text":"Send"}]}'
Hope this helps

How can I authenticate with google cloud in Unity?

I'm trying to use google automl object detection in a Unity project.
Here is the google curl command example:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json" \
https://automl.googleapis.com/v1beta1/projects/${PROJECT_ID}/locations/us-central1/models/model-id:predict \
-d '{
"payload" : {
"image": {
"imageBytes" : "/9j/4AAQSkZJRgABAQAAAQ … "
},
}
}'
After some googling, I start to create a UnityWebRequest to test response:
WWWForm form = new WWWForm();
var postUrl = "https://automl.googleapis.com/v1beta1/projects/1043345783500/locations/us-central1/models/IOD1798528344157847552:predict";
using (UnityWebRequest www = UnityWebRequest.Post(postUrl, form))
{
www.SetRequestHeader("Authorization", @"Bearer $(gcloud auth application-default print-access-token)");
yield return www.SendWebRequest();
if (www.isNetworkError)
{
Debug.Log(www.error);
}
else if (www.isDone)
{
Debug.Log(www.downloadHandler.text);
}
}
So the response from google is:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
I understand that, I am not unauthenticated but couldn't understand how I can authenticate. Do I have to make an authentication request? How? Do I have to post something to get an access token? Then where should I send it?
I downloaded some credentials from google server but I really don't have any idea how to use it...