The user sends me its id and password.
Then I want to check if it is valid on the keycloak.
I can try to log in, but the session is created in keycloak.
I even thought about to log out after logging in.
But this is very inefficient.
Is there a way to check if id and passwd are valid without creating a session?
If there was such a way, my task will be very easy.
If there is no way, I have to log in instead of my user and manage the token instead.
This is relatively more complex to implement.
As far as I know out-of-the-box there is no way to avoid creating the session.
If there is no way, I have to log in instead of my user and manage the
token instead. This is relatively more complex to implement.
Not really, since, the password and username are handed to your application, you can use the following approach:
Create in Keycloak a client (in the appropriate Realm) with direct grand access flow enabled (know as Resource Owner Password Flow in OAuth2);
Set the Access token for that client to be very short living (e.g., one minute).
Make a POST request with the username and password to the client, something as follows:
curl --request POST \
--url "http://$KEYCLOAK_HOST/auth/realms/$REALM_NAME/protocol/openid-connect/token" \
--data client_id=$CLIENT_ID \
--data username=$USERNAME \
--data password=$PASSWORD \
--data grant_type=password
If you get back as a response a token, then it means that the user credentials are valid, if not then those credentials are invalid.
In case you get back the token, you can explicitly logout the session, for instance as follows:
ACCESS_TOKEN=$(echo $TOKEN | jq -r .access_token)
SESSION_STATE=$(echo $TOKEN | jq -r .session_state)
curl -k -X DELETE "http://$KEYCLOAK_HOST/auth/admin/realms/master/sessions/$SESSION_STATE" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN"
Or since the access token is very short living, let Keycloak eventually clean up the session.
Related
I am trying to make a call https://api.github.com/repos/OWNER/REPO/actions/runners/registration-token with an users personal access token that has repo permissions.
To do so I am testing with:
curl -I -X POST -H "Authorization: token <OAUTH_TOKEN> Accept: application/vnd.github.v3+json" https://api.github.com/repos/<owner>/<repo-name>/actions/runners/registration-token which gives me Bad Credentials error
curl -I -H "Authorization: token <OAUTH_TOKEN>" https://api.github.com/users/<USER_NAME> ->
x-oauth-scopes: repo
x-accepted-oauth-scopes:
According to this: https://docs.github.com/en/rest/actions/self-hosted-runners I need to provide an oauth token with repo access.
If I curl the user curl -H "Authorization: token <OAUTH_REPO_TOKEN>" https://api.github.com/users/<USER>/repos -> []. But if I go to the repo and check settings -> Collaborators And Teams, the user is listed as part of the team with admin privledges, and I have also added an entry for the user directly.
Is there something I am missing? What permissions do I need to add to fix this?
I needed to call the API with a user name as well. For example:
curl -I -X POST -u <USER>:<OAUTH_REPO_TOKEN> -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/<owner>/<repo-name>/actions/runners/registration-token. Passing a -v option reveals that it was not setting a username, and causing github to reject the call.
How I can set user attribute value using Keycloak Rest API?
Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.
To set a user attribute using the Keycloak Admin REST API; you use the endpoint:
PUT <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/users/<USER_ID>
with the payload
{"attributes":{"<ATTRIBUTE_NAME>":["<ATTRIBUTE_VALUE>"]}}
the <USER_ID> you can get it using the endpoint:
GET <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/?username=<THE_USERNAME>
from the JSON response, extract the field id.
Step-by-Step:
You can get that information using the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. For now, I will be using the admin user from the master realm:
curl https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token \
-d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password"
You will get a JSON response with the admin's token. Extract the value of property access_token from that response. Let us save it in the variable $ACCESS_TOKEN for later reference.
To get the user id from your realm $REALM_NAME:
curl -X GET https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/?username=${USERNAME}&exact=true \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"
From the response extract the user id for example as follows
jq -r .[].id
Or even cleaner is to passed to the
To set the user attribute:
curl -X PUT https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/${USER_ID} \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN" \
-d '{"attributes":{"<ATTRIBUTE_NAME>":["<ATTRIBUTE_VALUE>"]}}'
You can also have a look at setUser script on my GitHub repo.
As admin of a Keycloak server, how can I obtain access-token of a particular user without knowing his password? Unfortunately impersonation doesn't help me because it does not contain neither his id nor his username.
There's a feature starting from keycloak 3.4.0 called token exchange wich allows you to exchange an access token from a user with impersonation permission to get other token on behalf of the other user. You can use the token endpoint this way:
curl -X POST \
-d "client_id=starting-client" \
-d "client_secret=geheim" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "subject_token=...." \
--data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
-d "audience=target-client" \
-d "requested_subject=wburke" \
http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token
You might find this post useful too.
As a federated user, it must use an API key or one-time passcode to authenticate. I have tried to execute that the below curl request:-
Example :-
Input :-
curl -s -u 'bx:bx' -k -X POST --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json' -d "grant_type=password&response_type=cloud_iam,ims_portal&username=${1}&password=${2}&ims_account=${3}" https://iam.ng.bluemix.net/oidc/token
Output :-
"errorMessage":"You cannot authenticate with user name and password, as you are a federated user","errorDetails":"Your user id '<<><><>>' is federated and must use an API key or one-time passcode to authenticate"
But how we authenticate the user to generate the iam_token and iam_user_id?
Reference :-
https://softlayer.github.io/rest/IBMidtoSLKey/
The code snippet you reference from the SoftLayer guide has the result of setting the SoftLayer Username and API key:
echo "SL_USERNAME: $SL_USERNAME"
echo "SL_API_KEY: $SL_API_KEY"
This is a roundabout way to find the same information that is listed as API Username and Authentication Key seen in your User Profile. If you do not see an API username and Authentication Key, you can create one on the Actions menu next to your name in the User List.
You can then execute Infrastructure APIs, which I expect is the ultimate goal.
export IAAS_USERNAME=<API Username>
export IAAS_KEY=<Authentication Key>
curl -u $IAAS_USERNAME:$IAAS_KEY https://api.softlayer.com/rest/v3/SoftLayer_Account/getAllBillingItems
It's unclear if the discussion around IAM tokens is necessary. Please provide more guidance on what you're trying to achieve if the above suggestion is insufficient.
I have a bitbucket cloud account. Under: https://id.atlassian.com/manage/api-tokens I have generated an API Token which I am trying to use in a REST call to upload
a public SSH key to my account. Based on:
https://docs.atlassian.com/bitbucket-server/rest/5.6.2/bitbucket-ssh-rest.html?utm_source=%2Fstatic%2Frest%2Fbitbucket-server%2F5.6.2%2Fbitbucket-ssh-rest.html&utm_medium=301#idm45427244388592
https://community.atlassian.com/t5/Answers-Developer-Questions/Bitbucket-REST-API-POST-using-token-instead-of-basic-auth/qaq-p/474823
I have tried:
curl -X POST -d '{"text":"ssh-rsa AAAAB3... me#127.0.0.1"}' -H "Authorization: Bearer ADasdaEeasAsd..." https://bitbucket.org/[my-account]]/rest/ssh/latest/keys
But when I run that I get:
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
I have tried to re-create the token and re-run the above command again - with the new token - but I get the same error.
Any suggestions?
Based on below answer and link I have now tried:
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer wxdrtblabla..." \
-d '{"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqP3Cr632C2dNhhgKVcon4ldUSAeKiku2yP9O9/bDtY myuser#bitbucket.org/myuser"}' \
https://api.bitbucket.org/2.0/users/myuser/ssh-keys
But I get the exact same error:
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
So still no luck. Also if I access:
https://api.bitbucket.org/2.0/users/[myuser]/ssh-keys
directly in a browser I get:
type "error"
error
message "This API is only accessible with the following authentication types: session, password, apppassword"
EDIT/ANSWERED: Based on the updated answer below I have no tried to create an app password and grant it account: read/write in bitbucket and it works. I run it with:
curl -v -u myuser:my-generated-app-password -X POST \
-H "Content-Type: application/json" \
-d '{"key": "ssh-rsa AAA....ro"}' \
https://api.bitbucket.org/2.0/users/myuser/ssh-keys
You're looking at Bitbucket Server documentation but using Bitbucket Cloud. (The giveaways: the "bitbucket-server" part of the doc path, and the "bitbucket.org" in the path where you're pushing your key.)
Check out https://developer.atlassian.com/bitbucket/api/2/reference/resource/users/%7Busername%7D/ssh-keys#post instead - that's the Bitbucket Cloud documentation to do what you're trying to do. Your URL will be more like https://api.bitbucket.org/2.0/users/[your-account]/ssh-keys.
EDIT: The error you received indicates the problem: you either need to make that call from within an existing session (i.e. from the GUI), use your password, or use an app password. I'd recommend the app password, since it's scoped, meant to be disposable, and won't let you log onto the GUI. Your curl call then becomes something like curl -u myuser:myapppassword -X POST -H "Content-Type: application/json" -d '{"key": "key content goes here"}' https://api.bitbucket.org/2.0/users/myuser/ssh-keys.