Keycloak returns Unauthorized 401 - rest

I'm running bitnami's Keycloak image on my local.
what I want to do is; use Keycloak REST APIs.
but no matter how hard I try, I'm getting 401.
I have done what's written in the doc. so this is a screenshot of the client. access type is confidential, and a service account is enabled. this is testapi client that I created;
here you can see the service account roles;
to view and manage users, I assigned manage-users and view-user roles.
firstly, to get the access_token , I'm using client_id and client_credential.
as you can see from here;
I have no problem getting the access token.
but when I try to get the user list or create a new user, I always get 401.
here you can see that I used the SAME access_token that I got from the http://localhost:8092/auth/realms/test/protocol/openid-connect/token
it doesn't make sense. I started to think about smashing the computer.
any help would be greatly appreciated

it doesnt work like this ,the process of getting users is as below:
First try to get access token for admin
POST http://localhost:8080/realms/master/protocol/openid-connect/token
the body of ur request will be x-wwww-url-encoded
client_id = admin-cli
username=admin
password=admin's password
grant_type=password
the response contains access token for admin
Second step is to get users of your realm in your case is test
Get http://localhost:8080/admin/realms/test/users
and pass the bearer token of admin in this request

Related

Microsoft Graph API: Getting ErrorAccessDenied for multi-tenant application with application permission

I'm writing a daemon app for my customers (multiple tenants) who are using outlook.
I'm using 2 application permissions that need admin consent - Mail.ReadBasic.All and
User.Read.All. my app first needs to read all the users' ids, then get all the metadata of their emails.
I've created a new tenant with office365 to test this, let's call it - test, and sent a couple of emails between 2 users.
So, at first, I'm redirecting the admin of the test org to the adminconsent endpoint, where he/she is granting application permissions to my app. This is the URL I'm using:
https://login.microsoftonline.com/organizations/v2.0/adminconsent?
client_id=<the app ID>
&state=<some state>
&redirect_uri=<my redirect URL as written in the app configuration>
&scope=https://graph.microsoft.com/.default
After calling this endpoint I can see my app listed in the test org under the Enterprise applications and can see the relevant permissions were granted by an admin.
Since I'm not getting a code from this flow (needed for the oAuth2 authentication flow), I then need to ask the admin to login again. I'm using this URL for that:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
client_id=<same app ID>
&response_type=code
&redirect_uri=<same redirect URL>
&scope=https://graph.microsoft.com/.default+offline_access+openid+profile
&state=<some state>
After the login is successful I'm getting a code back to my redirect URL and after another request, I'm getting an access token. Using this access token I'm trying to access any of the following APIs:
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/users/user-id-of-user-in-test-org/messages
But I'm getting ErrorAccessDenied with a message: Access is denied. Check credentials and try again.
Further information:
I'm using python and the MSAL package to build the app (using the class - ConfidentialClientApplication) and the URLs for the authentication flow (but not for the adminconsent endpoint, as I couldn't find out how to do it)
Do you know what I'm doing wrong? I'm losing my mind over this... :(
This page should describe everything you need:
https://learn.microsoft.com/graph/auth-v2-service
The admin consent URL should be specific to the customer's tenant. You can use the word common if you want to allow signing into any tenant.
https://login.microsoftonline.com/{tenant}/adminconsent
You also must URL encode the redirect_uri param (and all other params). For some reason the example in that document is not URL encoded, but the value here must be URL encoded. You should see no colons, slashes, ampersands, etc. for this parameter.
For a different example that requests specific scopes for admin consent (instead of the default which is all the scopes you listed during your AAD client app registration) see https://learn.microsoft.com/azure/active-directory/develop/v2-admin-consent.
You will receive a callback to the redirect URI to indicate everything worked. This includes the tenant ID that granted you admin consent.
After that you initiate a separate token request call for the tenant ID, your application client ID and a specific requested scope. This will then return an appropriately scoped access token which you can use directly in all API calls. You can do this like so: https://learn.microsoft.com/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=python#acquiretokenforclient-api
# The pattern to acquire a token looks like this.
result = None
# First, the code looks up a token from the cache.
# Because we're looking for a token for the current app, not for a user,
# use None for the account parameter.
result = app.acquire_token_silent(config["scope"], account=None)
if not result:
logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
result = app.acquire_token_for_client(scopes=config["scope"])
if "access_token" in result:
# Call a protected API with the access token below.
print(result["token_type"])
else:
print(result.get("error"))
print(result.get("error_description"))
print(result.get("correlation_id")) # You might need this when reporting a bug.
Hope that helps. The article above has all the details.

Auth0 management api returns unauthorized - invalid token

I want to check if email address already registered in auth0 user store by call:
GET: https://myDomain.auth0.com/api/v2/users-by-email?email=example#example.com
And passing authorization header bearer with access token created by :
POST : https://myDomain.auth0.com/oauth/token
with the following body:
{"client_id":"xyzyAH0BU8dLdxxxx4NNpq37iO","client_secret":"aqVUk2du49qVjxxxxxxxxxxxxx2GniPF5nfS36K-N3nixxxxzcPvh","audience":"audience_from_control_panel","grant_type":"client_credentials"}
I added the required scope to my api read:users
can anyone tell me what I missed?
In the post request where you generate the token, have you tried changing the audience to https://myDomain.auth0.com/api/v2.
Check if the permission (not sure which one you do need here) is granted on APIs/Machine to Machine Applications.

How to activate the REST API of keycloak?

I have installed keycloack server 4.3.4.
How to activate the REST API of keycloak (Add a user, enabled user, disabled a user ...) ?
Regards
First step to do that is create an admin account (which you would have been prompted to do as soon as you would have opened {keycloak-url}/auth ).
Next steps depend on how you want to create config. Through Admin console GUI or through Rest API.
Steps to do this through Admin Rest API.
First , you will have to get a token from {keycloak-url}/auth/realms/master/protocol/openid-connect/token like this:
Note that only change you have to do in below call is your keycloak server address and value of admin username and password.
Once you obtain a token from above call, you can use it on other Admin Rest API calls by setting Authorization header, with Bearer token_value. (replace token_value with one obtained in step 1 above)
(Sharing an example below of sample rest call which gets list of users - https://www.keycloak.org/docs-api/10.0/rest-api/index.html#_users_resource )
{{SERVER}}/auth/admin/realms/myRealm/users
EDIT:
As pointed out by #Shane : as of Keycloak version 19.0.1 the /auth part of the urls have been removed.
In complement to the answer above, even with your access token, you might not have access to certain endpoints if you do not have permissions for that. To do so, you need to be assigned to specifics realm roles. For instance:
Available in the Roles>Composite Roles>Client roles. Or you can set it up in user role-mapping tab.
It happened to me once ago. Without these assigned roles, I could get the access token, but empty clients list, for example.

How automatically getting token in Postman

I use the Postman desktop app for web API testing. I have a lot of controllers and for each need a token. First I get Bearer token and then copy it to other requests. This token have limit time. Can I get token automatically and then automatically set it to all others requests ?
ok, I just used Environments in postman.
1 - create new Environment with token.
2 - add test after auth request like this :
var jsonData = JSON.parse(responseBody);
var token = jsonData._token;
postman.setEnvironmentVariable("token", token);
3 - just set {{token}}
And of course you can set token before request if you use Pre-request Script in one of requests.
Write below code in tests tab in postman for your login request.
if(pm.response.code === 200) {
pm.environment.set('authToken', pm.response.json().token)
}
Then edit your collection and set your env authToken inside.
You can save and re-use the token's using the Token Name from Postman. You can select it from the available token list.
One of the many cases are.
Request for a refresh token using the credentials
Use the refresh token to get an access token
Use the access token to authenticate the API.
The step 1 sometimes requires us to login to an interface of the API provider and get an authentication code to our callback url. Some API provider's allow us to override this by providing the client_secret key and the client_id as an authorization header and the refresh token as the request parameters and by setting prompt as none.
From the documentation.
prompt (optional)
none no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned.
https://identityserver.github.io/Documentation/docsv2/endpoints/authorization.html
All you need to know about the identity servers are here.
https://identityserver.github.io/Documentation/

Fiware get access token seems to get wrong

We are having troubles with getting the access token from fiware since 4th August.
We are using this URL to ask for the token: https://orion.lab.fiware.org/token but it seems like it does not work.
Before using that URL we used to ask for this one:
http://cloud.lab.fi-ware.org:4730/v2.0/tokens
Could anyone, please, help us?
Thank you in advance.
It depends on how you want to get the token. The current OAuth2 URL to get the tokens is https://account.lab.fiware.org/oauth2/token. This is the central authority for authentication, if you are accessing any common GE, but you will need to register your application in FIWARE Account and use your application credentials and some OAuth2 grant to get it.
If you want to get the token for the global instance without using a registered application, the URL you have mentioned contains a token service that can give you a valid token for your user and that purpose. You can test it (and see an example) with the following script:
https://raw.githubusercontent.com/fgalan/oauth2-example-orion-client/master/token_script.sh