I try to access every role for the user 7b244fd8-5e1a-43af-9572-91d50784fda7 and found this code (Keycloak User Roles missing in REST API):
GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/clients/{client-uuid}
This is why I try to make the following GET request (Bearer token correctly provided)
https://mywebsite.com/auth/admin/realms/master/users/7b244fd8-5e1a-43af-9572-91d50784fda7/role-mappings/clients/admin-cli
I get an {"error": "Client not found" } error.
I guess the "admin-cli" in my code is wrong, but this is the Client ID in the master realm. Is this the wrong id? How can I make the request to get all roles for a specific user working?
I get an {"error": "Client not found" } error.
I guess the "admin-cli" in my code is wrong, but this is the Client ID
in the master realm. Is this the wrong id? How can I make the request
to get all roles for a specific user working?
You should use the ID of the client and not the client ID, which you can find on the url:
or via Rest Admin API:
GET /auth/admin/realms/{realm}/clients?clientId=$CLIENT_ID
The /auth path was removed starting with Keycloak 17 Quarkus distribution, in that case the endpoint would be:
GET /admin/realms/{realm}/clients?clientId=$CLIENT_ID
Related
I have configured our Azure Data Factory with a REST Link Service. I have obtained a valid token from the end service.
The token successfully works when using the token with POSTMAN, but the token returns Error status code 401 Unauthorized with Azure Data Factory.
As you can see with POSTMAN when I send a GET request with the Token I get data back:
However, with Azure Data Factory I get the error:
{
"errorCode": "2200",
"message": "Failure happened on 'Source' side. ErrorCode=RestCallFailedWithClientError,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Rest call failed with client error, status code 401 Unauthorized, please check your activity settings.\nRequest URL: https://pm2.preqinsolutions.com/apiCore/api/countries.\nResponse: ,Source=Microsoft.DataTransfer.ClientLibrary,'",
"failureType": "UserError",
"target": "Copy data1",
"details": []
}
The ADF Link Service is a follows:
Can someone see something obvioius that would prevent access due 401 Unauthorized status with ADF?
I have also tried the following ADF configuration. However, I'm getting the same error:
Please try changing the authHeader name to Authorization and the value to Bearer <your API key>. I suspect from the screenshot of Postman that is what it’s doing. If that does not work then please provide a link to the documentation. This explains Bearer tokens.
You might also check the lifetime of your access token and make sure it doesn’t expire after an hour, for example.
I did a quick test against a REST API I know (Power BI REST API). The linked service looks like this and the value for the Authorization header was Bearer MY_ACCESS_TOKEN_HERE.
The dataset looks like:
The source of the Copy activity looks like:
This succeeded.
I would suggest you contact pm2.preqinsolutions.com support to see if they can provide more information on your access token / API key and have them confirm that the API isn't restricted to be accessed from only certain allowed API addresses. (ADF will not be accessing it from an on-premises IP address like your laptop.) You might also change the REST API linked service to use a self-hosted integration runtime instead of an Azure integration runtime to validate the IP address the API is called from isn't the issue.
In my project, I need to get current user password from Rest API.
I searched keycloak 4.8.3 final documentation but I could not find it. With admin user I can change password without knowing the current password. But my logged in user can be admin or not. I found that keycloak does not give me permission to that because of security. Wrap up is there any way to active that settings or is there a way to get password with Rest API ?
Thank you.
Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.
Via the Rest API, one cannot get the password for obvious reasons. Ideally, in a secure setting, even if one is the admin one should not have access to the users' passwords.
From the comments you wrote:
I could use method like boolean isPasswordCorrect(username,password)
An approach is to create a client on your Realm as follows:
Go to your Realm;
Clients;
Create Client;
Set Access Type to public;
Set Direct Access Grants Enabled to ON;
Save;
Now request from the newly created client a token on behalf of the user that you want to check if the password is correct:
As you can see the endpoint is:
<KEYCLOAK_HOST>/auth/realms/<REALM_NAME/protocol/openid-connect/token
and the body is:
client_id : <The client ID of the newly create client>
username : <The username>
password : <The password to be tested>
grant_type : password
If the password is correct you will get back a token object, otherwise you will get the following response:
{
"error": "invalid_grant",
"error_description": "Invalid user credentials"
}
I have tried this URL : http://lists.jboss.org/pipermail/keycloak-user/2018-September/015665.html, though with no help.
i have an access token to call admin API's
Xtreme Biker is right.
I could get the url from UI console.
/realms//clients//installation/providers/keycloak-oidc-keycloak-json
using client name, client-id can be retrieved using endpoint
/auth/admin/realms/${realm}/clients?clientId=
The catch is the access token that has to be supplied to the admin endpoints to respond successfully.
Access token shall be retrieved using a credentials of a user who has 'manageclients' access to the client role of the realm under which the client is registered.
I have tried to get uber driver profile information using the following URL,
GET: https://api.uber.com/v1/partners/me
As a first step I have set scopes as follows in the authorization step and get the access token,
https://login.uber.com/oauth/v2/authorize?client_id={cliend_id}&response_type=code&response_type=code&scope=profile%20history%20request%20places
All working fine but when I try to get profile information, I got this error:
{
"message": "This endpoint requires at least one of the following scopes: partner.accounts, partner.admin_accounts",
"code":"unauthorized"
}
Driver API is with limited access. In order to access Driver API endpoints, you will need to apply for scope whitelisting - in your case it is partner.accounts. You can apply for access to Driver API here: https://developer.uber.com/products/drivers but just as a heads up access granting is currently very limited.
So after we review your access request - and you get access to the scope - please select it on your application dashboard - and when you authenticate your users - you will authenticate your users with this scope - and be able to access "GET /v1/partners/me" endpoint.
I'm implementing an Ouath2 authentication with Spring for our mobile API. So far it works but I don't know how I should keep the resource server separate. So I have an auth server which gives out tokens and refresh tokens using the password grant-type. Meaning the user would log into the mobile app, which sends the auth server the client id/client secret along with the user's
credentials, which results in an access token and a refresh token for the user with the appropriate (ROLE_USER) privileges. Another web based client is for the admins who do the same and get the ROLE_ADMIN privilege etc.
This works well so far.
Now if any client sends a request to the resource server what should happen? Should the resource server check the token's validity? If so in what way? Or should the auth server copy the token into the resource-server's database?
If you #EnableResourceServer you get a filter that checks access tokens. It needs to share a TokenStore with the auth server. That's about it to get something working.