Experimenting with Keycloak as an Identity Provider. I'm running it by using the ./standalone.sh script.
So, I obtain the access_token like this:
curl --request POST \
--url http://localhost:8080/auth/realms/master/protocol/openid-connect/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=admin-cli \
--data client_secret=<the-client-secret-under-master-realm-for-admin-cli-client>
Response:
{
"access_token": "the-access-token",
"expires_in": 60,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "profile email"
}
And then quickly, under my test-realm I try to create a user as follows:
curl --request POST \
--url http://localhost:8080/auth/admin/realms/test-realm/users \
--header 'Authorization: Bearer the-access-token' \
--header 'Content-Type: application/json' \
--data '{
"firstName": "Sergey",
"lastName": "Kargopolov",
"email": "test#test.com",
"enabled": "true",
"username": "app-user"
}'
And I get hit with a 403:
< HTTP/1.1 403 Forbidden
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< Date: Thu, 28 Jan 2021 23:43:57 GMT
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Content-Length: 25
Is there something I'm missing? I'm following this tutorial and I'm doing everything exactly as described!
Edit: I tried the Password Grant way to obtain the Bearer Token and that worked, but NOT the client secret way. I obviously prefer the client secret way (which is where I'm stuck currently). What could be the issue here?
To create the user using the Keycloak Rest API, one just need to request from the admin-cli client a token on behalf of the admin user by providing its name and password, for instance as follows:
TOKEN=$(curl -k -sS -d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password" \
http://$KEYCLOAK_IP/auth/realms/master/protocol/openid-connect/token)
from the $TOKEN object extract the access token (let us named $ACCESS_TOKEN).
And then create the user as follows:
curl -k -sS -X POST https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/users \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-d "$USER_JSON_DATA"
$USER_JSON_DATA will be the json data representation of the user to be created. There is no need to add the role admin to the master admin deployed with Keycloak by default.
If setup normally, you would just need to know (as I already described) the admin's name and password, which is configured in the initial setup anyway.
If you click on the admin user > roles, you would see the following:
The admin user, has already the admin role.
Edit: I tried the Password Grant way to obtain the Bearer Token and
that worked, but NOT the client secret way. I obviously prefer the
client secret way (which is where I'm stuck currently). What could be
the issue here?
Now if you change the admin_cli configuration exactly as you did then you need to add to the Service-account-admin-cli user the role admin.
Now the problem is that Service-account-admin-cli user is hidden in the User section. Nonetheless, you can do the following:
Request again the admin token with your setup;
Go to Master Realm > Clients > admin-cli > Session > Click on [Show Session]:
click on the user service-account-admin-cli;
Go to Role Mappings;
Assign the admin role;
Since the service-account-admin-cli user has now the admin role, a token request on that user's behalf will contain the necessary privileges to create the users.
If the aforementioned does not work, then do the following go to:
Realm Master;
Clients > admin-cli;
Go to Mappers;
Click on [Create];
As Mapper Type select "Hardcoded Role";
Click on Select Role and selection "admin";
Click [Save].
Related
I followed this tutorial to setup Keycloak and create user but the response for the step of Generating Access Tokens With Keycloak's API 404. I'm using Keycloak version 18.0.0
In the logs of keycloak I found this error
2022-06-12 23:59:57,177 DEBUG [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-3) Error response 404: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://localhost:8080/auth/realms/test/protocol/openid-connect/token
From keycloak 17+ there are changes in resource or token URIs. Try removing auth from your request URL.
If you are using Keycloak version < 17
curl -k -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=your-client" -d "username=some-user" -d "password=hardpassword" -d "grant_type=password" -X POST http://localhost:8080/auth/realms/yourrealm/protocol/openid-connect/token
If you are using Keycloak version > 17
curl -k -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=your-client" -d "username=some-user" -d "password=hardpassword" -d "grant_type=password" -X POST http://localhost:8080/realms/yourrealm/protocol/openid-connect/token
You did set in Headers instead of Body.
Move the Key & Values to Body.
You can verify Token URL by click "OpenID Endpoint Configuration" link
It will show Token URL
I'm setting up Keycloak as an authentication server https://github.com/keycloak/keycloak/releases/download/12.0.0/keycloak-12.0.0.zip
Java 11
Documentation: https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/oidc-generic.adoc
I can generate the access_token via /realms/{realm-name}/protocol/openid-connect/token
but I cannot call the userinfo endpoint /realms/{realm-name}/protocol/openid-connect/userinfo using a valid access_token which I get from the first API.
POST http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token
{
client_secret: ...,
grant_type: ...,
client_id: ...,
}
response
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOE..."
"expires_in": 3600,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "create"
}
But here is the result when I call the get user info API
GET http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/userinfo
Header: Bearer ${access_token}
Are there any suggestions?
Thank you
Post man test
Keycloak server's log is same
Keycloak bug
I think this is an issue on KC 12.0
When I use KC 11.0.3, above APIs work fine
https://github.com/keycloak/keycloak-community/issues/224
The Jira story:
https://issues.redhat.com/browse/KEYCLOAK-17217
Make sure you are calling the endpoint as follows.
First getting the token:
curl -d "client_id=$YOUR_CLIENT_ID" \
-d "client_secret=$YOUR_CLIENT_SECRET" \
-d "grant_type=client_credentials" \
http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token)
Extract from the JSON response the access_token field (e.g., jq -r .access_token)
Then call the userinfo as follows:
curl -X GET http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/userinfo \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN"
With Postman:
For a setup with Realm Name = "test", client_id = "test", client_secret = "63b61af0-5a99-41d7-8f9b-4e3059b8b9ab" and using client_credentials grant_type.
Getting the token:
and getting the userinfo:
EDIT
The approach below works with Keycloak 10.0.x, and 11.0.x, but gets exactly the same issues as OP's for the version Keycloak 12.0.x (including the latest release Keycloak 12.0.2).
This seams to be regression added with Keycloak 12.0.0 follow this issue for update information.
This question has been asked before but none of the solutions has worked for me.
I've created a bash script to register a new user on my key cloak server. The bashscript is shown below:
#!/bin/sh
RESULT=$(curl -s --location --request POST 'http://localhost:8180/auth/realms/master/protocol/openid-connect/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'client_id=admin-cli' --data-urlencode 'client_secret=12345678-12a3-1234-bc12-d12345678910');
TOKEN=$(echo $(echo "$RESULT" | jq .access_token))
TOKEN=$(echo "${TOKEN//\"}")
echo "$TOKEN\n\n"
USER=$(curl --location -v --request POST 'http://localhost:8180/auth/admin/realms/MyMarketplace/users' --header 'Content-Type: application/json' --header "Authorization: Bearer $TOKEN" --data-raw '{"enabled":"true", "username":"app-user"}');
echo $USER;
When I run this script, I keep getting the following output:
HTTP/1.1 403 Forbidden
< Connection: keep-alive
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Content-Type: application/json
< Content-Length: 25
< Date: Fri, 17 Jul 2020 20:11:40 GMT
<
{ [25 bytes data]
100 66 100 25 100 41 974 1597 --:--:-- --:--:-- --:--:-- 1640
* Connection #0 to host localhost left intact
{"error":"unknown_error"}
I'm not sure why. Here's what I've tried:
I've made sure that the URL that I'm sending the request to is correct.
I've made sure that the username is unique and that I've provided all mandatory fields.
In the MyMarketplace realm, I added a realm role 'admin' with a client role 'manage-users' from client 'realm-management' and I assigned this realm role to my client's scope (as per the steps given in this answer)
In the Master realm, I assigned the manage-users role to the client admin-cli's scope.
None of these has yielded any results so I've run out of options.
I would greatly appreciate it if someone could help me understand what I'm missing.
use http://localhost:8180/auth/realms/MyMarketplace/protocol/openid-connect/token to obtain access_token and give admin-cli client manage-users role from realm-management client in Service Account Roles and then call http://localhost:8180/auth/admin/realms/MyMarketplace/users with access token in header and "enabled": true, "username": "user" body.
make sure your enabled boolean look like this one and dont use "" I think keycloak reads your request as String.
I think it will fix your problem.
Use and configure admin-cli client as you did, but in MyMarketplace realm. Don't use the master realm.
At the moment, in order to restart a Mule application, I need to:
Log into Mule via a browser
Navigate to the Runtime Manager
Select my environment
Locate my application
Navigate to Settings
Then restart
I know that MuleSoft have a Management API (CloudHub API), but I cannot find an example of how to restart an application via a REST call.
If anyone has a working example or can point me in the right direction I would appreciate it.
Thanks
Just in case if anyone wants to know how to restart a Mule application hosted on CloudHub via REST API.
Call this API
https://anypoint.mulesoft.com/cloudhub/api/applications/{domain}/status with payload "RESTART"
API Endpoint: /applications/{domain}/status
Method: POST
Example payload in request body:
{
"status": " 'RESTART' or 'stop' or 'start' ",
"staticIpAddress": "10.4.6.22"
}
Postman code snippet: update the bearer token, domain and environment id
curl --request POST \
--url https://anypoint.mulesoft.com/cloudhub/api/applications/{cloudhub-app-
domain}/status \
--header 'Authorization: Bearer token' \
--header 'Content-Type: application/json' \
--header 'Postman-Token: 42539dcd-1d33-4b66-80d9-6cfcc4ed8f77' \
--header 'X-ANYPNT-ENV-ID: environment ID' \
--header 'cache-control: no-cache' \
--data '{\n "status":"RESTART"\n}'
First, you need to install the runtime manager agent
https://docs.mulesoft.com/runtime-manager/installing-and-configuring-runtime-manager-agent
Second, you can find an example in below link:
https://docs.mulesoft.com/runtime-manager/managing-applications-and-domains
Operation: Restart an Application
PUT http://localhost:9999/mule/applications/myapp/restart HTTP/1.1
Content-Type: application/json
Further to developer9's answer, here's how to obtain the Bearer token:
https://anypoint.mulesoft.com/exchange/portals/anypoint-platform/f1e97bc6-315a-4490-82a7-23abe036327a.anypoint-platform/access-management-api/version/v1/pages/Authentication/
To access Platform APIs, you must obtain a token from either the login
endpoint or using the OAuth authorization process.
To authenticate using a username and password, you must invoke the /login API.
POST /accounts/login HTTP/1.1
Content-Type: application/json
{
"username" : "joe",
"password" : "password"
}
This returns the following response and token:
{
"access_token": "d127e2ec-a703-4e2a-8629-e9158804748b",
"token_type": "bearer"
}
You can then use that in the restart (or other API request). Eg (note, update the bearer token, domain and environment id)
curl --request POST \
--url https://anypoint.mulesoft.com/cloudhub/api/applications/{cloudhub-app-
domain}/status \
--header 'Authorization: Bearer d127e2ec-a703-4e2a-8629-e9158804748b' \
--header 'Content-Type: application/json' \
--header 'Postman-Token: 42539dcd-1d33-4b66-80d9-6cfcc4ed8f77' \
--header 'X-ANYPNT-ENV-ID: environment ID' \
--header 'cache-control: no-cache' \
--data '{\n "status":"RESTART"\n}'
I am trying to add 100 of users to a group in crowd and I want to automate it using curl and crowd's rest api. At first I am just trying to add a singleuser to a group and then auotmate it using shell script. Following this document, I pass the command as
curl -X POST{"name":"groupname"} -ik -u application:password-H 'Content-Type: application/json' -H 'Accept: application/json' https://localhost/crowd/rest/usermanagement/1/user/group/direct?username=username.
I am getting the following error.
HTTP/1.1 405 Method Not Allowed
Server: Apache-Coyote/1.1
X-Embedded-Crowd-Version: Crowd/2.8.3
X-Crowd-User-Management-Version: 1.4
Set-Cookie: JSESSIONID=17490A660F9A2267B378CD767CEADDF8; Path=/crowd/; Secure; HttpOnly
Allow: HEAD,DELETE,POST,GET,OPTIONS
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1013
Date: Mon, 29 Jun 2015 02:56:15 GMT
FYI: I am using a application to authenticate against crowd via rest. Please suggest on what I need to do and how should I do.
P.S. I also need to figure out on adding hudreds of groups to crowd too.
You are missing a space between POST and your data.
To post data use:
-d, --data
(HTTP) Sends the specified data in a POST request to the HTTP server,
in the same way that a browser does when a user has filled in an HTML
form and presses the submit button. This will cause curl to pass the
data to the server using the content-type
application/x-www-form-urlencoded. Compare to -F, --form.
So the command should be:
curl -X POST -d {"name":"groupname"} -ik -u application:password -H 'Content-Type: application/json' -H 'Accept: application/json' https://localhost/crowd/rest/usermanagement/1/user/group/direct?username=username
From Crowds Docs,
Authentication Access to all resources (using any method) requires the
client to be authenticated via basic authentication. See RFC 2617.
Your environment must retain cookies set by the Crowd server and
retransmit them on subsequent calls, otherwise Crowd will have to
re-authenticate the application on every REST call.
So first authenticate your self and store the cookies, (make note of --cookie-jar parameter)
curl -i -u application_name:application_password --data '{"value": "my_password"}' http://localhost:8095/crowd/rest/usermanagement/1/authentication?username=my_username --header 'Content-Type: application/json' --header 'Accept: application/json' --cookie-jar cookies.txt
So as per docs on subsequent calls use the cookies (using --cookie parameter)
curl -X POST -d {"name":"groupname"} -ik -u application:password -H 'Content-Type: application/json' -H 'Accept: application/json' https://localhost/crowd/rest/usermanagement/1/user/group/direct?username=username --cookie cookies.txt