I am checking the Keycloak documentation.
I am trying to figure out which endpoint should I use for deleting specific user from KeyCloak. I am using it within my Symfony project on REST Api..
Could someone clearfy that for me?
First you need to get an access token from a user with admin-alike permission, for instance:
curl -d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password" \
<YOUR_KEYCLOAK_DOMAIN>/auth/realms/master/protocol/openid-connect/token
From that response (i.e., a Keycloak Token Object), extract the access token. Then you need to use that access token, to call the following endpoints:
To delete a user you need to use the endpoint:
DELETE <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/{USER_ID}
to get the USER_ID you can call the endpoint:
GET <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/?username=<THE_USERNAME>
or you can copy and paste from the Keycloak Admin Console, under the tab users:
Related
The user sends me its id and password.
Then I want to check if it is valid on the keycloak.
I can try to log in, but the session is created in keycloak.
I even thought about to log out after logging in.
But this is very inefficient.
Is there a way to check if id and passwd are valid without creating a session?
If there was such a way, my task will be very easy.
If there is no way, I have to log in instead of my user and manage the token instead.
This is relatively more complex to implement.
As far as I know out-of-the-box there is no way to avoid creating the session.
If there is no way, I have to log in instead of my user and manage the
token instead. This is relatively more complex to implement.
Not really, since, the password and username are handed to your application, you can use the following approach:
Create in Keycloak a client (in the appropriate Realm) with direct grand access flow enabled (know as Resource Owner Password Flow in OAuth2);
Set the Access token for that client to be very short living (e.g., one minute).
Make a POST request with the username and password to the client, something as follows:
curl --request POST \
--url "http://$KEYCLOAK_HOST/auth/realms/$REALM_NAME/protocol/openid-connect/token" \
--data client_id=$CLIENT_ID \
--data username=$USERNAME \
--data password=$PASSWORD \
--data grant_type=password
If you get back as a response a token, then it means that the user credentials are valid, if not then those credentials are invalid.
In case you get back the token, you can explicitly logout the session, for instance as follows:
ACCESS_TOKEN=$(echo $TOKEN | jq -r .access_token)
SESSION_STATE=$(echo $TOKEN | jq -r .session_state)
curl -k -X DELETE "http://$KEYCLOAK_HOST/auth/admin/realms/master/sessions/$SESSION_STATE" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN"
Or since the access token is very short living, let Keycloak eventually clean up the session.
Is there any option to recover Personal Access Token in Github?
Because my app is using the PAT in composer and I don't want to replace it.
You would need to replace it (OAuth Authorizations), since a token cannot be accessed after the generation step.
In a bash shell:
curl https://api.github.com/authorizations \
-X POST \
--user "YourGitHubUsername" \
--data '{"scopes":["gist","repo],"note":"new token"}'
(replace "new token" by something more meaningful)
How I can set user attribute value using Keycloak Rest API?
Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.
To set a user attribute using the Keycloak Admin REST API; you use the endpoint:
PUT <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/users/<USER_ID>
with the payload
{"attributes":{"<ATTRIBUTE_NAME>":["<ATTRIBUTE_VALUE>"]}}
the <USER_ID> you can get it using the endpoint:
GET <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/?username=<THE_USERNAME>
from the JSON response, extract the field id.
Step-by-Step:
You can get that information using the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. For now, I will be using the admin user from the master realm:
curl https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token \
-d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password"
You will get a JSON response with the admin's token. Extract the value of property access_token from that response. Let us save it in the variable $ACCESS_TOKEN for later reference.
To get the user id from your realm $REALM_NAME:
curl -X GET https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/?username=${USERNAME}&exact=true \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"
From the response extract the user id for example as follows
jq -r .[].id
Or even cleaner is to passed to the
To set the user attribute:
curl -X PUT https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/${USER_ID} \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN" \
-d '{"attributes":{"<ATTRIBUTE_NAME>":["<ATTRIBUTE_VALUE>"]}}'
You can also have a look at setUser script on my GitHub repo.
As admin of a Keycloak server, how can I obtain access-token of a particular user without knowing his password? Unfortunately impersonation doesn't help me because it does not contain neither his id nor his username.
There's a feature starting from keycloak 3.4.0 called token exchange wich allows you to exchange an access token from a user with impersonation permission to get other token on behalf of the other user. You can use the token endpoint this way:
curl -X POST \
-d "client_id=starting-client" \
-d "client_secret=geheim" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "subject_token=...." \
--data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
-d "audience=target-client" \
-d "requested_subject=wburke" \
http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token
You might find this post useful too.
As a federated user, it must use an API key or one-time passcode to authenticate. I have tried to execute that the below curl request:-
Example :-
Input :-
curl -s -u 'bx:bx' -k -X POST --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json' -d "grant_type=password&response_type=cloud_iam,ims_portal&username=${1}&password=${2}&ims_account=${3}" https://iam.ng.bluemix.net/oidc/token
Output :-
"errorMessage":"You cannot authenticate with user name and password, as you are a federated user","errorDetails":"Your user id '<<><><>>' is federated and must use an API key or one-time passcode to authenticate"
But how we authenticate the user to generate the iam_token and iam_user_id?
Reference :-
https://softlayer.github.io/rest/IBMidtoSLKey/
The code snippet you reference from the SoftLayer guide has the result of setting the SoftLayer Username and API key:
echo "SL_USERNAME: $SL_USERNAME"
echo "SL_API_KEY: $SL_API_KEY"
This is a roundabout way to find the same information that is listed as API Username and Authentication Key seen in your User Profile. If you do not see an API username and Authentication Key, you can create one on the Actions menu next to your name in the User List.
You can then execute Infrastructure APIs, which I expect is the ultimate goal.
export IAAS_USERNAME=<API Username>
export IAAS_KEY=<Authentication Key>
curl -u $IAAS_USERNAME:$IAAS_KEY https://api.softlayer.com/rest/v3/SoftLayer_Account/getAllBillingItems
It's unclear if the discussion around IAM tokens is necessary. Please provide more guidance on what you're trying to achieve if the above suggestion is insufficient.