To get roles in a custom client I know I need to call two APIs. One is to get an access token and one is to get the roles. My doubt is: should I get the accessToken by sending admin-cli details, or the details of the custom client I have created, since I want the roles of that custom client? I'm getting unknown_error when trying to fetch roles.
To get accessToken:
curl -X POST \
http://localhost:8080/auth/realms/test-keycloak-example/protocol/openid-connect/token \
-H 'cache-control: no-cache' \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=test-keycloak-example&client_secret=shhh'
To get roles:
curl -X GET \
http://localhost:8080/auth/admin/realms/test-keycloak-example/clients/cb11fd17-46df-419a-9c67-4a69d1be66ae/roles \
-H 'authorization: Bearer <token received from previous call>' \
-H 'cache-control: no-cache' \
-H 'postman-token: 248fef6b-9c24-3aa3-91ae-a6f11e01e55c'
The response is:
{
"error": "unknown_error"
}
Using Postman, three conditions should support it.
#1 "test-user" needs a "view-clients" role. It comes from the "realm-management" client.
#2 Using the "admin-cli" client, change Access Type to "confidential" and turn "Authorization Enabled" ON.
#3 Use "admin-cli"'s secret for the Postman token call.
#4 Get a token with #3's secret and #1 user's credentials (username and password).
The token's "expires_in" is very short; you need to make it longer via the UI.
It is in admin-cli's advanced settings (for testing purposes only).
#5 You need to save the token for calling the client/role API.
It is the same as #4's API on the Tests tab of Postman.
#6 Call the list client/role API with #5's token.
#7 Find the "custom-client" id from #6.
#8 Call the custom role API using #7's id.
It should match the UI's roles.
Good Luck!
We need to allow our Flutter application to save a property in the user_metadata when the application starts.
As I understand this is a task to be done with the Management API and in order for the Flutter application to be able to write in the user_metadata the client has to request a Management API access token.
I found no information on how to request this token; the closest thing is this page in the documentation, which has no example and no explanation of how to retrieve this token:
https://auth0.com/docs/secure/tokens/access-tokens/get-management-api-tokens-for-single-page-applications
Can anyone provide an example on how to request this token from a Flutter app?
Even a generic CURL request would be helpful to understand what endpoint to call with which parameters.
Error received when trying to access the Management API to update the user_metadata:
{
"statusCode":400,
"error":"Bad Request",
"message":"Bad HTTP authentication header format",
"errorCode":"Bearer"
}
2 steps are needed:
Get the authentication token for the Management API:
Sample curl:
curl --location --request POST "https://YOUR_AUTH0_DOMAIN/oauth/token" \
--header "content-type: application/json" \
--data-raw "{
\"grant_type\": \"client_credentials\",
\"audience\": \"https://YOUR_AUTH0_DOMAIN/api/v2/\",
\"client_id\": \"YOUR_AUTH0_APPLICATION_CLIENT_ID\",
\"client_secret\": \"YOUR_AUTH0_APPLICATION_CLIENT_SECRET\"
}"
Call the Management API to update app_metadata:
Sample curl:
curl --request PATCH \
--url 'https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID' \
--header 'authorization: Bearer TOKEN_FROM_STEP_1' \
--header 'content-type: application/json' \
--data '{"email": "whatever@example.com", "user_metadata": {"hobby": "surfing"}, "app_metadata": {"plan": "full"}}'
Edit: PATCH request with user ID
I am very new to Keycloak and I want to know whether it is possible to create a public client, authorize the client and get an access token, then use that access token to create UMA tickets to the resource server and check whether the client has rights to access resources using the same authorization.
I used this tutorial:
https://gruchalski.com/posts/2020-09-05-introduction-to-keycloak-authorization-services/
And it worked if you re-authorized to the resource server directly.
But I want to use one authorisation to check rights to resources which could belong to different resource servers.
I get the access token using this code:
export access_token=`curl --silent -u public-client:1 \
-k -d "grant_type=password&username=${USER_NAME}&password=${USER_PASSWORD}&scope=email profile" \
-H "Content-Type:application/x-www-form-urlencoded" \
${KEYCLOAK_TOKEN_URL} | jq '.access_token' -r`
Then I try to authorise the same user to a different client:
curl --silent -X POST \
${KEYCLOAK_TOKEN_URL} \
-H "Authorization: Bearer ${access_token}" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=resource-server-1"
But I get "Client does not support permissions"
Maybe someone knows what I need to configure for this to work or even if this can work?
From what I've been reading, you need two clients: one public and the other confidential.
Then in your client configured as confidential, set all your fine-grained authz; then in your audience param, set the client id previously configured as confidential.
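Once the audience is a confidential client with authorization enabled, the token returned by the uma-ticket grant is an RPT whose claims carry `aud` and `authorization.permissions`. The following is an added Python example, not code from the question, the answer or the linked tutorial, of how a resource server inspects such an RPT before serving a request; the token, its rsid and the assumption that `aud` names the resource server the RPT was issued for are constructed here, and signature verification against the realm keys is assumed to happen before this check.

```python
import base64
import json
from typing import Optional


def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding (used to build the sample RPT)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def decode_jwt_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT checking the signature; verify the token first."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def rpt_permits(rpt: str, resource_server: str, resource: str,
                scope: Optional[str] = None) -> bool:
    """True if the RPT was issued for this resource server and grants the resource/scope.

    An RPT issued for another audience (e.g. resource-server-2) is rejected even if
    it happens to name the same resource, which is the cross-resource-server
    situation the question is about.
    """
    claims = decode_jwt_payload(rpt)
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # Keycloak emits a string for a single audience
        aud = [aud]
    if resource_server not in aud:
        return False
    for perm in claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource:
            return scope is None or scope in perm.get("scopes", [])
    return False


# Constructed RPT shaped like the uma-ticket grant response for audience=resource-server-1.
# The signature segment is a placeholder; a real RPT is RS256-signed by the realm.
SAMPLE_RPT = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "resource-server-1", "azp": "public-client",
             "authorization": {"permissions": [
                 {"rsid": "11111111-2222-4333-8444-555555555555",  # constructed id
                  "rsname": "Default Resource", "scopes": ["read"]}]}}),
    "placeholder-signature",
])
```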
I am just studying the Thingsboard IoT platform features.
And we know that to retrieve a JWT token for a user, we should POST the following API command:
curl -X POST --header "Content-Type: application/json" --header "Accept: application/json" -d '{"username":"xxxxx@gmail.com", "password":"xxxxxx"}' "https://thingsboard.cloud/api/auth/login"
The timeout for this JWT token is set to "9000" sec by default.
How can we modify this Token expiry time?
Your help would be appreciated.
Thank you.
This should be configured as part of security.jwt.tokenExpirationTime
https://thingsboard.io/docs/user-guide/install/config/
You will probably need to use the refresh token to keep your session logged in via /auth/token.
Hi, I'm trying to use the Keycloak API but I don't understand very well how it works. I want to obtain all the users of a realm. So I first obtain a token using this endpoint: /realms/master/protocol/openid-connect/token with these params in the request body:
client_id
grant_type
username
password
client_secret
The first question is: What client should I use?
Then I call this endpoint: /admin/realms/master/users with the token in the Authorization header, but I get a 403 status code and I don't understand why.
Thanks
You need two steps:
First, get an access token from the admin-cli client of the master realm.
Second, call the admin REST API with the access token, setting Bearer as the prefix in the
Authorization header.
# get an access token
curl -X POST \
https://<HOST>/auth/realms/master/protocol/openid-connect/token \
-H 'Accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'cache-control: no-cache' \
-d 'grant_type=password&username=<USERNAME>&password=<PASSWORD>&client_id=admin-cli'
# get all users of gateway realm, use the token from above and use Bearer as prefix
curl -X GET \
https://<HOST>/auth/admin/realms/gateway/users \
-H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkI...' \
-H 'cache-control: no-cache'
Generally: 403 = you don't have permission to perform the requested action (to view users in this particular case). You need to define Client Roles (realm-management) for the used user/client and assign the right role (the view-users role in this case):
Keycloak 17+ UI:
Or Keycloak 17+ UI - client with Service Accounts Enabled enabled:
Keycloak 17- UI:
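Both Keycloak threads above (fetching client roles, listing a realm's users) fail the same way: the token presented to the admin REST API does not carry the realm-management client role the endpoint needs. The following is an added Python example, not code from any of the answers or from Keycloak, that builds the admin-cli password-grant body from the answer above, inspects a token's realm-management roles before calling the admin API, and resolves a clientId to the internal UUID used in /clients/{id}/roles (step #7 of the first answer). The token and the /clients response are constructed samples; nothing here verifies a signature, it only predicts the 403.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding (for the constructed token)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample token: the shape of a Keycloak access token whose user or
# service account holds only the realm-management "view-clients" role. The
# signature segment is a placeholder; nothing here verifies signatures.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"azp": "admin-cli",
             "resource_access": {"realm-management": {"roles": ["view-clients"]}}}),
    "placeholder-signature",
])

# Constructed, trimmed sample of a GET /admin/realms/{realm}/clients response.
SAMPLE_CLIENTS = [
    {"id": "3f0c8a11-0000-4000-8000-000000000001", "clientId": "realm-management"},
    {"id": "cb11fd17-46df-419a-9c67-4a69d1be66ae", "clientId": "test-keycloak-example"},
]


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT checking the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_management_roles(token: str) -> set:
    """Client roles of the realm-management client present in the token."""
    claims = decode_jwt_payload(token)
    return set(claims.get("resource_access", {}).get("realm-management", {}).get("roles", []))


def missing_admin_roles(token: str, required: set) -> set:
    """Roles an admin endpoint needs that the token lacks: non-empty means expect 403."""
    return required - realm_management_roles(token)


def password_grant_body(username: str, password: str, client_id: str = "admin-cli") -> str:
    """Form body of the token request shown in the answer above."""
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "client_id": client_id})


def find_client_uuid(clients: list, client_id: str) -> str:
    """Map a human clientId to the internal UUID used in /clients/{id}/roles."""
    for client in clients:
        if client.get("clientId") == client_id:
            return client["id"]
    raise LookupError(f"client {client_id!r} not found in realm")
```

For the first thread, `missing_admin_roles(token, {"view-clients"})` being empty is the precondition for /clients/{id}/roles; for the second, `{"view-users"}` is the set to check before /admin/realms/{realm}/users.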
I'm getting an "invalid_payment" error only when ordering rides via the api. I thought it may have been an account issue so checked my app but I was able to login and order manually on my phone without any problems.
Here is my request and response. Is there anything else you need?
Request:
curl -X POST \
https://api.uber.com/v1/requests \
-H 'authorization: Bearer TOKEN' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-H 'postman-token: c2e706c0-5bde-c324-1326-8bfc43a37079' \
-d '{
"start_latitude": "43.854816",
"start_longitude": "-79.4368132",
"start_address": "9350 Yonge Street, Richmond Hill, ON L4C 5G2",
"product_id": "d1e548ac-4be5-46c0-8c86-201ac8a36fc6",
"end_latitude":"43.8656588",
"end_longitude":"-79.4411572",
"end_address": "11 Bingham Street, Richmond Hill, ON L4C 8Y6"
}'
Response:
{"meta":{},"errors":[{"status":400,"code":"invalid_payment","title":"The rider's payment method is invalid and they must update their billing info."}]}
Edit: When ordered via the API the request does not come up like it usually does when you have the app on your phone open. Additionally, the API is letting me order rides normally for some addresses, just not all (mainly Canadian) addresses.
Edit 2: I tried refreshing the token thinking it may have been a caching issue but no luck.
Edit 3: This appears to really only be happening for addresses in Canada. API can order rides successfully without invalid_payment error in the U.S.