Keycloak Admin CLI: setting Client Attributes - keycloak

I'd like to use the Keycloak CLI (kcadm.sh) to generate a set of clients which have some attributes (taken from the web interface) such as:
Access type=confidential
Direct Access Grant Enabled=On
Is there a reference for all attributes that can be passed to the Admin CLI? In the examples I can only see some basic attributes.
Thanks

It is easiest to set attributes by using -s in your command, like this:
kcadm.sh create clients -r oidcrealm -s "clientId=testClient" -s "directAccessGrantsEnabled=true" -s "publicClient=false"
As for a reference, the REST API docs as mentioned in the previous answer are good, but another tip is to set your desired configuration in the Keycloak GUI, then export the configuration like this:
kcadm.sh get clients -r oidcrealm
All attributes will then be listed with the current values.
kcadm.sh also accepts JSON as input, so if you have a lot of attributes it is probably easier to run it like this, which also gives a better overview later:
kcadm.sh create clients -r oidcrealm -f - << EOF
{
"clientId" : "oidc-client",
"redirectUris": ["http://react:3000"],
"standardFlowEnabled": true,
"publicClient": true,
"attributes": {
"pkce.code.challenge.method":"S256"
}
}
EOF
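
An added example, not part of the original answer or of Keycloak: a Python check that reads the JSON printed by the `kcadm.sh get clients` export above and flags client settings worth a second look before they are rolled out. The sample export, the `legacy-spa` client and the `app.example.test` host are constructed, and the choice of what to flag is this example's assumption, not a Keycloak rule set.

```python
import json
import sys
from urllib.parse import urlsplit

# Constructed sample in the shape of `kcadm.sh get clients -r oidcrealm` output,
# reduced to the fields that appear in the commands above.
SAMPLE_EXPORT = json.dumps([
    {"clientId": "testClient", "publicClient": False,
     "directAccessGrantsEnabled": True, "standardFlowEnabled": True,
     "redirectUris": ["https://app.example.test/cb"], "attributes": {}},
    {"clientId": "oidc-client", "publicClient": True,
     "directAccessGrantsEnabled": False, "standardFlowEnabled": True,
     "redirectUris": ["http://react:3000"],
     "attributes": {"pkce.code.challenge.method": "S256"}},
    {"clientId": "legacy-spa", "publicClient": True,
     "directAccessGrantsEnabled": True, "standardFlowEnabled": True,
     "redirectUris": ["*"], "attributes": {}},
])
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_client(client):
    """Return the findings for one exported client representation."""
    findings = []
    public = bool(client.get("publicClient"))
    attrs = client.get("attributes") or {}
    if public and client.get("directAccessGrantsEnabled"):
        findings.append("public client allows direct access grants")
    if (public and client.get("standardFlowEnabled")
            and attrs.get("pkce.code.challenge.method") != "S256"):
        findings.append("public client does not enforce PKCE S256")
    for uri in client.get("redirectUris") or []:
        if "*" in uri:
            findings.append(f"wildcard redirect URI: {uri}")
        parts = urlsplit(uri)
        if parts.scheme == "http" and parts.hostname not in LOOPBACK:
            findings.append(f"plain-http redirect URI: {uri}")
    return findings

def audit_export(export_json):
    """Map clientId -> findings, for clients with at least one finding."""
    report = {}
    for client in json.loads(export_json):
        findings = audit_client(client)
        if findings:
            report[client.get("clientId", "<no clientId>")] = findings
    return report

if __name__ == "__main__":
    data = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.read()
    for client_id, findings in audit_export(data).items():
        print(client_id, findings)
```

Piping the export into the script audits a real realm; run without piped input it audits the constructed sample.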

You can use REST API docs as reference.
Note that:
The Admin CLI works by making HTTP requests to Admin REST endpoints.
Access to them is protected and requires authentication.
Consult the Admin REST API documentation for details about JSON
attributes for specific endpoints.

Related

how to connect via REST at IBM DB2?

I created a DB2 service in IBM Cloud and I read that I can access my db via REST.
So, I tried to connect using this:
curl -k -X POST 'https://MY_DB_URL/dbapi/v4/auth/tokens' \
  -d '{"userid":"MY_SERVICE_USER", "password":"MY_SERVICE_PASSWORD"}'
and the response is always:
{"trace":"TRACE_CODE","errors":
[{
"code":"invalid_parameters",
"message":"HWCSEC0012E: The credential is invalid! For regular credentials, both the user name and password are required. For IAM API key or token credentials, they mustn't be empty.",
"target":{"type":"","name":""},
"more_info":""
}]
}
I really don't know how to solve that.
docs:
https://cloud.ibm.com/apidocs/db2-on-cloud#request-a-new-access-token
https://developer.ibm.com/static/site-id/85/api/db2whc/
I solved it. They want this in the header:
{Content-Type: text/plain}
It doesn't make sense, the body is JSON...

Accessing Concourse REST API from resource

I am trying to write a custom Concourse resource (in Python) that accesses the Concourse instance's REST API for information. I'm stuck at obtaining the bearer token at login. The issue is that when I follow the gist of this shell script
#!/bin/bash
## Variables required #need to update these to take inputs for getting token per team and target.
CONCOURSE_URL="http://localhost:8080"
CONCOURSE_USER="test"
CONCOURSE_PASSWORD="test"
CONCOURSE_TEAM="test"
CONCOURSE_TARGET="my-concourse"
function get_token() {
  ## Create a file named token that will be used to read and write tokens
  touch token
  ## extract the LDAP authentication url and write to token file
  LOCAL_AUTH_URL=$CONCOURSE_URL$(curl -b token -c token -L "$CONCOURSE_URL/sky/login" -s | grep "/sky/issuer/auth/local" | awk -F'"' '{print $4}')
  echo "url is $LOCAL_AUTH_URL"
  # login using username and password while writing to the token file
  curl -s -o /dev/null -b token -c token -L --data-urlencode "login=$CONCOURSE_USER" --data-urlencode "password=$CONCOURSE_PASSWORD" "$LOCAL_AUTH_URL"
  # take the second space-separated field of the Bearer line and strip the trailing quote
  ATC_BEARER_TOKEN=$(grep 'Bearer' token | cut -d' ' -f2 | sed 's/"$//')
  echo "$ATC_BEARER_TOKEN"
}
there are many redirects involved, and at least some of them refer to the concourse instance as being at http://localhost:8080, which does not work from inside the docker container of the resource.
So I wanted to parametrize the external base url and explicitly give it in resource config. Manually handling the redirects and rewriting the local IP into the URL fails at the last "approval" step with a code 400, probably because it looks like some kind of a cross-domain attack.
The environment variable ATC_EXTERNAL_URL is always localhost:8080 and I suspect that this is also used when forming out the redirect urls. Can this be set somewhere?
I'm bad at golang, but it seems to me that https://github.com/concourse/concourse-pipeline-resource calls the fly binary to achieve some kind of login from inside a resource. Can't say I can get what it does and how.
All help appreciated...
The env var $ATC_EXTERNAL_URL most likely corresponds to the external url specified when you start Concourse, so yes, it can (and if you're using external auth like Github or OAuth, must) be changed. You're correct in assuming that it's used to construct callback URLs.
Also, I don't want to be That Guy(TM), but the Concourse REST API is not public and is subject to change at any time. What are you trying to do that you can't get from the fly CLI? Your resource could call the ATC_EXTERNAL_URL to get the fly CLI when it's needed then execute commands that way.

Access SharePoint Online via REST and NTLM or similar

We are trying to make GET requests to the SharePoint API, for example
https://domain.sharepoint.com/_api/web/lists/GetByTitle'('List')'/Items
We have been trying to access our site's API via the REST API. We have tried many different ways and looked through a lot of Microsoft documentation, but it seems we have misunderstood something in regards to how to authenticate, because we get
Access denied. You do not have permission to perform this action or access this resource
We use Office365 and SharePoint Online. Can I not use username and password somehow, or do I have to design a flow for authentication using the token request etc.? Can I in that case try it with curl somehow?
We have tried to use curl to simulate it:
curl https://domain.sharepoint.com/_api/web/lists/GetByTitle'('List')'/Items -v --ntlm --negotiate -u username:password

keycloak - trusted hosts in client registration policies using kcadm

I'm having trouble finding how I can add a trusted host using the kcadm CLI tool. This is in realm->realm settings->client registration->client registration policies->trusted hosts
It's part of components.
kcadm get components -r demorealm -F "name,id,config(*)" -q name="Trusted Hosts"
I found that if you export the database, it will produce a json file and you will find all the information that you need there.

Where do I find the REST urls and json structs corresponding to each vmc command?

I am trying to use Cloud Foundry REST calls to create an app, bind a service etc. instead of using vmc or the Eclipse plugin. I know we can use vcap-java-client for this, but I also wanted to test calling the REST services directly, such as by using the curl utility. Where do I find the REST URLs and JSON structs corresponding to each vmc command?
The best way for you to see the actual REST calls to the Cloud Controller is to execute the vmc commands and add -t. So for example:
vmc apps -t
This vmc command will show you a list of your apps, and what you get out of the additional -t is more verbose information which shows the Cloud Controller service you are calling. In this case it would be /apps
The command below will give you exactly the output you would get from the above vmc command:
curl -H "Authorization: <Your-Oauth-token>" https://api.cloudfoundry.com/apps
The Authorization token can also be found in the -t generated output. You need to copy the entire Authorization "bearer"
Sudipta,
When you log in and run vmc apps -t, you should see the following output:
Getting applications. >>>
REQUEST: GET /apps
REQUEST_HEADERS:
accept : application/json
user-agent : Ruby
authorization : bearer <token>
content-length : 0
The authorization in REQUEST_HEADERS is what you would need to use.