Hi I'm trying to use the Keycloak API but I don't understand very well how it works. I want to obtain all the users of a realm. So I first obtain a token using this endpoint: /realms/master/protocol/openid-connect/token with this params in the request body:
client_id
grant_type
username
password
client_secret
The first question is: What client should I use?
Then I call this endpoint: /admin/realms/master/users with the token in the Authorization header, but I get a 403 status code and I don't understand why.
Thanks
You need two steps
first get an access token from the admin-cli client of the master realm
second call the admin rest api with the access token, set Bearer as prefix in the
Authorization header.
# get an access token
curl -X POST \
https://<HOST>/auth/realms/master/protocol/openid-connect/token \
-H 'Accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'cache-control: no-cache' \
-d 'grant_type=password&username=<USERNAME>l&password=<PASSWORD>&client_id=admin-cli'
# get all users of gateway realm, use the token from above and use Bearer as prefix
curl -X GET \
https://<HOST>/auth/admin/realms/gateway/users \
-H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkI...' \
-H 'cache-control: no-cache'
Generally: 403 = you don't have permissions to perform requested action (to view users in this particular case). You need to define Client Roles (realm-management) for used user/client and assign right role (view-users role in this case):
Keycloak 17+ UI:
Or Keycloak 17+ UI - client with Service Accounts Enabled enabled:
Keycloak 17- UI:
Related
We need to allow our Flutter application to save a property in the user_metadata when the application starts.
As I understand this is a task to be done with the Management API and in order for the Flutter application to be able to write in the user_metadata the client has to request a Management API access token.
I found no information on how to request this token, the closest thing is this page in the documentation that has no example and no explanation on how to retrieve this token:
https://auth0.com/docs/secure/tokens/access-tokens/get-management-api-tokens-for-single-page-applications
Can anyone provide an example on how to request this token from a Flutter app?
Even a generic CURL request would be helpful to understand what endpoint to call with which parameters.
Error received when trying to access the Management API to update the user_metadata:
body{
"statusCode":400,
"error":"Bad Request",
"message":"Bad HTTP authentication header format",
"errorCode":"Bearer"
}
2 steps are needed:
Get the authentication token for management API:
sample curl:
curl --location --request POST "https://YOUR_AUTH0_DOMAIN/oauth/token" \
--header "content-type: application/json" \
--data-raw "{
\"grant_type\": \"client_credentials\",
\"audience\": \"https://YOUR_AUTH0_DOMAIN/api/v2/\",
\"client_id\": \"YOUR_AUTH0_APPLICATION_CLIENT_ID\",
\"client_secret\": \"YOUR_AUTH0_APPLICATION_CLIENT_SECRET\"
}"
call the management api to update app_metadata
sample curl:
curl --request PATCH \
--url 'https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID' \
--header 'authorization: Bearer TOKEN_FROM_STEP_1' \
--header 'content-type: application/json' \
--data '{"email": "whatever#example.com", "user_metadata": {"hobby": "surfing"}, "app_metadata": {"plan": "full"}}'
Edit: Patch request with userID
I am very new to keycloak and I want to know is it possible to create public client then authorize client and get access token. Then use that access token and create UMA tickets to resource server and check if client has rights to access resoucrces using same authorization
I uses this turtorial
https://gruchalski.com/posts/2020-09-05-introduction-to-keycloak-authorization-services/
And it worked if you reauthorized to resource server directly.
But I want to use one authorisation to check rights to resources which could belong to different resource servers
I get access token using this code:
export access_token=`curl --silent -u public-client:1 \
-k -d "grant_type=password&username=${USER_NAME}&password=${USER_PASSWORD}&scope=email profile" \
-H "Content-Type:application/x-www-form-urlencoded" \
${KEYCLOAK_TOKEN_URL} | jq '.access_token' -r`
Then I try to authorise same user to different client:
curl --silent -X POST \
${KEYCLOAK_TOKEN_URL} \
-H "Authorization: Bearer ${access_token}" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=resource-server-1"
But I get "Client does not support permissions"
Maybe someone knows what I need to configure for this to work or even if this can work?
For what I've reading you need two clients. One public and the other confidential.
Then in your client configured as confidential set all your fine-grained authz then in your audience param you set the client id previously configured as confidential.
I am just studying the Thingsboard IoT platform features.
And we know that to retrieve JWT Token for a user, we should POST following API command,
curl -X POST --header "Content-Type: application/json" --header "Accept: application/json" -d "{"username":"xxxxx#gmail.com", "password":"xxxxxx"}" "https://thingsboard.cloud/api/auth/login"
The timeout for this JWT token is set to "9000" sec by default.
How can we modify this Token expiry time?
Your help would be appreciated.
Thank you.
This should be configured as part of security.jwt.tokenExpirationTime
https://thingsboard.io/docs/user-guide/install/config/
You should probably need to use the refresh token to keep your session logged in via /auth/token
To get roles in a custom client I know I need to do two APIs. One is to get an access token and one is to get the roles. My doubt is, should I get accessToken by sending admin-CLI details in headers or because I want roles of the custom client I have created? Because, im getting unknown_error when trying to fetch roles.
To get accessToken:
curl -X POST \
http://localhost:8080/auth/realms/test-keycloak-example/protocol/openid-connect/token \
-H 'cache-control: no-cache' \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=test-keycloak-example&client_secret=shhh'
To get roles:
curl -X GET \
http://localhost:8080/auth/admin/realms/test-keycloak-example/clients/cb11fd17-46df-419a-9c67-4a69d1be66ae/roles \
-H 'authorization: Bearer <token received from previous call> \
-H 'cache-control: no-cache' \
-H 'postman-token: 248fef6b-9c24-3aa3-91ae-a6f11e01e55c'
The response is:
{
"error": "unknown_error"
}
Using Postman and three conditions should support it.
#1 "test-user" needs a "view-clients" role. It comes from "realm-management" client.
#2 Using "admin-cli" client and Change Access Type with "confidential" and turn on "Authorization Enabled" is "ON"
#3 using "admin-cli"'s secret for Postman token call.
#4 get token with #3's secret and #1 user's credential(username and password)
the token "expires_in" is very short, you need to makes a longer by UI.
it is admin-cli's advanced settings(for just testing purpose)
#5 you needs to save a token for calling client/role API
it is same #4's API on Tests Tab of Postman.
#6 Call list client/role API with #5's token.
#7 find "custom-client" id from #6
#8 call custom role API using #7 id.
it should be match with UI's roles.
Good Luck!
I'm attempting to do a POST to a bucket via API. I have an API key, and I have a client-id and secret. What should be included in the header for authentication to my bucket for a simple post?
If you are trying to do a POST with the RESTful API you should add an "Authorization: Bearer [OAUTH2_TOKEN]". I recommend on following the Quickstart on Uploading Objects with Rest API which guides you on how to achieve this and searching the OAuth 2.0 playground to get the Token
Taken from the guide:
curl -X POST --data-binary #[OBJECT] \
-H "Authorization: Bearer [OAUTH2_TOKEN]" \
-H "Content-Type: [OBJECT_CONTENT_TYPE]" \
"https://www.googleapis.com/upload/storage/v1/b/[BUCKET_NAME]/o?uploadType=media&name=[OBJECT_NAME]"