How to add custom attributes in Keycloak via REST API?
I guess you mean adding user attributes to the admin console by extending the theme - https://www.keycloak.org/docs/3.1/server_development/topics/custom-attributes.html Since that configures the admin console itself it does involve some configuration of files loaded by the keycloak app for a custom theme so I don't think the REST API alone will be enough.
As #Xtreme Biker points out, anything you can do via clicks in the admin console you can do via the REST API as the console uses that API. You can perform the relevant actions in the admin console and check the network tab in the browser console to see what the REST calls are (note you may need to tell your browser not to clear the log between page loads). So if you can do it just with clicks in the browser then the REST API is enough. If you also need to modify configuration files then you'll need to do that part outside of the REST API.
Here is an example
curl --location --request POST 'http://yourKeyclaokSSO.com/auth/admin/realms/YOUR-REALM/users' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <INSERT TOKEN HERE>' \
--data-raw '{"firstName":"James","lastName":"West", "email":"jw#test.com", "username":"james.west", "attributes": {"SomeId":"123"}}'
More documentation:
https://www.keycloak.org/docs-api/11.0/rest-api/index.html#_userrepresentation
Related
I am new to Cloud and I've been practising it for a while. I have a use case.
I want to retrieve the metadata of images in the bucket through a suitable REST API. I searched in API explorer and found Cloud Resource Manager API that could help retrieve the metadata but after exploring it I couldn't figure out the link.
API Required Fields
Can someone help me to understand what to put in the parent field?
You are using the wrong REST API.
The REST API endpoint is:
https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/o/OBJECT_NAME
To view metadata, here is an example using the REST API in curl:
gcloud auth application-default login
BUCKET=BUCKET_NAME
OBJECT=OBJECT_NAME
URL=https://storage.googleapis.com/storage/v1/b/$BUCKET/o/$OBJECT
TOKEN=$(gcloud auth application-default print-access-token)
curl -v -X GET -H "Authorization: Bearer $TOKEN" $URL
I have a web application secured by Keycloak. Now I want to read all the security groups and users from keycloak in my application. Is it possible?
Keycloak has a very good documentation around the APIs.
I believe you are looking to get all the groups and users from the Keycloak. It could be as straightforward as calling any REST APIs.
You can follow this link to get all the groups from the Keycloak.
And this link to get the users based on the given search criteria.
But I would be wary of the performance implication it might have calling these APIs. Make sure to use pagination and appropriate filters for getting users.
Also, if you want, you can write a custom extension in Keycloak to serve your purpose. You can follow this link for it.
I could get the access token using the client secret key using the curl command from command line.
$curl -X POST -d "client_id=my_client" -d "username=username" -d "client_secret=c957b0ba-c421-4021-8433-764aa2fwes72" -d "grant_type=client_credentials" HOST/auth/realms/my_realm/protocol/openid-connect/token
I could also get the list of users after getting the access token
$curl -X GET HOST/auth/admin/realms/my_realm/users -H "Authorization: Bearer access-token" -H 'cache-control: no-cache'
Now, I'm thinking how can I do this from my web application.
I've been trying to use the Keycloak Impersonation API (semi-recent addition) to get an access token for another user. I have created a semi-successful CURL request based on the docs and another StackOverflow question. The CURL request (below) returns a 501 Not Implemented and I am trying to figure this out. If it would be another error I would assume I am doing something incorrectly, but this appears to be at least partially correct.
curl --verbose -X POST "http://localhost:8081/auth/realms/master/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "client_id=admin-cli" \
-d "requested_subject={TARGET_USER_ID}" \
-d "subject_token={USER_MANAGER_TOKEN}"
My workflow so far has been to get the Keycloak master realm "admin" user's access token (successful) and use that in the impersonation request, along with the target user's Keycloak ID. Am I doing something wrong or missing a step?
I haven't changed any Keycloak permissions, is this required?
From my understanding and the documentation, impersonation is currently supported and enabled by default in Keycloak v5 - Sever Installation. However, another article (Keycloak v5 - Token Exchange) seems to indicate that the feature is disabled by default; could this be why I am getting the 501 Not Implemented?
EDIT: #qdivision mentioned that the Token Exchange needs to be enabled for this to work. However, we are using the jboss/keycloak Docker image and I am wondering where I should add the profile.properties file to enable this feature?
Impersonation is enabled by default, Token Exchange is not.
To enable start the server with -Dkeycloak.profile=preview or -Dkeycloak.profile.feature.token_exchange=enabled as mentioned in the docs
https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
Context: We are using Keycloak to secure our APIs by usually passing tokens through Authorization Headers. However, these APIs also allow users to download files (for instance: https://api.service.io/users.xlsx).
To use these "download endpoints", our web client applications pass users' token via query strings. (e.g. https://api.service.io/users.xlsx?accessToken=${bearerToken})).
Problem: Passing tokens via query string has several security flaws (browser history, ...). Therefore we would like to pass a very short-lived token (e.g. lifespan of 15sec) instead of the normal one (lifespan of 300sec by default).
Question: How could we request a different token from Keycloak API (for instance, /realms/#{realm_id}/protocol/openid-connect/token) by:
providing the normal access token (not credentials);
and specifying a different lifespan ?
After reading Keycloak's source code, it appears this is not possible (version 3.4.2.Final) to ask for a specific lifespan at runtime.
However, I developed a Keycloak Custom REST endpoint to do that. https://github.com/looorent/keycloak-configurable-token-api
When this JAR file is deployed in Keycloak, you can ask for a given lifespan at runtime. For example:
$ curl -X POST -d '{ "tokenLifespanInSeconds": 20}' -H "Content-Type: application/json" -H "Authorization: Bearer <user-access-token>" http://auth.service.io/auth/realms/a-realm/configurable-token
I would like to allow anyone to trigger a job I've created in Rundeck.
I can't understand from the API documentation how to do that.
Any one knows, and can give simple examples (my understanding of the subject is minimal to none)?
What I've found is of the sort:
POST /api/1/job/[ID]/run
In order to use the Rundeck API, you need to authenticate first.
Authentication can be done in two different ways:
Using a Token
Using a username and a password
Here is an example of running a Rundeck job using its API (Token based authentication)
curl -X POST http://rundeck_server:port/api/19/job/87bdc26ce-9893-49bd-ad7a-97f4c4a39196/run?authtoken=AVy8jZdcpTYOyPcOVbfcfOQmB6b92zRu --header "Content-Type:text/xml"
Explanation:
19: the API version or Rundeck installation version (19 matchs
Rundeck 2.8.2)
87bdc26ce-9893-49bd-ad7a-97f4c4a39196: Job UUID
run: Runs a job
PS: To obtain an API Token, you must first log in to the Rundeck GUI using a user account. Click on your username in the header of the page, and you will be shown your User Profile page. From this page you can manage your API Tokens.
To update the answer above, this is an example of running a job and feeding it arguments
You will need to replace hostname/API version/job UID/token
Also the current version can be used with JSON only
curl -X POST https://rundeck-hostname.com/api/41/job/7087d3b7-e454-4983-abd5-a211d21d6f27/run?authtoken=[redacted] -H "Accept: application/json" -H "Content-Type: application/json" -d '{
"options": {
"optionName":"optionValue",
}
}
'
And if you need additional arguments for running a job you can find the updated documentation at https://docs.rundeck.com/docs/api/rundeck-api.html#running-a-job