How to enable/disable user in Keycloak Admin Client - keycloak

In the examples I've found for the Keycloak Admin Client, a method called "setEnabled" in the UserRepresentation class is mentioned to enable/disable the user.
Unfortunately, this method seemed to be removed in the latest versions, as the method is also not listed in the JavaDocs anymore.
So, my question is: how can I enable/disable a user in the newest versions of the Keycloak Admin Client (3.4.3.Final)?
Thanks and best regards, Chris

It is clearly possible to do using the API:
curl -v -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer $token" --data "{\"enabled\": false}" "http://localhost:8080/auth/admin/realms/[my-realm]/users/[user-id]"

Works on Keycloak-admin-client version 4.8.3.Final
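// imports
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.UserRepresentation;
// connect to keycloak server
Keycloak keycloak = KeycloakBuilder.builder()
        .serverUrl(AUTHURL)
        .realm(REALM)
        .grantType(OAuth2Constants.PASSWORD) // "password"
        .clientId(CLIENTID)
        .clientSecret(SECRETKEY)
        .username(ADMIN_USERNAME)
        .password(ADMIN_PASSWORD)
        .build();
// get user resource
RealmResource realmResource = keycloak.realm(REALM);
UsersResource userRessource = realmResource.users();
// fetch an existing user
UserRepresentation user = userRessource.get(userId).toRepresentation();
// change user
user.setEnabled(true);
// update
userRessource.get(userId).update(user);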

Found the solution: The issue was that different Java packages with a UserRepresentation class exist and I imported the wrong one. The right one is
org.keycloak.representations.idm.UserRepresentation and this also includes a function setEnabled().
Thanks a lot for comments!

Related

Keycloak: cannot get token from a custom spi

I have to create two rest services via keycloak.
The first one sends a verification code to a phone number. The second one grants a token to a user if the verification code is correct for a given phone number.
I have created a module with a custom SPI following the guide in https://github.com/FX-HAO/keycloak-phone-authenticator. The provider can be found. I have also created the Direct grant flow copy and made it the default direct grant flow for the realm.
I can send the verification code with a request to http://{host}//auth/realms/{my_realm}/{my_provider}/send_sms
However, I cannot get the token using the following request:
curl -X POST 'http://{host}/auth/realms/{my realm}/protocol/openid-connect/token' \
  -H 'authorization: Basic {my keycloak admin username and password}' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'grant_type=password&phone_number={phone number}&code={code}'
I keep getting the invalid_client_credentials error and it seems that my provider is not called because there is nothing in its logs.
What am I doing wrong?
As @sventorben said, the problem was in specifying wrong credentials for the client.

Keycloak: Could not find resource for full path

I am trying to get the REST API of keycloak to work.
Thanks to this post I was able to get the token. But when trying the example for the list of users in the first answer, I get the error:
"error": "RESTEASY003210: Could not find resource for full path: http://PATHTOCEAKLOAK:81/auth/user/realms/master/users"
Here is my request with Postman:
As I am using a Bitnami container, the admin is called user; that's why I am using /auth/user/ instead of /auth/admin/.
For those who are still facing this error and using 17.0+ version of Keycloak, there's a change in endpoints as per the official documentation. I resolved this issue by just using {realm}/user and omitting /auth in between.
In addition to @Akanksha_p's answer, here is a command to get the token using curl:
curl -k -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=your-client" -d "username=some-user" -d "password=hardpassword" -d "grant_type=password" -X POST https://your.fqdn.server:8443/realms/yourrealm/protocol/openid-connect/token
I was actually working on the same and using the docker image bitnami/keycloak:latest.
It worked with just removing /auth from the base path and keeping it as /admin,
something like this (GET http://localhost:8085/admin/realms/test-realm/users).
If you want to know which URLs are available on your current realm, you can go to Realm -> Settings and click on the "Endpoints" link.
Or go directly to the following URL: http://{host}:{port}/realms/{your_realm}/.well-known/openid-configuration.
@Kostanos - I will try to get the /auth/ path back with a reverse proxy in front of Keycloak, like nginx, and make a rewrite.

Getting Users and groups from Keycloak

I have a web application secured by Keycloak. Now I want to read all the security groups and users from keycloak in my application. Is it possible?
Keycloak has very good documentation around the APIs.
I believe you are looking to get all the groups and users from Keycloak. It could be as straightforward as calling any REST APIs.
You can follow this link to get all the groups from Keycloak.
And this link to get the users based on the given search criteria.
But I would be wary of the performance implication it might have calling these APIs. Make sure to use pagination and appropriate filters for getting users.
Also, if you want, you can write a custom extension in Keycloak to serve your purpose. You can follow this link for it.
I could get the access token using the client secret key using the curl command from command line.
$ curl -X POST -d "client_id=my_client" -d "username=username" -d "client_secret=c957b0ba-c421-4021-8433-764aa2fwes72" -d "grant_type=client_credentials" HOST/auth/realms/my_realm/protocol/openid-connect/token
I could also get the list of users after getting the access token
$ curl -X GET HOST/auth/admin/realms/my_realm/users -H "Authorization: Bearer access-token" -H 'cache-control: no-cache'
Now, I'm thinking how can I do this from my web application.
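The path advice from the previous thread and the pagination advice in this one, combined as an added example that is not part of any post: it derives the admin REST base from the `issuer` field of the `.well-known/openid-configuration` document, so the same code works with and without the `/auth` prefix, and reads users in bounded `first`/`max` pages. The `admin` path segment is fixed and is not the administrator's account name; the function names, the sample users and the stand-in fetch function are assumptions for illustration.

```python
import json
import urllib.parse
import urllib.request

def admin_base_from_issuer(issuer):
    """Derive the admin REST base from the discovery document's "issuer".

    .../auth/realms/<realm>  (older layout) -> .../auth/admin/realms/<realm>
    .../realms/<realm>       (17.0+ layout) -> .../admin/realms/<realm>
    """
    root, sep, realm = issuer.rstrip("/").rpartition("/realms/")
    if not sep or not realm or "/" in realm:
        raise ValueError(f"not a realm issuer URL: {issuer!r}")
    return f"{root}/admin/realms/{realm}"

def http_get_json(url, token):
    """GET a JSON document with the bearer token in the Authorization header."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def iter_users(issuer, token, page_size=100, fetch=http_get_json):
    """Yield every user, one bounded page (first/max) at a time."""
    base = admin_base_from_issuer(issuer)
    first = 0
    while True:
        query = urllib.parse.urlencode({"first": first, "max": page_size})
        page = fetch(f"{base}/users?{query}", token)
        yield from page
        if len(page) < page_size:  # short page: nothing left to fetch
            return
        first += page_size

# Constructed sample data and a stand-in for the server, so this runs offline.
SAMPLE_USERS = [{"username": f"user{i}", "enabled": i % 2 == 0} for i in range(5)]

def fake_fetch(url, token):
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    first, size = int(q["first"][0]), int(q["max"][0])
    return SAMPLE_USERS[first:first + size]

if __name__ == "__main__":
    issuer = "http://localhost:8085/realms/test-realm"  # 17.0+ layout
    print(admin_base_from_issuer(issuer))
    for user in iter_users(issuer, "constructed-token", page_size=2, fetch=fake_fetch):
        print(user["username"], user["enabled"])
```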

Keycloak impersonation API not implemented

I've been trying to use the Keycloak Impersonation API (semi-recent addition) to get an access token for another user. I have created a semi-successful CURL request based on the docs and another StackOverflow question. The CURL request (below) returns a 501 Not Implemented and I am trying to figure this out. If it would be another error I would assume I am doing something incorrectly, but this appears to be at least partially correct.
curl --verbose -X POST "http://localhost:8081/auth/realms/master/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "client_id=admin-cli" \
-d "requested_subject={TARGET_USER_ID}" \
-d "subject_token={USER_MANAGER_TOKEN}"
My workflow so far has been to get the Keycloak master realm "admin" user's access token (successful) and use that in the impersonation request, along with the target user's Keycloak ID. Am I doing something wrong or missing a step?
I haven't changed any Keycloak permissions, is this required?
From my understanding and the documentation, impersonation is currently supported and enabled by default in Keycloak v5 - Server Installation. However, another article (Keycloak v5 - Token Exchange) seems to indicate that the feature is disabled by default; could this be why I am getting the 501 Not Implemented?
EDIT: @qdivision mentioned that the Token Exchange needs to be enabled for this to work. However, we are using the jboss/keycloak Docker image and I am wondering where I should add the profile.properties file to enable this feature?
Impersonation is enabled by default, Token Exchange is not.
To enable it, start the server with -Dkeycloak.profile=preview or -Dkeycloak.profile.feature.token_exchange=enabled, as mentioned in the docs:
https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

running a rundeck job from a rest api

I would like to allow anyone to trigger a job I've created in Rundeck.
I can't understand from the API documentation how to do that.
Does anyone know how, and can anyone give simple examples (my understanding of the subject is minimal to none)?
What I've found is of the sort:
POST /api/1/job/[ID]/run
In order to use the Rundeck API, you need to authenticate first.
Authentication can be done in two different ways:
Using a Token
Using a username and a password
Here is an example of running a Rundeck job using its API (Token based authentication)
curl -X POST http://rundeck_server:port/api/19/job/87bdc26ce-9893-49bd-ad7a-97f4c4a39196/run?authtoken=AVy8jZdcpTYOyPcOVbfcfOQmB6b92zRu --header "Content-Type:text/xml"
Explanation:
19: the API version or Rundeck installation version (19 matches Rundeck 2.8.2)
87bdc26ce-9893-49bd-ad7a-97f4c4a39196: Job UUID
run: Runs a job
PS: To obtain an API Token, you must first log in to the Rundeck GUI using a user account. Click on your username in the header of the page, and you will be shown your User Profile page. From this page you can manage your API Tokens.
To update the answer above, this is an example of running a job and feeding it arguments
You will need to replace hostname/API version/job UID/token
Also the current version can be used with JSON only
curl -X POST https://rundeck-hostname.com/api/41/job/7087d3b7-e454-4983-abd5-a211d21d6f27/run?authtoken=[redacted] -H "Accept: application/json" -H "Content-Type: application/json" -d '{
  "options": {
    "optionName": "optionValue"
  }
}'
And if you need additional arguments for running a job you can find the updated documentation at https://docs.rundeck.com/docs/api/rundeck-api.html#running-a-job
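Rundeck also accepts the API token in the `X-Rundeck-Auth-Token` request header, which keeps it out of the URL and so out of server and proxy access logs. The following is an added example, not part of the answers above, that builds the same run request with the token in the header and the options serialized as JSON; the function names are assumptions, and the host, job ID and option names are the placeholders used in the answer.

```python
import json
import urllib.parse
import urllib.request

def build_run_request(base_url, api_version, job_id, token, options=None):
    """Build POST /api/<version>/job/<id>/run with the token in a header."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be non-empty and contain no whitespace")
    # Encode the job ID as a single path segment so it cannot alter the route.
    path = "/api/{}/job/{}/run".format(
        int(api_version), urllib.parse.quote(job_id, safe=""))
    # json.dumps always emits valid JSON (no trailing commas).
    body = json.dumps({"options": options or {}}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=body,
        method="POST",
        headers={
            "X-Rundeck-Auth-Token": token,  # token travels in a header, not the URL
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )

def run_job(base_url, api_version, job_id, token, options=None):
    """Send the request and return the decoded JSON response."""
    req = build_run_request(base_url, api_version, job_id, token, options)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed values; nothing is sent here, the request is only inspected.
    req = build_run_request(
        "https://rundeck-hostname.com", 41,
        "7087d3b7-e454-4983-abd5-a211d21d6f27",
        "constructed-token", {"optionName": "optionValue"})
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```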