[keycloak-dev] Admin REST - User Roles

Stian Thorgersen sthorger at redhat.com
Fri Oct 2 02:31:03 EDT 2015


Looks like there's a difference if you return a specific user or search for
users. Returning a user doesn't include null values, while search does.
Created https://issues.jboss.org/browse/KEYCLOAK-1896

On 1 October 2015 at 16:55, Remi Cartier <remi.cartier at imetrik.com> wrote:

> Stian,
>
> that’s actually what I am receiving over the wire. Here is the full log of
> the communication :
>
> 16:18:58.472 [main] DEBUG org.apache.http.headers - >> GET
> /auth/admin/realms/imetrik/users?first=0&max=2147483647 HTTP/1.1
> 16:18:58.472 [main] DEBUG org.apache.http.headers - >> Accept:
> application/json
> 16:18:58.472 [main] DEBUG org.apache.http.headers - >> Accept-Encoding:
> gzip, deflate
> 16:18:58.472 [main] DEBUG org.apache.http.headers - >> Authorization:
> Bearer
> [access token removed]
> 16:18:58.472 [main] DEBUG org.apache.http.headers - >> Host: m4ib-idm:8080
> 16:18:58.472 [main] DEBUG org.apache.http.headers - >> Connection:
> Keep-Alive
> 16:18:58.478 [main] DEBUG org.apache.http.wire -  << "HTTP/1.1 200
> OK[\r][\n]"
> 16:18:58.479 [main] DEBUG org.apache.http.wire -  << "Connection:
> keep-alive[\r][\n]"
> 16:18:58.479 [main] DEBUG org.apache.http.wire -  << "Cache-Control:
> no-cache[\r][\n]"
> 16:18:58.479 [main] DEBUG org.apache.http.wire -  << "X-Powered-By:
> Undertow/1[\r][\n]"
> 16:18:58.479 [main] DEBUG org.apache.http.wire -  << "Server:
> WildFly/9[\r][\n]"
> 16:18:58.479 [main] DEBUG org.apache.http.wire -  << "Transfer-Encoding:
> chunked[\r][\n]"
> 16:18:58.479 [main] DEBUG org.apache.http.wire -  << "Content-Type:
> application/json[\r][\n]"
> 16:18:58.479 [main] DEBUG org.apache.http.wire -  << "Date: Tue, 29 Sep
> 2015 20:18:31 GMT[\r][\n]"
> 16:18:58.479 [main] DEBUG org.apache.http.wire -  << "[\r][\n]"
> 16:18:58.479 [main] DEBUG o.a.h.i.conn.DefaultClientConnection - Receiving
> response: HTTP/1.1 200 OK
> 16:18:58.479 [main] DEBUG org.apache.http.headers - << HTTP/1.1 200 OK
> 16:18:58.479 [main] DEBUG org.apache.http.headers - << Connection:
> keep-alive
> 16:18:58.479 [main] DEBUG org.apache.http.headers - << Cache-Control:
> no-cache
> 16:18:58.479 [main] DEBUG org.apache.http.headers - << X-Powered-By:
> Undertow/1
> 16:18:58.479 [main] DEBUG org.apache.http.headers - << Server: WildFly/9
> 16:18:58.479 [main] DEBUG org.apache.http.headers - << Transfer-Encoding:
> chunked
> 16:18:58.479 [main] DEBUG org.apache.http.headers - << Content-Type:
> application/json
> 16:18:58.479 [main] DEBUG org.apache.http.headers - << Date: Tue, 29 Sep
> 2015 20:18:31 GMT
> 16:18:58.479 [main] DEBUG o.a.h.impl.client.DefaultHttpClient - Connection
> can be kept alive indefinitely
> 16:18:58.480 [main] DEBUG org.apache.http.wire -  << "01db[\r][\n]"
> 16:18:58.480 [main] DEBUG org.apache.http.wire -  <<
> "[{"self":null,"id":"0556717e-ffb9-4c2d-b85b-533d9396f243","createdTimestamp":1443542144845,"username":"admin","enabled":true,"totp":false,"emailVerified":true,"firstName":"first
> name","lastName":"last
> name","email":null,"federationLink":null,"serviceAccountClientId":null,"attributes":{"key1":["value1"]},"credentials":null,"requiredActions":[],"federatedIdentities":null,
> "realmRoles":null,"clientRoles":null,"clientConsents":null,
> "applicationRoles":null,"socialLinks":null}]"
> 16:18:58.552 [main] DEBUG org.apache.http.wire -  << "[\r][\n]"
> 16:18:58.552 [main] DEBUG org.apache.http.wire -  << "0[\r][\n]"
> 16:18:58.552 [main] DEBUG org.apache.http.wire -  << "[\r][\n]"
> 16:18:58.552 [main] DEBUG o.a.h.i.c.BasicClientConnectionManager -
> Releasing connection
> org.apache.http.impl.conn.ManagedClientConnectionImpl at 483f6d77
> 16:18:58.552 [main] DEBUG o.a.h.i.c.BasicClientConnectionManager -
> Connection can be kept alive indefinitely
>
> Regards.
>
> ------------------------------
>
>
> REMI CARTIER
> B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
>
> *IMETRIK GLOBAL INC.*
> *T :* +1 514 448-6407 x2009
> *T :* +1 866 276-5382 (toll free)
> *F :* +1 514 904-0611
>
> 740 Notre Dame St. West, Suite 1575
> Montreal, Quebec, Canada H3C 3X6
> imetrik.com <http://www.imetrik.com/>
>
> On Oct 1, 2015, at 10:37 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>
> Just tried it and the returned json for a user is:
>
>
>  {"id":"354094d6-8b32-4c32-b1ae-ccd82c5fdca3","createdTimestamp":1443710165680,"username":"admin","enabled":true,"totp":false,"emailVerified":false,"attributes":{"locale":["en"]},"requiredActions":[]}
>
> Which doesn't include the roles field. So this is shown because the way
> you are printing the user, not because it's included on the wire.
>
> On 1 October 2015 at 16:34, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>> Is that the json sent on the wire, or is it after you've marshalled it to
>> UserRepresentation and then printed it back again?
>>
>> On 1 October 2015 at 15:34, Remi Cartier <remi.cartier at imetrik.com>
>> wrote:
>>
>>> yes,
>>>
>>> I can see :
>>>
>>> [
>>>     {
>>>         "applicationRoles": null,
>>>         "attributes": {
>>>             "key1": [
>>>                 "value1"
>>>             ]
>>>         },
>>>         "clientConsents": null,
>>>         "clientRoles": null,
>>>         "createdTimestamp": 1443542144845,
>>>         "credentials": null,
>>>         "email": null,
>>>         "emailVerified": true,
>>>         "enabled": true,
>>>         "federatedIdentities": null,
>>>         "federationLink": null,
>>>         "firstName": "first name",
>>>         "id": "0556717e-ffb9-4c2d-b85b-533d9396f243",
>>>         "lastName": "last name",
>>>         "realmRoles": null,
>>>         "requiredActions": [],
>>>         "self": null,
>>>         "serviceAccountClientId": null,
>>>         "socialLinks": null,
>>>         "totp": false,
>>>         "username": "admin"
>>>     }
>>> ]
>>>
>>> when doing the query : GET /auth/admin/realms/imetrik/users?first=0&max=2147483647
>>>
>>> On Oct 1, 2015, at 2:49 AM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>> Sorry, I meant does it include the "roles" field?
>>>
>>> On 30 September 2015 at 16:24, Remi Cartier <remi.cartier at imetrik.com>
>>> wrote:
>>>
>>>> The JSON response (string) does NOT contain any roles.
>>>>
>>>> ------------------------------
>>>> *From:* Stian Thorgersen [sthorger at redhat.com]
>>>> *Sent:* Wednesday, September 30, 2015 7:39 AM
>>>> *To:* Remi Cartier
>>>> *Cc:* Marek Posolda; keycloak-dev at lists.jboss.org
>>>>
>>>> *Subject:* Re: [keycloak-dev] Admin REST - User Roles
>>>>
>>>> Does the response actually contain the roles though? You're parsing to UserRepresentation
>>>> then printing it out afterwards.
>>>>
>>>> On 30 September 2015 at 13:24, Remi Cartier <remi.cartier at imetrik.com>
>>>> wrote:
>>>>
>>>>> Marek,
>>>>>
>>>>> I see, thank you for your reply.
>>>>>
>>>>> Wouldn't it be less error/question prone if the endpoint returning all
>>>>> the users wouldn't show the *roles attributes ?
>>>>> Because they will always be null if I understood correctly.
>>>>>
>>>>> Regards.
>>>>>
>>>>> Rémi.
>>>>>
>>>>> ------------------------------
>>>>> *From:* Marek Posolda [mposolda at redhat.com]
>>>>> *Sent:* Wednesday, September 30, 2015 6:21 AM
>>>>> *To:* Remi Cartier; keycloak-dev at lists.jboss.org
>>>>> *Subject:* Re: [keycloak-dev] Admin REST - User Roles
>>>>>
>>>>> Hi,
>>>>>
>>>>> to retrieve realm role mappings of user, you need to use the endpoint
>>>>> like http://localhost:8080/auth/admin/realms/demo/users/{userid}/role-mappings/realm
>>>>> . See the docs for details:
>>>>> http://keycloak.github.io/docs/rest-api/overview-index.html
>>>>>
>>>>> Marek
>>>>>
>>>>> On 29/09/15 19:06, Remi Cartier wrote:
>>>>>
>>>>> Hi guys,
>>>>>
>>>>> first of all, thank you for that great piece of software, it’s amazing
>>>>> !
>>>>>
>>>>> Now, down to business.
>>>>>
>>>>> When I do :
>>>>>
>>>>>         keycloak = Keycloak.getInstance(getKeycloakServerURL(),
>>>>>                 getKeycloakRealm(), getKeycloakRealmAdminUsername(),
>>>>>                 getKeycloakRealmAdminPassword(), getKeycloakClientId());
>>>>>         for (UserRepresentation userRepresentation :
>>>>>                 keycloak.realm(getKeycloakRealm()).users().search(null, 0, Integer.MAX_VALUE)) {
>>>>>             log.info(ToStringBuilder.reflectionToString(userRepresentation,
>>>>>                     ToStringStyle.JSON_STYLE));
>>>>>         }
>>>>>
>>>>> The information I get does not contain any roles, all the roles
>>>>> related fields are ‘null’.
>>>>>
>>>>> {"self":null,"id":"0556717e-ffb9-4c2d-b85b-533d9396f243","createdTimestamp":1443542144845,"username":"admin","enabled":true,"totp":false,"emailVerified":true,"firstName":"first name","lastName":"last name","email":null,"federationLink":null,"serviceAccountClientId":null,"attributes":{key1=[value1]},"credentials":null,"requiredActions":[],"federatedIdentities":null,"realmRoles":null,"clientRoles":null,"clientConsents":null,"applicationRoles":null,"socialLinks":null}
>>>>>
>>>>> However in the admin interface I have set up roles at each layer :
>>>>> realm, client
>>>>>
>>>>> The user I am using to do the queries has all the *realm* roles
>>>>> associated.
>>>>>
>>>>> is there anything else I need to do ?
>>>>>
>>>>> thank you for your help !
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
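
Marek's advice applied to the list endpoint, as an added example that is not part of the thread: the user list never carries roles, so realm roles are fetched per user from `.../users/{userid}/role-mappings/realm`. The names `realm_roles_by_user`, `http_get_json`, `fake_fetch`, the second user and the role names are constructed for illustration; the paths, realm name and first user id are the ones quoted above.

```python
import json
from urllib.request import Request, urlopen

BASE = "http://localhost:8080/auth/admin/realms"  # base path used in the thread

def http_get_json(url, token):
    """Live fetcher; the caller supplies an admin access token (assumption)."""
    req = Request(url, headers={"Accept": "application/json",
                                "Authorization": "Bearer " + token})
    with urlopen(req) as resp:
        return json.load(resp)

def realm_roles_by_user(realm, fetch):
    """Return {username: sorted realm role names}, one extra call per user."""
    users = fetch(f"{BASE}/{realm}/users?first=0&max=2147483647")
    roles = {}
    for user in users:
        # The list sends "realmRoles": null and a single-user GET omits the key.
        # Neither means "no roles", so the field is ignored and the mapping
        # endpoint is treated as the only source of truth.
        mapped = fetch(f"{BASE}/{realm}/users/{user['id']}/role-mappings/realm")
        roles[user["username"]] = sorted(r["name"] for r in mapped or [])
    return roles

# Constructed responses standing in for a server, keyed by URL.
ADMIN_ID = "0556717e-ffb9-4c2d-b85b-533d9396f243"  # user id from the thread
OTHER_ID = "00000000-0000-0000-0000-000000000001"  # constructed
SAMPLE = {
    f"{BASE}/imetrik/users?first=0&max=2147483647": [
        {"id": ADMIN_ID, "username": "admin", "realmRoles": None},
        {"id": OTHER_ID, "username": "driver1"},  # roles key absent
    ],
    f"{BASE}/imetrik/users/{ADMIN_ID}/role-mappings/realm": [
        {"id": "r-2", "name": "offline_access"},
        {"id": "r-1", "name": "auditor"},
    ],
    f"{BASE}/imetrik/users/{OTHER_ID}/role-mappings/realm": [],
}

def fake_fetch(url):
    """Offline stand-in for http_get_json, backed by SAMPLE."""
    return SAMPLE[url]

if __name__ == "__main__":
    # Live use: realm_roles_by_user("imetrik", lambda u: http_get_json(u, token))
    print(realm_roles_by_user("imetrik", fake_fetch))
```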