<div dir="ltr">Client registration service can only be invoked by a user from the realm you are creating a client in, so users in the master realm can only create clients in the master realm.<div><br></div><div>IMO you should use the client registration services, supported initial access tokens and leave realm creation to another process. Creating a realm is part of installing the Keycloak server, not installing the client.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 8 March 2016 at 01:14, John Dennis <span dir="ltr"><<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Chapter 9.1.1 of the Keycloak Reference Guide<br>
(<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/index.html" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/index.html</a>)<br>
says that a bearer token can be used to register a client provided the<br>
user has the create-client or manage-client role on the realm.<br>
<br>
Chapter 6 discusses how to create a user in the master realm who can<br>
administer a specific realm. I followed those instructions and created<br>
a user and assigned them the create-client role in the desired realm.<br>
<br>
I then obtained a token for that user by posting to<br>
auth/realms/master/protocol/openid-connect/token with the username and<br>
password for the realm administrator I created along with the<br>
client-id of "admin-cli" (not sure if this is the right client id for<br>
this purpose, can someone explain selecting the proper client id?).<br>
<br>
I received back a token and then used this as an authorization bearer<br>
token when POSTing to the<br>
auth/realms/{realm}/clients/saml2-entity-descriptor to create a SAML<br>
SP client in the realm. However this fails with an 403 Forbidden<br>
response and the message "Invalid signature".<br>
<br>
This error seems to be generated by the ClientRegistrationTokenUtils<br>
class in the method parseToken() which is called in the init() method<br>
of the ClientRegistrationAuth class. As far as I can tell the<br>
parseToken() method is using the public key for the realm. But the<br>
token is not from the realm, the token is from the master realm where<br>
the realm's admin is located.<br>
<br>
For the bearer token to work when registering a client it would seem<br>
the token would have belong to a user in the realm, not the master<br>
realm as discussed in Chapter 6.<br>
<br>
How is client creation supposed to work with a bearer token instead of<br>
using an initial access token?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
John<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote></div><br></div>