[keycloak-user] How to access realms/{realm}/users/{user} with Application

Bill Burke bburke at redhat.com
Tue Mar 4 15:46:04 EST 2014



On 3/4/2014 2:15 PM, Dean Peterson wrote:
> Hello,
>
> I am trying to find the best way to access the UsersResource.java Rest
> services outside the keycloak admin application to get a user's
> information.  How do I make a request using just the client's credentials?
>

You just want basic information right?  name, email, etc.?  Next release 
(March 13th) we'll have OpenID Connect support.  SkeletonKeySession 
(renamed to KeycloakSecurityContext) will have a reference to an IDToken 
which can be populated with various user information (claims).  Allowed 
claims are specified per application/oauth client.

You can build and use this right now.  View the 
preconfigured/customer-portal examples to see how it's being done right

If you don't want to build/run from master you can do a POST to 
/auth/rest/realms/keycloak-admin/tokens/grants/access

URL form encoded parameters of:

username=admin
password=admin-password

This will return an access token which you can use to invoke on the 
admin REST API.  *NOTE* we're changing this particular REST API next 
release too :(




> I currently use something like this but I get a 401 because I am using a
> user's oauth token and they only have user privileges:
> SkeletonKeySession session = (SkeletonKeySession) request
>                  .getAttribute(SkeletonKeySession.class.getName());
>          ResteasyClient client = new ResteasyClientBuilder()
>                  .trustStore(session.getMetadata().getTruststore())
>                  .hostnameVerification(
>                          ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>                  .build();
>
>          String username = request.getRemoteUser();
>
>          Profile profile = null;
>
>          try {
>
>              Response response = client
>                      .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
>                      .path(username)
>                      .request()
>                      .header(HttpHeaders.AUTHORIZATION,
>                              "Bearer " + session.getTokenString()).get();
>
>              // Get the existing entry if there is one. Otherwise, just return
>              // the regular entity retrieved from the remote system.
>              try {
>                  profile = profileRepository
>                          .findByRegistrationId(member.getId());
>
>              } catch (NoResultException e) {
>                  // ignore
>              }
>
>          } finally {
>              client.close();
>          }
>
> Is there a way for the application to make a request directly as an
> admin without giving the user admin privileges?
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
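
The two-step flow described in the reply above (password grant against the keycloak-admin realm, then a bearer-token call to the admin REST API), as an added example that is not part of the original thread and not Keycloak's own code. Assumptions: the HTTPS base URL and port, the environment variable names, the `access_token` field in the JSON response, and a JSON provider on the classpath so the body can be read as a `Map`.

```java
import java.util.Map;
import javax.ws.rs.client.*;
import javax.ws.rs.core.*;

public class AdminUserLookup {
    // Assumed base URL (HTTPS, since the grant request carries a password).
    static final String BASE = "https://server:8443/auth/rest";
    // Step 1: form-encoded username/password POST to the keycloak-admin realm.
    static String fetchAdminToken(Client client, String user, String password) {
        Form form = new Form().param("username", user).param("password", password);
        Response res = client.target(BASE)
                .path("realms/keycloak-admin/tokens/grants/access")
                .request(MediaType.APPLICATION_JSON)
                .post(Entity.form(form));
        try {
            if (res.getStatus() != 200)
                throw new IllegalStateException("grant failed: HTTP " + res.getStatus());
            // Assumption: JSON body with an OAuth 2.0 style "access_token" field.
            Object token = res.readEntity(Map.class).get("access_token");
            if (token == null) throw new IllegalStateException("no access_token in response");
            return token.toString();
        } finally { res.close(); }
    }
    // Step 2: call the admin REST API with the admin token, not the end user's.
    static String fetchUser(Client client, String token, String realm, String username) {
        Response res = client.target(BASE)
                .path("admin/realms/{realm}/users/{user}")
                .resolveTemplate("realm", realm, true)   // true: encode '/' so each
                .resolveTemplate("user", username, true) // value stays one path segment
                .request(MediaType.APPLICATION_JSON)
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                .get();
        try {
            if (res.getStatus() != 200)
                throw new IllegalStateException("lookup failed: HTTP " + res.getStatus());
            return res.readEntity(String.class);
        } finally { res.close(); }
    }
    public static void main(String[] args) {
        Client client = ClientBuilder.newClient(); // default TLS hostname verification
        try {
            // Hypothetical env var names; keeps the admin password out of source.
            String token = fetchAdminToken(client,
                    System.getenv("KC_ADMIN_USER"), System.getenv("KC_ADMIN_PASSWORD"));
            System.out.println(fetchUser(client, token, "myrealm", args[0]));
        } finally { client.close(); }
    }
}
```

The admin token stays server-side in the application and is never handed to the end user, whose own token keeps only user privileges.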

