[keycloak-user] How to access realms/{realm}/users/{user} with Application
Bill Burke
bburke at redhat.com
Tue Mar 4 15:46:04 EST 2014
On 3/4/2014 2:15 PM, Dean Peterson wrote:
> Hello,
>
> I am trying to find the best way to access the UsersResource.java Rest
> services outside the keycloak admin application to get a user's
> information. How do I make a request using just the client's credentials?
>
You just want basic information right? name, email, etc.? Next release
(March 13th) we'll have OpenID Connect support. SkeletonKeySession
(renamed to KeycloakSecurityContext) will have a reference to an IDToken
which can be populated with various user information (claims). Allowed
claims are specified per application/oauth client.
You can build and use this right now. View the
preconfigured/customer-portal examples to see how it's being done right
If you don't want to build/run from master you can do a POST to
/auth/rest/realms/keycloak-admin/tokens/grants/access
URL form encoded parameters of:
username=admin
password=admin-password
This will return an access token which you can use to invoke on the
admin REST API. *NOTE* we're changing this particular REST API next
release too :(
> I currently use something like this but I get a 401 because I am using a
> user's oauth token and they only have user privileges:
> SkeletonKeySession session = (SkeletonKeySession) request
>         .getAttribute(SkeletonKeySession.class.getName());
> ResteasyClient client = new ResteasyClientBuilder()
>         .trustStore(session.getMetadata().getTruststore())
>         .hostnameVerification(
>                 ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>         .build();
>
> String username = request.getRemoteUser();
>
> Profile profile = null;
>
> try {
>     Response response = client
>             .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
>             .path(username)
>             .request()
>             .header(HttpHeaders.AUTHORIZATION,
>                     "Bearer " + session.getTokenString()).get();
>
>     // Get the existing entry if there is one. Otherwise, just return
>     // the regular entity retrieved from the remote system.
>     try {
>         profile = profileRepository
>                 .findByRegistrationId(member.getId());
>     } catch (NoResultException e) {
>         // ignore
>     }
> } finally {
>     client.close();
> }
>
> Is there a way for the application to make a request directly as an
> admin without giving the user admin privileges?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com