[keycloak-user] keycloak-user Digest, Vol 3, Issue 2

Dean Peterson peterson.dean at gmail.com
Wed Mar 5 15:41:42 EST 2014


I just saw Bill Burke's response.  I will try one of your two approaches.
 Yes, I just need the basic info so what you suggested will work for me.
 Thanks!


On Wed, Mar 5, 2014 at 2:29 PM, <keycloak-user-request at lists.jboss.org> wrote:

> Today's Topics:
>
>    1. Openshift installation (Davide Ungari)
>    2. How to access realms/{realm}/users/{user} with Application
>       (Dean Peterson)
>    3. Re: How to access realms/{realm}/users/{user} with
>       Application (Bill Burke)
>    4. Re: How to access realms/{realm}/users/{user} with
>       Application (Stian Thorgersen)
>    5. Re: How to access realms/{realm}/users/{user} with
>       Application (Dean Peterson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 2 Mar 2014 06:20:15 -0500 (EST)
> From: Davide Ungari <davide at billdrawer.com>
> Subject: [keycloak-user]  Openshift installation
> To: keycloak user list <keycloak-user at lists.jboss.org>
> Message-ID:
>         <
> 155451129.27399.1393759215776.open-xchange at app1.ox.registrar-servers.com>
>
> Content-Type: text/plain; charset="utf-8"
>
>
> At the end I got it!
> I followed the instructions of section 4.1 "Create Keycloak instance with
> the web tool" instead of the command-line tool.
>
> Davide Ungari, Founder
> www.billdrawer.com | davide at billdrawer.com
> Milan, IT
>
> ------------------------------
>
> Message: 2
> Date: Tue, 4 Mar 2014 13:15:31 -0600
> From: Dean Peterson <peterson.dean at gmail.com>
> Subject: [keycloak-user] How to access realms/{realm}/users/{user}
>         with    Application
> To: keycloak-user at lists.jboss.org
> Message-ID:
>         <CAFGzvPkrgJtAq=
> 6jAJOsa9x8cw4Boo3PEO3nDEPAz8eSUa6AOg at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
> I am trying to find the best way to access the UsersResource.java Rest
> services outside the keycloak admin application to get a user's
> information.  How do I make a request using just the client's credentials?
>
> I currently use something like this but I get a 401 because I am using a
> user's oauth token and they only have user privileges:
> SkeletonKeySession session = (SkeletonKeySession) request
>         .getAttribute(SkeletonKeySession.class.getName());
> // HostnameVerificationPolicy.ANY: the server certificate's hostname is not checked
> ResteasyClient client = new ResteasyClientBuilder()
>         .trustStore(session.getMetadata().getTruststore())
>         .hostnameVerification(
>                 ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>         .build();
>
> String username = request.getRemoteUser();
>
> Profile profile = null;
>
> try {
>     Response response = client
>             .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
>             .path(username)
>             .request()
>             .header(HttpHeaders.AUTHORIZATION,
>                     "Bearer " + session.getTokenString()).get();
>
>     // Get the existing entry if there is one. Otherwise, just return
>     // the regular entity retrieved from the remote system.
>     try {
>         profile = profileRepository
>                 .findByRegistrationId(member.getId());
>     } catch (NoResultException e) {
>         // ignore
>     }
> } finally {
>     client.close();
> }
>
> Is there a way for the application to make a request directly as an admin
> without giving the user admin privileges?
>
> ------------------------------
>
> Message: 3
> Date: Tue, 04 Mar 2014 15:46:04 -0500
> From: Bill Burke <bburke at redhat.com>
> Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
>         with Application
> To: keycloak-user at lists.jboss.org
> Message-ID: <53163B8C.3060605 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
>
> On 3/4/2014 2:15 PM, Dean Peterson wrote:
> > Hello,
> >
> > I am trying to find the best way to access the UsersResource.java Rest
> > services outside the keycloak admin application to get a user's
> > information.  How do I make a request using just the client's
> > credentials?
> >
>
> You just want basic information right?  name, email, etc.?  Next release
> (March 13th) we'll have OpenID Connect support.  SkeletonKeySession
> (renamed to KeycloakSecurityContext) will have a reference to an IDToken
> which can be populated with various user information (claims).  Allowed
> claims are specified per application/oauth client.
>
> You can build and use this right now.  View the
> preconfigured/customer-portal examples to see how it's being done right
>
> If you don't want to build/run from master you can do a POST to
> /auth/rest/realms/keycloak-admin/tokens/grants/access
>
> URL form encoded parameters of:
>
> username=admin
> password=admin-password
>
> This will return an access token which you can use to invoke on the
> admin REST API.  *NOTE* we're changing this particular REST API next
> release too :(
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 5 Mar 2014 04:09:35 -0500 (EST)
> From: Stian Thorgersen <stian at redhat.com>
> Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
>         with    Application
> To: Dean Peterson <peterson.dean at gmail.com>
> Cc: keycloak-user at lists.jboss.org
> Message-ID:
>         <1739218212.20951754.1394010575408.JavaMail.zimbra at redhat.com>
> Content-Type: text/plain; charset=utf-8
>
> There's also a Keycloak specific mechanism for accessing the account of
> the user associated with the token.
>
> To do this open the scope mappings for your app/client, and select
> 'account' in the application roles, select 'view-profile' and click the
> right-arrow. This will allow your app/client to view the profile of the
> current user.
>
> Then you can make a request (with bearer token) to:
>
> /auth/rest/realms/myrealm/account
>
> In the future we'll add support to do all account specific things through
> these REST endpoints to support all operations provided by the account
> management application.
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 5 Mar 2014 14:28:53 -0600
> From: Dean Peterson <peterson.dean at gmail.com>
> Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
>         with    Application
> To: Stian Thorgersen <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Message-ID:
>         <CAFGzvPkYz5ZVwzJ+WmDoirWn=
> W3fW3kGV7GRvQxCCpeVC2ULAw at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thank you.  I tried what you said.  I am able to access that REST service on
> the Keycloak server but it returns an AccountService object.  Actually, I
> get a 406 error response on my end.  I think it is because I did not have
> the keycloak-services dependency in my application's pom.  However, when I
> add it and I try to start the server, I get the error: Could not find
> constructor for class: org.keycloak.services.resources.RealmsResource.
>  Should I make my own local version of AccountService and not add
> keycloak-services to my application?  What is the best approach?  Any ideas
> why I might be getting a 406 error?
>
> SkeletonKeySession session = (SkeletonKeySession) request
>         .getAttribute(SkeletonKeySession.class.getName());
> ResteasyClient client = new ResteasyClientBuilder()
>         .trustStore(session.getMetadata().getTruststore())
>         .hostnameVerification(
>                 ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>         .build();
>
> String username = request.getRemoteUser();
>
> Profile profile = null;
>
> try {
>     Response response = client
>             .target("http://server:8080/auth/rest/realms/myrealm/account")
>             .request()
>             .header(HttpHeaders.AUTHORIZATION,
>                     "Bearer " + session.getTokenString()).get();
>
> .
> .
> .
>
>
> ------------------------------
>
>
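
HTTP 406 (Not Acceptable) is the status for failed content negotiation on the `Accept` header, which is a different failure from the 401 returned when the bearer token is rejected. The following is an added example, not code from this thread or from Keycloak: it runs a constructed local stub in place of the account endpoint, and the stub's behaviour, the token, the profile body and the class name `AccountRequestDemo` are all assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
public class AccountRequestDemo {
    // Constructed values: stand-in token and profile body, not real Keycloak output.
    static final String TOKEN = "constructed-demo-token";
    static final String PROFILE = "{\"username\":\"demo-user\",\"email\":\"demo@example.invalid\"}";
    static final String PATH = "/auth/rest/realms/myrealm/account";

    // Stub with assumed behaviour: 401 when the bearer token is missing or wrong,
    // 406 when the Accept header does not allow application/json, 200 otherwise.
    static HttpServer startStub() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext(PATH, ex -> {
            String auth = ex.getRequestHeaders().getFirst("Authorization");
            String accept = ex.getRequestHeaders().getFirst("Accept");
            boolean json = accept != null
                    && (accept.contains("application/json") || accept.contains("*/*"));
            int status = !("Bearer " + TOKEN).equals(auth) ? 401 : !json ? 406 : 200;
            if (status == 401) ex.getResponseHeaders().add("WWW-Authenticate", "Bearer");
            if (status != 200) { ex.sendResponseHeaders(status, -1); ex.close(); return; }
            byte[] body = PROFILE.getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().add("Content-Type", "application/json");
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        return server;
    }
    // Sends one GET with the given token (may be null) and Accept value; returns the status code.
    static int get(HttpClient client, URI uri, String token, String accept) throws Exception {
        HttpRequest.Builder req = HttpRequest.newBuilder(uri).GET().header("Accept", accept);
        if (token != null) req.header("Authorization", "Bearer " + token);
        return client.send(req.build(), HttpResponse.BodyHandlers.ofString()).statusCode();
    }

    public static void main(String[] args) throws Exception {
        HttpServer stub = startStub();
        URI uri = URI.create("http://127.0.0.1:" + stub.getAddress().getPort() + PATH);
        HttpClient client = HttpClient.newHttpClient();
        System.out.println("no token:        " + get(client, uri, null, "application/json"));
        System.out.println("Accept text/xml: " + get(client, uri, TOKEN, "text/xml"));
        System.out.println("Accept JSON:     " + get(client, uri, TOKEN, "application/json"));
        stub.stop(0);
    }
}
```

It uses only JDK classes and can be started with `java AccountRequestDemo.java` on Java 11 or later.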