[keycloak-user] Multi tenant plus administration Rest api
Stephen More
stephen.more at gmail.com
Sun Jul 12 09:32:33 EDT 2015
Everything seems to be working now. I have created a pull request:
https://github.com/keycloak/keycloak/pull/1445
Hopefully this will help someone else out in the future.
On Jul 11, 2015 7:33 AM, "Stephen More" <stephen.more at gmail.com> wrote:
> I added:
> "realm-management": [ "realm-admin" ],
> to:
> "clientRoles": {
>
> Now I am getting:
> 07:25:37,948 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-92) Failed executing GET /admin/realms/tenant1/roles:
> org.jboss.resteasy.spi.UnauthorizedException: Bearer
>     at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152)
>     at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:183)
>     at sun.reflect.GeneratedMethodAccessor339.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>
>
>
> On Wed, Jul 8, 2015 at 6:20 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
>> It looks like authorization issue. Your user either doesn't have
>> required roles or your client is missing scopes (which means that roles are
>> not propagated to accessToken).
>>
>> To just view roles, you need role "view-realm" of client
>> "realm-management" .
>>
>> Marek
>>
>>
>> On 7.7.2015 18:46, Stephen More wrote:
>>
>> I have tried to add:
>> org.keycloak.representations.IDToken idToken =
>>     principal.getKeycloakSecurityContext().getIdToken();
>> org.keycloak.representations.AccessToken token =
>>     principal.getKeycloakSecurityContext().getToken();
>>
>> writer.write("<br/>Access Token id: " + token.getId());
>> writer.write("<br/>Access Token String: " +
>>     principal.getKeycloakSecurityContext().getTokenString());
>> writer.write("<br/>ID Token id: " + idToken.getId());
>> writer.write("<br/>ID Token String: " +
>>     principal.getKeycloakSecurityContext().getIdTokenString());
>>
>> writer.write(String.format("<br/><a href=\"/multitenant/%s/logout\">Logout</a>", realm));
>>
>> try
>> {
>>     java.net.URL url = new java.net.URL("http://localhost:8080/auth/admin/realms/" +
>>         principal.getKeycloakSecurityContext().getRealm() + "/roles");
>>     java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url.openConnection();
>>     conn.setRequestMethod("GET");
>>     conn.setRequestProperty("Authorization", "Bearer " +
>>         principal.getKeycloakSecurityContext().getTokenString());
>>     java.io.BufferedReader in = new java.io.BufferedReader(
>>         new java.io.InputStreamReader(conn.getInputStream()));
>>     String line;
>>     while ((line = in.readLine()) != null)
>>     {
>>         writer.write(line);
>>     }
>>     in.close();
>> }
>> catch (Exception e)
>> {
>>     e.printStackTrace();
>> }
>>
>> to
>> keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
>>
>> But I am getting an error:
>> 12:28:28,317 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-16) Failed executing GET /admin/realms/tenant1/roles:
>> org.keycloak.services.ForbiddenException
>>
>>
>> In stepping through the AdminClient of the admin-access-app I have found
>> an example bearer token was 1157 characters long.
>>
>> principal.getKeycloakSecurityContext().getIdTokenString() turned out to
>> be 645 characters long.
>>
>> principal.getKeycloakSecurityContext().getTokenString() turned out to be
>> 865 characters long.
>>
>>
>> What is it that I am missing ?
>>
>> On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke <bburke at redhat.com> wrote:
>>
>>> The access token should already be available.
>>>
>>> On 7/7/2015 10:01 AM, Stephen More wrote:
>>> > Or perhaps a better question would be: Once a user is already logged
>>> > into keycloak, how can a
>>> > org.keycloak.representations.AccessTokenResponse without providing a
>>> > password a second time ?
>>> >
>>> > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More <stephen.more at gmail.com
>>> > <mailto:stephen.more at gmail.com>> wrote:
>>> >
>>> > How could I extend the multi-tenant example (
>>> > https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>>> > ) to make a Rest admin api call back to keycloak using java ?
>>> >
>>> > I think this would be a helpful example in upcoming releases.
>>> >
>>> > Thanks
>>> >
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>
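A diagnostic for Marek's point above (the user lacks the realm-management role, or the client's scope does not propagate it into the access token), written as an added example rather than code from the thread or from Keycloak: it decodes the claims of the token string the servlet already holds and reports whether the realm-management roles needed for GET /admin/realms/{realm}/roles are present. The sample tokens are constructed inline and unsigned; the claim and role names (resource_access, realm-management, view-realm, realm-admin) are Keycloak's own.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a three-segment JWT with an empty signature (constructed test
    input only; a real Keycloak token is RS256-signed)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_payload(token_string: str) -> dict:
    """Decode the claims segment WITHOUT verifying the signature. Enough for
    seeing which roles the token carries; never use it for authorization."""
    parts = token_string.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))


def realm_management_roles(token_string: str) -> set:
    """Client roles of the 'realm-management' client carried in the token.
    Keycloak places client roles under the resource_access claim."""
    claims = decode_payload(token_string)
    client = claims.get("resource_access", {}).get("realm-management", {})
    return set(client.get("roles", []))


def can_list_realm_roles(token_string: str) -> bool:
    """GET /admin/realms/{realm}/roles needs view-realm (Marek's reply);
    realm-admin, the composite added later in the thread, also suffices."""
    return bool(realm_management_roles(token_string) & {"view-realm", "realm-admin"})


# Constructed samples: a token that carries view-realm, and one that only has
# the default account roles (the shape behind the ForbiddenException above).
SAMPLE_OK = make_unsigned_token({
    "iss": "http://localhost:8080/auth/realms/tenant1",
    "resource_access": {"realm-management": {"roles": ["view-realm"]}},
})
SAMPLE_MISSING = make_unsigned_token({
    "iss": "http://localhost:8080/auth/realms/tenant1",
    "resource_access": {"account": {"roles": ["view-profile"]}},
})
```

If a real token from getTokenString() decodes with an empty set here, the fix is on the Keycloak side (assign the role, or add realm-management to the client's scope), not in the servlet.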