[keycloak-user] Multi tenant plus administration Rest api

Stephen More stephen.more at gmail.com
Sun Jul 12 09:32:33 EDT 2015


Everything seems to be working now. I have created a pull request:
https://github.com/keycloak/keycloak/pull/1445

Hopefully this will help someone else out in the future.
On Jul 11, 2015 7:33 AM, "Stephen More" <stephen.more at gmail.com> wrote:

> I added:
>    "realm-management": [ "realm-admin" ],
> to:
>    "clientRoles": {
>
> Now I am getting:
>     07:25:37,948 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default
> task-92) Failed executing GET /admin/realms/tenant1/roles:
> org.jboss.resteasy.spi.UnauthorizedException: Bearer
>         at
> org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152)
>         at
> org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:183)
>         at sun.reflect.GeneratedMethodAccessor339.invoke(Unknown Source)
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>
>
>
> On Wed, Jul 8, 2015 at 6:20 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
>> It looks like an authorization issue. Your user either doesn't have the
>> required roles or your client is missing scopes (which means that roles are
>> not propagated to the accessToken).
>>
>> To just view roles, you need the role "view-realm" of client
>> "realm-management".
>>
>> Marek
>>
>>
>> On 7.7.2015 18:46, Stephen More wrote:
>>
>> I have tried to add:
>>         org.keycloak.representations.IDToken idToken = principal.getKeycloakSecurityContext().getIdToken();
>>         org.keycloak.representations.AccessToken token = principal.getKeycloakSecurityContext().getToken();
>>
>>         writer.write("<br/>Access Token id: " + token.getId());
>>         writer.write("<br/>Access Token String: " + principal.getKeycloakSecurityContext().getTokenString());
>>         writer.write("<br/>ID Token id: " + idToken.getId());
>>         writer.write("<br/>ID Token String: " + principal.getKeycloakSecurityContext().getIdTokenString());
>>
>>         writer.write(String.format("<br/><a href=\"/multitenant/%s/logout\">Logout</a>", realm));
>>
>>         try
>>         {
>>                 java.net.URL url = new java.net.URL( "http://localhost:8080/auth/admin/realms/" + principal.getKeycloakSecurityContext().getRealm() + "/roles" );
>>                 java.net.HttpURLConnection conn = (java.net.HttpURLConnection)url.openConnection();
>>                 conn.setRequestMethod( "GET" );
>>                 conn.setRequestProperty("Authorization", "Bearer " + principal.getKeycloakSecurityContext().getTokenString());
>>                 java.io.BufferedReader in = new java.io.BufferedReader( new java.io.InputStreamReader( conn.getInputStream()));
>>                 String line;
>>                 while ((line = in.readLine()) != null)
>>                 {
>>                     writer.write( line );
>>                 }
>>                 in.close();
>>         }
>>         catch( Exception e )
>>         {
>>                 e.printStackTrace();
>>         }
>>
>> to
>> keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
>>
>> But I am getting an error:
>> 12:28:28,317 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-16) Failed executing GET /admin/realms/tenant1/roles: org.keycloak.services.ForbiddenException
>>
>>
>> In stepping through the AdminClient of the admin-access-app I have found
>> an example bearer token was 1157 characters long.
>>
>> principal.getKeycloakSecurityContext().getIdTokenString() turned out to
>> be 645 characters long.
>>
>> principal.getKeycloakSecurityContext().getTokenString() turned out to be
>> 865 characters long.
>>
>>
>> What is it that I am missing?
>>
>> On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke <bburke at redhat.com> wrote:
>>
>>> The access token should already be available.
>>>
>>> On 7/7/2015 10:01 AM, Stephen More wrote:
>>> > Or perhaps a better question would be: Once a user is already logged
>>> > into keycloak, how can an
>>> > org.keycloak.representations.AccessTokenResponse be obtained without providing a
>>> > password a second time?
>>> >
>>> > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More <stephen.more at gmail.com> wrote:
>>> >
>>> >     How could I extend the multi-tenant example (
>>> >     https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>>> >     ) to make a Rest admin api call back to keycloak using java?
>>> >
>>> >     I think this would be a helpful example in upcoming releases.
>>> >
>>> >     Thanks
>>> >
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>>
>>
>>
>>
>>
>>
>
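The thread boils down to two things: the admin endpoint `GET /admin/realms/{realm}/roles` is authorized against the client roles of `realm-management` that are carried inside the bearer token (Marek's "view-realm" remark), and the servlet already has that token via `KeycloakSecurityContext`. The following is an added example written for this summary; it is not the multi-tenant demo's code nor part of the pull request above. It assumes the same server URL as the posts (`http://localhost:8080/auth`), a `KeycloakSecurityContext` obtained by the servlet the way the demo does, and that `AccessToken.getResourceAccess(...)` / `Access.isUserInRole(...)` are available in the Keycloak representations jar in use (they are in current releases; treat that as an assumption for 1.3.1). The class name `RealmRolesClient` is invented here.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Added example (not from the Keycloak multi-tenant demo): call the admin REST API
 * with the caller's own access token, but first check that the token actually
 * carries the realm-management client role the endpoint requires.
 */
public final class RealmRolesClient {

    // Assumption: same auth server base URL as used in the thread.
    private static final String AUTH_SERVER = "http://localhost:8080/auth";
    private static final String MGMT_CLIENT = "realm-management";
    private static final String VIEW_ROLE = "view-realm";   // role named by Marek above

    private RealmRolesClient() {}

    /**
     * True when the token's "resource_access" claim lists view-realm under
     * realm-management. If this is false, the 403 (ForbiddenException) seen in
     * the thread is expected: the fix is a role mapping or client scope on the
     * Keycloak side, not a change to the HTTP call.
     */
    public static boolean canViewRealm(AccessToken token) {
        AccessToken.Access access = token.getResourceAccess(MGMT_CLIENT);
        return access != null && access.isUserInRole(VIEW_ROLE);
    }

    /**
     * Fetches the realm's roles as the raw JSON body returned by the admin API.
     * The access token string is used only as the Authorization header and is
     * never written back into the HTML response.
     */
    public static String fetchRealmRoles(KeycloakSecurityContext ctx) throws IOException {
        AccessToken token = ctx.getToken();
        if (!canViewRealm(token)) {
            throw new IllegalStateException("access token for realm " + ctx.getRealm()
                    + " lacks client role " + MGMT_CLIENT + ":" + VIEW_ROLE
                    + "; check the user's role mappings and the client's scope");
        }

        URL url = new URL(AUTH_SERVER + "/admin/realms/" + ctx.getRealm() + "/roles");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Accept", "application/json");
        conn.setRequestProperty("Authorization", "Bearer " + ctx.getTokenString());

        // Read the status before the body: on 401/403 getInputStream() throws and the
        // caller would otherwise only see a generic IOException.
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("admin API returned HTTP " + status + " for " + url);
        }

        StringBuilder body = new StringBuilder();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) {
                body.append(line);
            }
        }
        return body.toString();
    }
}
```

In the servlet this replaces the inline `HttpURLConnection` block: `writer.write(RealmRolesClient.fetchRealmRoles(principal.getKeycloakSecurityContext()));`. The `canViewRealm` check is also a quick way to tell the two failures in the thread apart: a token that lacks the role gives the 403 from the first post, while a token that has the role but is still rejected with `UnauthorizedException: Bearer` points at how `AdminRoot` is validating the token rather than at role mappings.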

