[keycloak-user] Create client in master realm with API
Christian Bauer
mail at christianbauer.name
Mon Feb 22 10:21:44 EST 2016
Hi Bill, long time no see. Seems like we are both stuck with this Java thing. :)
I'm authenticating with the admin user/password which I've set as env variables when starting Docker container. Nothing else was changed on the default install. This is the access token:
{
  "jti": "285d19a2-8ae3-4e0e-b05f-454d04c7812c",
  "exp": 1.456140094E9,
  "nbf": 0,
  "iat": 1.456140034E9,
  "iss": "http://192.168.99.100:8082/auth/realms/master",
  "aud": "admin-cli",
  "sub": "1219f695-bf7a-4496-a021-52586de58ed5",
  "typ": "Bearer",
  "azp": "admin-cli",
  "session_state": "22d4dc19-e755-4ce0-9508-66ffad608215",
  "client_session": "97f937f9-9fce-4441-9684-46d5daa262ce",
  "allowed-origins": [
  ],
  "realm_access": {
    "roles": [
      "create-realm",
      "admin"
    ]
  },
  "resource_access": {
    "master-realm": {
      "roles": [
        "view-identity-providers",
        "manage-events",
        "view-realm",
        "manage-realm",
        "manage-identity-providers",
        "impersonation",
        "view-events",
        "create-client",
        "manage-users",
        "view-users",
        "view-clients",
        "manage-clients"
      ]
    }
  },
  "name": "",
  "preferred_username": "admin"
}
That looks like it should give me superuser access. But POSTing with that token on "/auth/realms/master/clients/default" is Forbidden, because ClientRegistrationAuth.java checks for "realm-management" resource claims and not "master-realm":
Map<String, List<String>> realmManagement = resourceAccess.get(Constants.REALM_MANAGEMENT_CLIENT_ID);
if (realmManagement == null) {
    return false;
}
As I said, I might be doing something wrong but I don't know where else to look. I haven't figured out yet how the user/roles/client etc. mappings work.
> On 22.02.2016, at 16:10, keycloak-user-request at lists.jboss.org wrote:
>
> What do you mean when you say you have "super user" roles?
>
> * Your user is in the master realm?
> * Which exact roles are assigned to this user?
>
> BTW, is this THE Christian Bauer of Hibernate fame? If so, how's life?
>
> On 2/22/2016 9:02 AM, Christian Bauer wrote:
>> Hi
>>
>> I'm trying to implement a multi-tenant system that should use Keycloak, from its Docker image. I'd like to use the Keycloak admin API from another container. My first goal is to create a new client in the master realm for my tenant administration app, then create realms for each tenant, etc.
>>
>> To do this I'm using the admin-cli client in the master realm with public direct grant authentication, and I can get an authentication token with superuser roles for the admin user.
>>
>> Next I tried to POST /auth/realms/master/clients/default with a client representation and the admin-cli bearer token. This is forbidden, because though I have superuser roles, I don't have the Constants.REALM_MANAGEMENT_CLIENT_ID resource roles required in ClientRegistrationAuth:177.
>>
>> I'm not sure I'm doing this right. The console web UI probably has the same roles if I'm logged in as admin and it's able to create users.
>>
>> I guess I could step further through the code to find the difference. Other options I've considered:
>>
>> - Don't create a new client in the master realm and continue using the admin-cli client for superuser tasks.
>>
>> - Adjust the Docker image bootstrap so it exports the initial database, then manipulate the exported files with some JSON transformer, then import again.
>>
>> - Hack the themes/Angular frontend of the security-admin-console and use this to implement my tenant/user administration app.
>>
>> Thoughts?
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
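An added example (not code from this thread or from Keycloak) that replays the ClientRegistrationAuth check in Python against the claims quoted above: the fixed "realm-management" lookup returns false for the master-realm token, while keying the lookup on the realm's own management client succeeds. It assumes, as the token suggests, that the master realm keeps its admin roles on a client named "master-realm" and that other realms use "realm-management".

```python
import json

# Constructed claims, abridged from the access token quoted in the mail above.
TOKEN_CLAIMS = json.loads("""
{
  "iss": "http://192.168.99.100:8082/auth/realms/master",
  "azp": "admin-cli",
  "realm_access": {"roles": ["create-realm", "admin"]},
  "resource_access": {
    "master-realm": {"roles": ["view-identity-providers", "manage-events",
      "view-realm", "manage-realm", "manage-identity-providers", "impersonation",
      "view-events", "create-client", "manage-users", "view-users",
      "view-clients", "manage-clients"]}
  },
  "preferred_username": "admin"
}
""")

# Value of Keycloak's Constants.REALM_MANAGEMENT_CLIENT_ID.
REALM_MANAGEMENT_CLIENT_ID = "realm-management"


def has_client_role(claims, client_id, role):
    """True if the token carries `role` under resource_access[client_id]."""
    client = claims.get("resource_access", {}).get(client_id)
    if client is None:          # same early return as the Java snippet
        return False
    return role in client.get("roles", [])


def realm_from_issuer(iss):
    """Keycloak issuer URLs end in /realms/<realm>; extract <realm>."""
    return iss.rstrip("/").rsplit("/realms/", 1)[1]


def management_client_id(realm):
    # Assumption drawn from the token above: the master realm keeps its admin
    # roles on a client named "master-realm"; other realms use "realm-management".
    return "master-realm" if realm == "master" else REALM_MANAGEMENT_CLIENT_ID


def literal_check(claims, role="create-client"):
    """Mirrors ClientRegistrationAuth: fixed lookup of "realm-management"."""
    return has_client_role(claims, REALM_MANAGEMENT_CLIENT_ID, role)


def realm_aware_check(claims, role="create-client"):
    """Same check, keyed on the management client of the token's realm."""
    realm = realm_from_issuer(claims["iss"])
    return has_client_role(claims, management_client_id(realm), role)
```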