[keycloak-user] REST API client allowRemoteResourceManagement
Pedro Igor Silva
psilva at redhat.com
Thu Mar 9 07:13:45 EST 2017
Now I see. The "authorizationSettings" is not used at all when
creating/updating a client. The reason for that is that we tried to decouple
authz functionality from the rest as much as we could when we introduced it.
To change authz settings you need a call to
https://keycloak.fin.uniquedomain/auth/auth/admin/realms/servlet-authz/clients/{client_id}/authz/resource-server
(maybe you can check how the admin console is doing this).
You can also use the Keycloak Admin Client Java API to import settings for
a client.
On Thu, Mar 9, 2017 at 8:55 AM, Sven Thoms <sven.thoms at gmail.com> wrote:
> curl -X POST \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d "client_id=admin-cli&username=admin&password=xxx&grant_type=password" \
> https://keycloak.fin.uniquedomain/auth/realms/master/protocol/openid-connect/token | jq
>
> I am using the access_token as bearer token in the ADMIN REST interface:
>
> curl -v -X POST \
> -H "Content-Type:application/json" \
> -H 'Authorization: bearer xxxxx' \
> -d '{
> "clientId": "test_client",
> "name": "test_client",
> "rootUrl": "",
> "adminUrl": "",
> "surrogateAuthRequired": false,
> "enabled": true,
> "clientAuthenticatorType": "client-secret",
> "redirectUris": [
> "/*"
> ],
> "webOrigins": [
> "/*"
> ],
> "notBefore": 0,
> "bearerOnly": false,
> "consentRequired": false,
> "standardFlowEnabled": true,
> "implicitFlowEnabled": false,
> "directAccessGrantsEnabled": true,
> "serviceAccountsEnabled": true,
> "authorizationServicesEnabled": true,
> "publicClient": false,
> "frontchannelLogout": false,
> "protocol": "openid-connect",
> "fullScopeAllowed": true,
> "authorizationSettings":
> {
> "allowRemoteResourceManagement": true,
> "policyEnforcementMode": "ENFORCING",
> "resources": [
> {
> "name": "Default Resource",
> "uri": "/*",
> "type": "urn:test_client:resources:default",
> "typedScopes": []
> }
> ],
> "policies": [
> {
> "name": "Default Policy",
> "description": "A policy that grants access only for users within this realm",
> "type": "js",
> "logic": "POSITIVE",
> "decisionStrategy": "AFFIRMATIVE",
> "config": {
> "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
> }
> },
> {
> "name": "Default Permission",
> "description": "A permission that applies to the default resource type",
> "type": "resource",
> "logic": "POSITIVE",
> "decisionStrategy": "UNANIMOUS",
> "config": {
> "defaultResourceType": "urn:test_client:resources:default",
> "default": "true",
> "applyPolicies": "[\"Default Policy\"]"
> }
> }
> ],
> "scopes": []
> }
> }' \
> https://keycloak.fin.uniquedomain/auth/admin/realms/myrealm/clients
>
> The client is added correctly, and it is now a resource with the authZ
> resources and permissions, but under Authorization - Settings, Remote
> Resource Management is still off.
>
>
> On 09.03.2017 at 12:49 PM, "Pedro Igor Silva" <psilva at redhat.com> wrote:
>
> > What are you using to call the API ?
> >
> > On Thu, Mar 9, 2017 at 7:17 AM, Sven Thoms <sven.thoms at gmail.com> wrote:
> >
> >> Both on the POST and PUT for client, with authorizationservicesenabled set
> >> to true, I cannot set
> >>
> >> allowRemoteResourceManagement
> >>
> >> to true. It is as if the Admin REST interface just ignores that setting.
> >>
> >> Can anyone confirm and possibly explain, please?
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
>
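The separate call to the `authz/resource-server` endpoint that Pedro describes, as an added example (not code from the thread or from the Keycloak project): it reads the current settings, sets `allowRemoteResourceManagement`, writes them back, and re-reads to confirm the change took effect. The helper names, the use of `PUT`, and the lookup of the client's internal id through the `clientId` query parameter are assumptions about the Admin REST API; the host and ids in the demo are constructed.

```python
import json
import urllib.parse
import urllib.request


def http_json(method, url, token, body=None):
    """Send one Admin REST request; return the decoded JSON reply (None if empty)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def enable_remote_resource_management(base, realm, client_id, token, send=http_json):
    """Read-modify-write the authz settings of one client, then re-read to confirm."""
    q = urllib.parse.quote
    admin = "%s/admin/realms/%s" % (base.rstrip("/"), q(realm, safe=""))
    # Assumption: the path takes the client's internal id, looked up by clientId.
    found = send("GET", admin + "/clients?" + urllib.parse.urlencode({"clientId": client_id}), token)
    matches = [c for c in (found or []) if c.get("clientId") == client_id]
    if len(matches) != 1:
        raise LookupError("expected exactly one client with clientId %r" % client_id)
    url = "%s/clients/%s/authz/resource-server" % (admin, q(matches[0]["id"], safe=""))
    settings = send("GET", url, token)  # keeps policyEnforcementMode etc. unchanged
    settings["allowRemoteResourceManagement"] = True
    send("PUT", url, token, settings)   # assumption: the endpoint accepts PUT
    # Re-read instead of trusting the write: the thread's symptom was a silently ignored field.
    return send("GET", url, token).get("allowRemoteResourceManagement") is True


if __name__ == "__main__":
    # Constructed in-memory stand-in for the server so the demo runs offline.
    stored = {"allowRemoteResourceManagement": False, "policyEnforcementMode": "ENFORCING"}

    def fake_send(method, url, token, body=None):
        if "/clients?" in url:
            return [{"id": "constructed-internal-id", "clientId": "test_client"}]
        if method == "PUT":
            stored.update(body)
            return None
        return dict(stored)

    print(enable_remote_resource_management(
        "https://kc.example.test/auth", "myrealm", "test_client", "constructed-token", fake_send))
```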