[keycloak-user] REST API client allowRemoteResourceManagement
Sven Thoms
sven.thoms at gmail.com
Thu Mar 9 07:20:46 EST 2017
Hello Pedro
I see and get the general idea. I will try setting it via the endpoint you
mentioned. Should be ok. If not, I will get back to you here.
Thanks
Sven
On 09.03.2017 at 1:13 PM, "Pedro Igor Silva" <psilva at redhat.com> wrote:
> Now I see. The "authorizationSettings" is not used at all when
> creating/updating a client. The reason for that is that we tried to decouple
> authz functionality from the rest as much as we could when we introduced it.
>
> To change authz settings you need a call to
> https://keycloak.fin.uniquedomain/auth/auth/admin/realms/servlet-authz/clients/{client_id}/authz/resource-server
> (maybe you can check how admin console is doing this).
>
> You can also use the Keycloak Admin Client Java API to import settings for
> a client.
>
> On Thu, Mar 9, 2017 at 8:55 AM, Sven Thoms <sven.thoms at gmail.com> wrote:
>
>> curl -X POST \
>> -H "Content-Type: application/x-www-form-urlencoded" \
>> -d "client_id=admin-cli&username=admin&password=xxx&grant_type=password" \
>> https://keycloak.fin.uniquedomain/auth/realms/master/protocol/openid-connect/token \
>> | jq
>>
>> I am using the access_token as bearer token in the ADMIN REST interface:
>>
>> curl -v -X POST \
>> -H "Content-Type:application/json" \
>> -H 'Authorization: bearer xxxxx' \
>> -d '{
>> "clientId": "test_client",
>> "name": "test_client",
>> "rootUrl": "",
>> "adminUrl": "",
>> "surrogateAuthRequired": false,
>> "enabled": true,
>> "clientAuthenticatorType": "client-secret",
>> "redirectUris": [
>> "/*"
>> ],
>> "webOrigins": [
>> "/*"
>> ],
>> "notBefore": 0,
>> "bearerOnly": false,
>> "consentRequired": false,
>> "standardFlowEnabled": true,
>> "implicitFlowEnabled": false,
>> "directAccessGrantsEnabled": true,
>> "serviceAccountsEnabled": true,
>> "authorizationServicesEnabled": true,
>> "publicClient": false,
>> "frontchannelLogout": false,
>> "protocol": "openid-connect",
>> "fullScopeAllowed": true,
>> "authorizationSettings":
>> {
>> "allowRemoteResourceManagement": true,
>> "policyEnforcementMode": "ENFORCING",
>> "resources": [
>> {
>> "name": "Default Resource",
>> "uri": "/*",
>> "type": "urn:test_client:resources:default",
>> "typedScopes": []
>> }
>> ],
>> "policies": [
>> {
>> "name": "Default Policy",
>> "description": "A policy that grants access only for users within this realm",
>> "type": "js",
>> "logic": "POSITIVE",
>> "decisionStrategy": "AFFIRMATIVE",
>> "config": {
>> "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
>> }
>> },
>> {
>> "name": "Default Permission",
>> "description": "A permission that applies to the default resource type",
>> "type": "resource",
>> "logic": "POSITIVE",
>> "decisionStrategy": "UNANIMOUS",
>> "config": {
>> "defaultResourceType": "urn:test_client:resources:default",
>> "default": "true",
>> "applyPolicies": "[\"Default Policy\"]"
>> }
>> }
>> ],
>> "scopes": []
>> }
>> }' \
>> https://keycloak.fin.uniquedomain/auth/admin/realms/myrealm/clients
>>
>> The client is added correctly, and it is now a resource with the authZ
>> resources and permissions, but under Authorization - Settings, Remote
>> Resource Management is still off.
>>
>>
>> On 09.03.2017 at 12:49 PM, "Pedro Igor Silva" <psilva at redhat.com> wrote:
>>
>> > What are you using to call the API?
>> >
>> > On Thu, Mar 9, 2017 at 7:17 AM, Sven Thoms <sven.thoms at gmail.com> wrote:
>> >
>> >> Both on the POST and PUT for client, with authorizationservicesenabled set
>> >> to true, I cannot set
>> >>
>> >> allowRemoteResourceManagement
>> >>
>> >> to true. It is as if the Admin REST interface just ignores that setting.
>> >>
>> >> Can anyone confirm and possibly explain, please?
>> >> _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>
>> >
>> >
>>
>
>
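The two-step flow discussed in this thread, as an added example that is not part of the original messages or of Keycloak's own code: it strips "authorizationSettings" from the client body, builds the PUT for the authz/resource-server endpoint named in the reply, and reports any setting the server did not keep. Assumptions: the helper names are hypothetical, `client_uuid` is the client's internal id rather than its clientId, and only the two scalar settings from the posted payload are handled.

```python
import json
import urllib.request

# Scalar settings from the thread's "authorizationSettings" block (assumed scope).
AUTHZ_KEYS = ("allowRemoteResourceManagement", "policyEnforcementMode")

def split_client(rep):
    """Split a client representation into the client body and the authz
    settings that the reply says are not used on client create/update."""
    client = {k: v for k, v in rep.items() if k != "authorizationSettings"}
    wanted = rep.get("authorizationSettings") or {}
    return client, {k: wanted[k] for k in AUTHZ_KEYS if k in wanted}

def authz_url(base, realm, client_uuid):
    """Resource-server endpoint from the reply; client_uuid is an assumption
    (internal client id, looked up after the client has been created)."""
    return f"{base}/admin/realms/{realm}/clients/{client_uuid}/authz/resource-server"

def put_request(url, current, desired, token):
    """Read-modify-write: send back what GET returned, changing only desired keys."""
    body = json.dumps({**current, **desired}).encode()
    headers = {"Content-Type": "application/json", "Authorization": "Bearer " + token}
    return urllib.request.Request(url, data=body, headers=headers, method="PUT")

def drift(desired, actual):
    """Names of settings whose server-side value differs from the requested one."""
    return sorted(k for k in desired if actual.get(k) != desired[k])

def apply_settings(base, realm, client_uuid, desired, token):
    """GET current settings, PUT the merged body, GET again and return the drift."""
    url = authz_url(base, realm, client_uuid)
    get = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(get) as resp:
        current = json.load(resp)
    urllib.request.urlopen(put_request(url, current, desired, token)).close()
    with urllib.request.urlopen(get) as resp:
        return drift(desired, json.load(resp))

if __name__ == "__main__":
    # Constructed sample: the server still reports the setting as off.
    sample = {"clientId": "test_client",
              "authorizationSettings": {"allowRemoteResourceManagement": True}}
    _, want = split_client(sample)
    print(drift(want, {"allowRemoteResourceManagement": False}))
```

An empty list from `apply_settings` means the server reports the requested values; a non-empty list names the settings that were silently ignored.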