[keycloak-user] Can't set password when registering a user

Scott Finlay scott.finlay at sixt.com
Mon May 15 10:59:15 EDT 2017 

That's what we're doing already at the moment, but it's not really ideal. Having to make two requests to the admin API in order to register a user means the whole process takes twice as long (roughly 300ms). It's not an absolutely critical issue, but still not really nice, especially if we have to do a batch import from a legacy system for example.


If it's intentionally this way and there's no plan to change it then the documentation should be changed because it says you can provide a credential list (which you technically can, but that's very misleading).

________________________________
From: Marko Strukelj <mstrukel at redhat.com>
Sent: Monday, May 15, 2017 4:50:12 PM
To: Scott Finlay
Cc: Alex Berg; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Can't set password when registering a user

You need to invoke resetPassword on UserResource, after creating a new user :

    https://github.com/keycloak/keycloak/blob/3.1.0.Final/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ApiUtil.java#L153-L159



On Mon, May 15, 2017 at 12:01 PM, Scott Finlay <scott.finlay at sixt.com<mailto:scott.finlay at sixt.com>> wrote:
Diving into the code, I see this, which seems to be the endpoint for creating a user:


https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L207

This then calls:
https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L244

That seems to just set the basic user data like name, email, enabled, etc. Then it sets the "required actions", and then the custom attributes. I see nothing regarding credentials there.


Is this just hidden away somewhere else, or is it just really missing from here?

________________________________
From: Scott Finlay
Sent: Monday, May 15, 2017 11:14:26 AM
To: Alex Berg
Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Can't set password when registering a user


Hmm, that request body doesn't look very different from my example. I've tried now removing the additional fields

I had and adding the few you have and I still get exactly the same outcome: when I try impersonating the user in

the Keycloak admin panel he has no password set (but he does when I explicitly call the reset-password endpoint).


Is there some setting/role/permission I'm missing maybe? I'm using version 2.5.5.Final.

________________________________
From: Alex Berg <chexxor at gmail.com<mailto:chexxor at gmail.com>>
Sent: Friday, May 12, 2017 6:09:59 PM
To: Scott Finlay
Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Can't set password when registering a user

I do something like that, and it works for me.

The content of my XHR is JSON of this:

              { credentials : [
                { type: "password"
                , temporary: false
                , value: regBody.password
                }
              ]
              , email: regBody.email
              , username: regBody.email
              , emailVerified: false
              , enabled: true
              , requiredActions: [ "VERIFY_EMAIL" ]
              }

The created user's ID is available on the "location" response header.

On Fri, May 12, 2017 at 2:27 AM, Scott Finlay <scott.finlay at sixt.com<mailto:scott.finlay at sixt.com><mailto:scott.finlay at sixt.com<mailto:scott.finlay at sixt.com>>> wrote:
Hi,

According to the Keycloak admin API documentation:
http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_create_a_new_user
-> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_userrepresentation
-> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_credentialrepresentation

We should be able to provide credentials when creating a new user, but when I provide credentials it doesn't seem to set the password for the new user. Here is what my request looks like:

POST /auth/admin/realms/myrealm/users/
{"enabled":true,"username":"blah at blop.com<mailto:blah at blop.com><mailto:blah at blop.com<mailto:blah at blop.com>>","email":"blah at blop.com<mailto:blah at blop.com><mailto:blah at blop.com<mailto:blah at blop.com>>","firstName":"Blah","lastName":"Blop","attributes":{"userId":["1234"]},"credentials":[{"type":"password","temporary":false,"value":"secr$tP4ssword"}]}

Just as an experiment, I tried passing a single "credential" instead of an array of credentials and I got this error back:

internal server error;KeyCloak HTTP Error Response [400]: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 264472bc; line: 1, column: 156] (through reference chain: org.keycloak.representations.idm.UserRepresentation["credentials"])

So clearly Keycloak is actually parsing this field. Am I doing something wrong with this request or is the documentation wrong?

Right now what we've been doing to get around this is registering the user and then doing a reset password request after, but this makes the request to our service take twice as long. It would be great if we could reduce this to a single request.

Regards,
Scott

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list