[keycloak-user] get users from postman

Luca Stancapiano luca.stancapiano at vige.it
Thu Dec 6 08:10:58 EST 2018


I'm trying to retrieve the list of users over REST from Postman, using a GET request to this path: http://localhost:8180/auth/admin/realms/school-domain/users

Here is my Keycloak configuration, in which I create 2 users, 4 roles, a 'school' client and a 'school-domain' realm:

{
	"realm": "school-domain",
	"enabled": true,
	"accessTokenLifespan": 60,
	"accessCodeLifespan": 60,
	"accessCodeLifespanUserAction": 300,
	"ssoSessionIdleTimeout": 600,
	"ssoSessionMaxLifespan": 36000,
	"sslRequired": "external",
	"registrationAllowed": true,
	"resetPasswordAllowed": true,
	"editUsernameAllowed": true,
	"loginWithEmailAllowed": false,
	"duplicateEmailsAllowed": true,
	"privateKey": "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",
	"publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
	"requiredCredentials": [
		"password"
	],
	"users": [
		{
			"username": "root",
			"enabled": true,
			"email": "lsflashboss62 at gmail.com",
			"credentials": [
				{
					"type": "password",
					"value": "gtn"
				}
			],
			"realmRoles": [
				"admin"
			],
			"clientRoles": {
				"account": [
					"manage-account"
				]
			}
		},
		{
			"username": "HUHUJJJKJJKN",
			"enabled": true,
			"email": "luca.stancapiano at vige.it",
			"firstName": "Luca",
			"lastName": "Stancapiano",
			"credentials": [
				{
					"type": "password",
					"value": "gtn"
				}
			],
			"realmRoles": [
				"pupil"
			],
			"clientRoles": {
				"account": [
					"manage-account"
				]
			}
		}
	],
	"clients": [
		{
			"clientId": "school",
			"rootUrl": "http://localhost:8080/school",
			"enabled": true,
			"redirectUris": [
				"http://localhost:8080/school/*"
			],
			"webOrigins": [
				"http://localhost:8080"
			],
			"publicClient": false,
			"secret": "bce5816d-98c4-404f-a18d-bcc5cb005c79",
			"serviceAccountsEnabled": true,
			"authorizationServicesEnabled": true,
			"authorizationSettings": {
				"allowRemoteResourceManagement": true,
				"policyEnforcementMode": "ENFORCING",
				"resources": [
					{
						"name": "Default Resource",
						"type": "urn:school:resources:default",
						"ownerManagedAccess": false,
						"attributes": {
							
						},
						"_id": "c338b2be-da73-471c-9bb0-77ad52e1f88f",
						"uris": [
							"/*"
						]
					}
				],
				"policies": [
					{
						"id": "edb01393-180e-4d95-afd3-92b3ac5a6d41",
						"name": "Default Policy",
						"description": "A policy that grants access only for users within this realm",
						"type": "js",
						"logic": "POSITIVE",
						"decisionStrategy": "AFFIRMATIVE",
						"config": {
							"code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
						}
					},
					{
						"id": "1f5dce97-54e3-4dcf-92bd-a2a59120286f",
						"name": "Default Permission",
						"description": "A permission that applies to the default resource type",
						"type": "resource",
						"logic": "POSITIVE",
						"decisionStrategy": "UNANIMOUS",
						"config": {
							"defaultResourceType": "urn:school:resources:default",
							"applyPolicies": "[\"Default Policy\"]"
						}
					}
				],
				"scopes": []
			}
		}
	],
	"roles": {
		"realm": [
			{
				"name": "admin",
				"description": "Administrator privileges"
			},
			{
				"name": "schooloperator",
				"description": "School Operator privileges"
			},
			{
				"name": "teacher",
				"description": "Teacher privileges"
			},
			{
				"name": "pupil",
				"description": "Pupil privileges"
			}
		]
	}
}

Keycloak runs on port 8180. I configured Postman with OAuth 2.0. Here is the OAuth configuration used to obtain the token:

Token Name: Token Name
Grant Type: Authorization Code
Callback URL: http://localhost:8080/school
Auth URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/auth
Access Token URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/token
Client ID: school
Client Secret: bce5816d-98c4-404f-a18d-bcc5cb005c79
Client Authentication: Send as Basic Auth header

The Callback URL points to a simple web app that is running on port 8080. The token is created successfully, but when I call the server with that token I get a 401 Unauthorized error. What am I missing?

