[keycloak-user] Fwd: Trying to create a user in a realm I get 405 response

Jorge Morales Pou jmorales at redhat.com
Thu Jul 5 13:52:36 EDT 2018


Hi,
I'm deploying Che on OpenShift and I was trying to pre-create some users in
Keycloak.
This Che and Keycloak are deployed using Ansible, and so far so good. I'm
using the templates from github.com/eclipse/che.

This deployment comes preconfigured with a che realm as well as the ability
to change the master realm admin's username and password, which I do, for
security reasons, but the che realm doesn't allow me to change the
username/password for the admin, so those default to admin/admin (as of
now).

The problem comes when I try to create a user via REST.

I have the following 2 ansible tasks (they are easily understood):

- name: get auth token from keycloak
  uri:
    url: http://keycloak-{{ project_name }}.{{ apps_hostname_suffix }}/auth/realms/che/protocol/openid-connect/token
    method: POST
    body: "username=admin&password=admin&grant_type=password&client_id=admin-cli"
    status_code: 200
    headers:
      Content-Type: "application/x-www-form-urlencoded"
  register: access_token_result

- set_fact:
    access_token_bearer: "{{ access_token_result.json | json_query('access_token') }}"

- name: Pre-create {{ che_generate_user_count }} users in che realm with format ({{ che_generate_user_format }})
  uri:
    url: http://che-{{ project_name }}.{{ apps_hostname_suffix }}/admin/realms/che/users
    method: POST
    body: "{{ lookup('template','che-user.json.j2') }}"
    body_format: json
    status_code: 204
    headers:
      Authorization: "Bearer {{ access_token_bearer }}"
  vars:
    username: "{{ item }}"
    first_name: "User"
    last_name: "{{ item }}"
    email: "{{ item }}@none.com"
    password: "{{ che_generate_user_password }}"
  with_sequence: start={{ che_generate_user_count|int if che_generate_user_count|int < 1 else 1}} end={{ che_generate_user_count }} format={{ che_generate_user_format }}
  when: che_generate_user_count|int > 0

And the che-user.json that I use for the request is this:
{
  "username": "{{ username }}",
  "enabled": "true",
  "firstName": "{{ first_name }}",
  "lastName": "{{ last_name }}",
  "email": "{{ email }}",
  "credentials": [
    {
      "type": "password",
      "value": "{{ password }}"
    }
  ]
}


Everything looks perfectly configured on my end, and I've tried using curl,
as seen in much of the documentation, to troubleshoot, but with the same error.

I get a 405, POST method not allowed.

This is the verbose stack of the request, which has all the valuable info
(host-name is changed):

------------------------------------------------
failed: [localhost] (item=user1) => {
    "changed": false,
    "connection": "close",
    "content": "<!doctype html><html lang=\"en\"><head><title>HTTP Status
405 – Method Not Allowed</title><style type=\"text/css\">h1
{font-family:Tahoma,Arial,sans-serif;color:white;
background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,
sans-serif;color:white;background-color:#525D76;font-size:16px;} h3
{font-family:Tahoma,Arial,sans-serif;color:white;
background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,
sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,
sans-serif;color:white;background-color:#525D76;} p
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
a {color:black;} a.name {color:black;} .line {height:1px;background-color:#
525D76;border:none;}</style></head><body><h1>HTTP Status 405 – Method Not
Allowed</h1><hr class=\"line\" /><p><b>Type</b> Status
Report</p><p><b>Message</b> HTTP method POST is not supported by this
URL</p><p><b>Description</b> The method received in the request-line is
known by the origin server but not supported by the target resource.</p><hr
class=\"line\" /><h3>Apache Tomcat/8.5.23</h3></body></html>",
    "content_language": "en",
    "content_length": "1117",
    "content_type": "text/html;charset=utf-8",
    "date": "Thu, 05 Jul 2018 17:12:32 GMT",
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": {
                "credentials": [
                    {
                        "type": "password",
                        "value": "password"
                    }
                ],
                "email": "user1@none.com",
                "enabled": "true",
                "firstName": "User",
                "lastName": "user1",
                "username": "user1"
            },
            "body_format": "json",
            "client_cert": null,
            "client_key": null,
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "Authorization": "Bearer [access token removed]",
                "Content-Type": "application/json"
            },
            "http_agent": "ansible-httpget",
            "method": "POST",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "removes": null,
            "return_content": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "204"
            ],
            "timeout": 30,
            "unsafe_writes": null,
            "url": "http://che-starter-workshop-apb-test.apps.mydomain.com/auth/realms/che/users",
            "url_password": null,
            "url_username": null,
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "item": "user1",
    "msg": "Status code was 405 and not [204]: HTTP Error 405: ",
    "redirected": false,
    "set_cookie": "688655d95dc9dee6e6f6057ef3239223=5aac40b93e1fbe870f8d213baa7a4c7a; path=/; HttpOnly",
    "status": 405,
    "url": "http://che-starter-workshop-apb-test.apps.osevg.openshiftworkshop.com/auth/realms/che/users"
}
------------------------------------------------


Can anyone provide some insight into what I'm doing wrong? Is it the
request or is it the che realm configuration
<https://github.com/eclipse/che/blob/master/dockerfiles/init/modules/keycloak/templates/che-realm.json.erb>
or the client in the realm
<https://github.com/eclipse/che/blob/master/dockerfiles/init/modules/keycloak/templates/che-users-0.json.erb>
used to get the token?

Cheers,

*Jorge Morales*
Red Hat <https://www.openshift.com/>
OpenShift <https://www.openshift.com> Developer Advocate
http://jorgemoral.es/

| @jorgemoralespou <https://twitter.com/jorgemoralespou>
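
A pre-flight check for the two requests in the message above, added here as an example; it is not code from the original post or from the Keycloak or Che projects. It assumes the Admin REST API is served by the Keycloak host under /auth/admin/realms/<realm>/, as in Keycloak releases of that period; the function name, finding codes and sample host names are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the Admin REST API is served by the Keycloak host under
# /auth/admin/realms/<realm>/ (the layout of Keycloak releases from 2018).
ADMIN_PATH = re.compile(r"^/auth/admin/realms/[^/]+/")
# Tomcat-style error pages put the server banner in the last <h3> element.
BANNER = re.compile(r"<h3>([^<]+)</h3>\s*</body>")


def check_admin_request(token_url, admin_url, error_body=""):
    """Return findings that explain why an admin call may never reach Keycloak."""
    findings = []
    token, admin = urlsplit(token_url), urlsplit(admin_url)

    # The token issuer and the admin endpoint should be the same service.
    if token.hostname != admin.hostname:
        findings.append(("host-mismatch", f"token from {token.hostname}, "
                         f"request sent to {admin.hostname}"))
    if not ADMIN_PATH.match(admin.path):
        findings.append(("not-admin-path", admin.path))
    # Password grant and bearer token both travel in the clear over http.
    for name, url in (("token", token), ("admin", admin)):
        if url.scheme != "https":
            findings.append(("cleartext", f"{name} request uses {url.scheme}"))
    banner = BANNER.search(error_body)
    if banner:
        # Keycloak of that period shipped on WildFly, so a different banner
        # means another application answered the request.
        findings.append(("answered-by", banner.group(1)))
    return findings


# Constructed sample: host names and body trimmed from the failure shown above.
TOKEN_URL = ("http://keycloak-demo.apps.example.com"
             "/auth/realms/che/protocol/openid-connect/token")
ADMIN_URL = "http://che-demo.apps.example.com/auth/realms/che/users"
BODY = ("<html><body><h1>HTTP Status 405</h1>"
        "<h3>Apache Tomcat/8.5.23</h3></body></html>")

if __name__ == "__main__":
    for code, detail in check_admin_request(TOKEN_URL, ADMIN_URL, BODY):
        print(f"{code}: {detail}")
```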

