[keycloak-user] Create realm from java admin client with access token vs username+password
Nhut Thai Le
ntle at castortech.com
Fri Mar 9 12:07:47 EST 2018
Thank you for your suggestion and the link. Since I am making a stand-alone
Java app to create realms dynamically, I'm using the Keycloak admin-client
and authz-client in my code. As suggested in the document, I set Access
Type to Confidential, turned on Service Account Enabled and assigned the
create-realm role to the service account of the admin-cli client in the master
realm.
My code is pretty straightforward:
import java.util.HashMap;
import java.util.Map;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;

String realmName = "Realm5";
// Client secret of the confidential admin-cli client in the master realm
Map<String, Object> adminCliSecret = new HashMap<String, Object>();
adminCliSecret.put("secret", "3b7122d9-1fe0-4417-9407-33818153c7fa");
Configuration adminClientConfig = new Configuration();
adminClientConfig.setAuthServerUrl("http://localhost:8180/auth");
adminClientConfig.setRealm("master");
adminClientConfig.setResource("admin-cli");
adminClientConfig.setCredentials(adminCliSecret);
AuthzClient authzClient = AuthzClient.create(adminClientConfig);
// Two-argument overload: the arguments are sent as username and password
String serviceAccountAccessToken = authzClient.obtainAccessToken("admin-cli",
        "3b7122d9-1fe0-4417-9407-33818153c7fa").getToken(); // GET 401 HERE
createNewRealm(realmName, serviceAccountAccessToken); // poster's own helper, not shown
I got a 401 when trying to get the access token; it seems like the AuthzClient
uses grant_type=password instead of client_credentials. However, there is no
method to set grant_type for the AuthzClient.
Is the AuthzClient not supposed to be used to get an access token for a Service
Account? If it's not, then is there another client I can use, or do I have to
issue the HTTP request manually?
Thai
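The client-credentials flow Marko describes, wired to the admin client, as an added example that is not code from this thread or from the Keycloak project: it builds the admin client with grant_type=client_credentials, so no username or password exists in the app, reads the admin-cli secret from an environment variable (KEYCLOAK_ADMIN_CLI_SECRET, an assumed name) instead of a string literal, and creates the realm with realms().create(). The server URL, master realm, admin-cli client and realm name are taken from the posted snippet; everything else is an assumption. For reference, the authz-client's no-argument obtainAccessToken() is the client-credentials variant, while the two-argument overload sends its arguments as a resource-owner username and password, which is why a client id and secret get a 401 there. A secret that has been pasted into a public list, as above, should be regenerated in the admin console.

```java
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RealmRepresentation;

/**
 * Creates a tenant realm using the admin-cli service account of the master realm.
 *
 * Assumptions (not from the original thread):
 *  - the client secret is supplied via the KEYCLOAK_ADMIN_CLI_SECRET variable;
 *  - the service-account user of admin-cli holds only the create-realm role
 *    (least privilege: it cannot read or modify other realms).
 */
public class ServiceAccountRealmCreator {

    private static final String SERVER_URL = "http://localhost:8180/auth";
    private static final String AUTH_REALM = "master";
    private static final String CLIENT_ID = "admin-cli";

    /** Admin client authenticated with grant_type=client_credentials. */
    static Keycloak serviceAccountClient(String clientSecret) {
        return KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm(AUTH_REALM)
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(CLIENT_ID)
                .clientSecret(clientSecret)
                .build();
    }

    /** Minimal representation of a new per-tenant realm. */
    static RealmRepresentation tenantRealm(String realmName) {
        RealmRepresentation realm = new RealmRepresentation();
        realm.setRealm(realmName);
        realm.setDisplayName("Tenant " + realmName);
        realm.setEnabled(true);
        return realm;
    }

    /**
     * POST /auth/admin/realms with the service-account bearer token.
     * A javax.ws.rs.WebApplicationException subclass is thrown on failure:
     * 403 if the service account lacks create-realm, 409 if the realm exists.
     */
    static void createRealm(Keycloak keycloak, String realmName) {
        keycloak.realms().create(tenantRealm(realmName));
    }

    public static void main(String[] args) {
        // Assumed variable name; keeps the secret out of the code repository.
        String secret = System.getenv("KEYCLOAK_ADMIN_CLI_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("KEYCLOAK_ADMIN_CLI_SECRET is not set");
        }
        String realmName = args.length > 0 ? args[0] : "Realm5";

        Keycloak keycloak = serviceAccountClient(secret);
        try {
            // The raw token, for code paths that want a bearer string rather
            // than the admin-client proxy (what the posted snippet tried to get).
            String token = keycloak.tokenManager().getAccessTokenString();
            System.out.println("obtained service-account token (" + token.length() + " chars)");

            createRealm(keycloak, realmName);
            System.out.println("created realm " + realmName);
        } finally {
            keycloak.close();
        }
    }
}
```

Run with `KEYCLOAK_ADMIN_CLI_SECRET=<secret> java ServiceAccountRealmCreator Realm5` with keycloak-admin-client and its RESTEasy dependencies on the classpath. The token manager refreshes the token on expiry, so the Keycloak instance can be kept for the lifetime of the app; if the newly created realm needs further setup (clients, roles), the same instance can continue with `keycloak.realm(realmName)` only if the service account also holds the corresponding realm-management roles, which is a deliberate widening of its privileges.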
On Fri, Mar 9, 2018 at 4:12 AM, Marko Strukelj <mstrukel at redhat.com> wrote:
> Sometimes you already have an access token - your java client may have a
> custom login mechanism for example that delegates username and password
> input in order to retrieve it interactively from the user. In that case the client
> doesn't even have to know about username and password - it only receives
> fresh access and refresh tokens for example. A concrete example is the
> Registration Client CLI which stores the tokens in a private file so it
> doesn't need to ask the user for username and password all the time, and can
> just use a still valid access token / refresh token.
>
> For your case you'll want to create a custom client configuration, protect
> it with clientId and client secret (or signed jwt), and enable the service
> account for that client.
>
> See: http://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts
>
>
>
> On Wed, Mar 7, 2018 at 8:31 PM, Nhut Thai Le <ntle at castortech.com> wrote:
>
>> Hello,
>>
>> In the admin client I see there is an overloaded method to create a Keycloak
>> instance using a token (Keycloak.getInstance(serverUrl, realm, clientId,
>> authToken)). Is this considered more secure than using the
>> username+password? If I'm using the access token in the method above,
>> I still need to make another call earlier with the username + password to
>> get the token; either way, the username + password will be in my code repo.
>>
>> I think I can create an account in the master realm with the role create-realm;
>> can I use that as a service account, or is there an existing service account
>> somewhere in the master realm?
>>
>> I'm trying to integrate Keycloak into my multitenancy application where each
>> client has his own realm to configure his security. My application needs to
>> create the realm when the client registers with my app.
>>
>> Thai
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>