[keycloak-user] Create realm from java admin client with access token vs username+password

Fri Mar 9 14:11:51 EST 2018

The username, password in your example is the admin credential. How can I
use the service account to instantiate an AdminClient ?

Thai

On Fri, Mar 9, 2018 at 2:02 PM, Marko Strukelj <mstrukel at redhat.com> wrote:

> You're not using AdminClient API but AuthorizationClient API which is a
> different API.
>
> Using AdminClient API is as simple as:
>
> Keycloak keycloak = Keycloak.getInstance(
>         keycloakBaseUrl,
>         "master",
>         username,
>         password,
>         "admin-cli");
>
>
>
>
> On Fri, Mar 9, 2018 at 6:07 PM, Nhut Thai Le <ntle at castortech.com> wrote:
>
>> Thank you for your suggestion and the link. Since i am making a stand
>> alone java app to create realms dynamically, i'm using the Keycloak
>> admin-client and authz-client in my code. As suggested in the document, i
>> set Access Type to Confidential, turned on Service Account Enabled and
>> assign create-realm role to service account for admin-cli client in the
>> master realm.
>> My code is pretty straight forward:
>> String realmName = "Realm5";
>>
>>     Map<String, Object> adminCliSecret = new HashMap<String, Object>();
>>     adminCliSecret.put("secret", "3b7122d9-1fe0-4417-9407-33818153c7fa");
>>     Configuration adminClientConfig = new Configuration();
>>     adminClientConfig.setAuthServerUrl("http://localhost:8180/auth");
>>     adminClientConfig.setRealm("master");
>>     adminClientConfig.setResource("admin-cli");
>>     adminClientConfig.setCredentials(adminCliSecret);
>>
>>     AuthzClient authzClient = AuthzClient.create(adminClientConfig);
>>     String serviceAccountAccessToken = authzClient.obtainAccessToken("admin-cli",
>> "3b7122d9-1fe0-4417-9407-33818153c7fa").getToken(); //GET 401 HERE
>>     createNewRealm(realmName, serviceAccountAccessToken);
>>
>> I got 401 when trying to get the access token, seem like the AuthzClient
>> uses grant_type=password instead of client_credential. However, there is no
>> method to set grant_type for the AuthzClient.
>>
>> Is the AuthzClient not supposed to be used to get access token for Service
>> Account ? If it's not then is there other client i can use or i have to
>> issue http request manually ?
>>
>> Thai
>>
>> On Fri, Mar 9, 2018 at 4:12 AM, Marko Strukelj <mstrukel at redhat.com>
>> wrote:
>>
>>> Sometimes you already have an access token - your java client may have a
>>> custom login mechanism for example that delegates username and password
>>> input in order to retrieve it interactively from user. In that case client
>>> doesn't even have to know about username and password - it only receives
>>> fresh access and refresh tokens for example. A concrete example is
>>> Registration Client CLI which stores the tokens in a private file so it
>>> doesn't need to ask client for username and password all the time, and can
>>> just use a still valid access token / refresh token.
>>>
>>> For your case you'll want to create a custom client configuration,
>>> protect it with clientId and client secret (or signed jwt), and enable the
>>> service account for that client.
>>>
>>> See: http://www.keycloak.org/docs/latest/server_admin/index.html#
>>> _service_accounts
>>>
>>>
>>>
>>> On Wed, Mar 7, 2018 at 8:31 PM, Nhut Thai Le <ntle at castortech.com>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> In the admin client i see there is an overload method to create Keycloak
>>>> instance using a token, (Keycloak.getInstance(serverUrl, realm,
>>>> clientId,
>>>> authToken)), is this considered more secure than using the
>>>> username+password since if i'm using the access token in the method
>>>> above,
>>>> i still need to make another call earlier with the username + password
>>>> to
>>>> get the token, either way, the username +password will be in my code
>>>> repo.
>>>>
>>>> I think i can create an account in the master realm with role
>>>> create-realm,
>>>> can I use that as a service account or there is an existing service
>>>> account
>>>> somewhere in the master realm?
>>>>
>>>> I'm trying to integrate keycloak to my multitenancy application where
>>>> each
>>>> client has his own realm to config his security. My application need to
>>>> create the realm when the client register to my app.
>>>>
>>>> Thai
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>

-- 
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is
confidential and may be proprietary information intended only for the use
of the individual or entity to whom it is addressed. If the reader of this
message is not the intended recipient, you are hereby notified that any
viewing, dissemination, distribution, disclosure, copy or use of the
information contained in this e-mail message is strictly prohibited. If you
have received and/or are viewing this e-mail in error, please immediately
notify the sender by reply e-mail, and delete it from your system without
reading, forwarding, copying or saving in any manner. Thank you.
AVIS DE CONFIDENTIALITE: L’information contenue dans ce message est
confidentiel, peut être protégé par le secret professionnel et est réservé
à l'usage exclusif du destinataire. Toute autre personne est par les
présentes avisée qu'il lui est strictement interdit de diffuser, distribuer
ou reproduire ce message. Si vous avez reçu cette communication par erreur,
veuillez la détruire immédiatement et en aviser l'expéditeur. Merci.