[keycloak-user] Create initial access token from command line

Dmitry Telegin dt at acutus.pro
Fri Jan 18 00:10:22 EST 2019


Hello Puneeth,

The process is two-step: first you need to obtain an admin token (via the token endpoint), then use it against the clients-initial-access endpoint to create a token.

kcadm.sh can do that for you, but unfortunately it doesn't output the result, even with the --output option (bug?)

[user at localhost keycloak]$ bin/kcadm.sh create clients-initial-access -s count=1 -s expiration=60
Created new clients-initial-acces with id '0dfebcdd-35a9-4157-95e6-6d9eb5e887d8'

Luckily, you can still do it with curl:

# Step 1: obtain an admin access token from the realm token endpoint (password grant)
KEYCLOAK_URL=http://localhost:8080/auth
KEYCLOAK_REALM=master
KEYCLOAK_CLIENT=admin-cli
KEYCLOAK_USER=admin
KEYCLOAK_PASSWORD=admin

ACCESS_TOKEN=$(curl -s "$KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token" \
    -d client_id="$KEYCLOAK_CLIENT" \
    -d grant_type=password \
    -d username="$KEYCLOAK_USER" \
    -d password="$KEYCLOAK_PASSWORD" \
    | jq -r '.access_token')

# Step 2: create the initial access token against the admin REST API, using the bearer token
curl -s -H "Authorization: Bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/admin/realms/$KEYCLOAK_REALM/clients-initial-access" \
    -H "Content-Type: application/json" \
    -d '{ "count": 1, "expiration": 60 }' \
    | jq -r '.token'

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-16 at 17:13 +0530, Puneeth M I wrote:
> Hi,
> 
> I want to create an initial access token with expiration=60 seconds and
> count=1 from the command line using admin-cli through the kcadm.sh script or a curl
> command and share it with the clients so they can register (create clients) themselves
> at Keycloak. I am using the following curl command as per the Keycloak
> documentation but I am getting a 401 Unauthorized error. I am able to create an initial
> access token from the admin console but I don't want to expose it. Please let
> me know how to generate an InitialAccessToken from the CLI to register a
> client.
> 
> 
> 
> # curl -i -H 'Content-Type: application/json' -X
> POST http://<keycloak-IP>:<port>/auth/admin/realms/master/clients-initial-access
> <http://10.91.96.30:8665/auth/admin/realms/master/clients-initial-access> -d
> "client_id=admin-cli&grant_type=password&username=admin&password=admin"
> HTTP/1.1 401 Unauthorized
> Connection: keep-alive
> Content-Length: 0
> Date: Tue, 15 Jan 2019 09:16:07 GMT
> 
> 
> 
> I am able to register a client using the access token obtained from the below
> command but I cannot control it for the number of client registrations.
> 
> # curl -i -H 'Content-Type: application/x-www-form-urlencoded' -X
> POST http://<keycloak-ip>:<port>/auth/realms/master/protocol/openid-connect/token
> <http://10.91.96.30:8665/auth/realms/master/protocol/openid-connect/token> -d
> "client_id=admin-cli&grant_type=password&username=admin&password=admin"
> 
> HTTP/1.1 200 OK
> Connection: keep-alive
> Cache-Control: no-store
> Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10
> GMT; Max-Age=0; Path=/auth/realms/master/; HttpOnly
> Pragma: no-cache
> Content-Type: application/json
> Content-Length: 1848
> Date: Tue, 15 Jan 2019 06:37:47 GMT
> 
> {"access_token":"eyJhbGciOiJSUzI1NiIs....","expires_in":60,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOi.....","token_type":"bearer","not-before-policy":0,"session_state":"7af01cbb-f268-4263-bed2-c11a14008949","scope":"email
> profile"}
> 
> I am using Keycloak - Version *4.5.0* in standalone-HA mode.
> 
> Regards,
> Puneeth
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
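The two-step exchange described in the reply, written out as an added example (not code from the thread, from Dmitry, or from the Keycloak project): step 1 runs the password grant against the realm token endpoint to get an admin access token, step 2 posts the count/expiration JSON to the admin clients-initial-access endpoint with that token in an Authorization: Bearer header. The endpoint paths are the ones used in the thread; the fake_keycloak stand-in server, the token strings and the "constructed-id" value are constructed so the flow can be run offline, and the fake answers 401 to the admin endpoint whenever the Bearer header is missing or wrong, which is the situation in the original question (password-grant form fields sent to the admin endpoint with no bearer token).

```python
"""Two-step creation of a Keycloak client initial access token over HTTP.

Added example, not code from the mailing-list thread or from Keycloak.
Step 1: password grant at /realms/{realm}/protocol/openid-connect/token.
Step 2: POST {"count", "expiration"} to /admin/realms/{realm}/clients-initial-access
        with "Authorization: Bearer <admin access token>".
The fake server and token strings below are constructed for offline runs.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def get_admin_token(base_url, realm, client_id, username, password,
                    opener=urllib.request.urlopen):
    """Step 1: OAuth2 password grant; returns the access_token string."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({
        "client_id": client_id, "grant_type": "password",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        payload = json.loads(resp.read().decode())
    token = payload.get("access_token")
    if not token:  # jq -r '.access_token' would silently print "null" here
        raise RuntimeError(f"no access_token in token response: {payload}")
    return token


def create_initial_access_token(base_url, realm, admin_token, count=1,
                                expiration=60, opener=urllib.request.urlopen):
    """Step 2: create the initial access token; returns the parsed JSON object."""
    url = f"{base_url}/admin/realms/{realm}/clients-initial-access"
    body = json.dumps({"count": count, "expiration": expiration}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {admin_token}",
        "Content-Type": "application/json",
    })
    try:
        with opener(req) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            # The admin REST API is authenticated by the Bearer header only;
            # posting the password-grant form fields here yields exactly this.
            raise RuntimeError("401 from clients-initial-access: missing, "
                               "wrong or expired admin Bearer token") from exc
        raise


def run_flow(base_url, realm, client_id, username, password,
             count=1, expiration=60, opener=urllib.request.urlopen):
    """Chains both steps and returns the initial access token string."""
    admin_token = get_admin_token(base_url, realm, client_id, username,
                                  password, opener=opener)
    created = create_initial_access_token(base_url, realm, admin_token,
                                          count, expiration, opener=opener)
    return created["token"]


# --- constructed stand-in for a Keycloak server, for offline runs ----------
FAKE_ADMIN_TOKEN = "eyJ.constructed.admin-token"      # constructed, not a JWT
FAKE_INITIAL_TOKEN = "eyJ.constructed.initial-token"  # constructed, not a JWT


class _FakeResponse:
    def __init__(self, obj):
        self._body = json.dumps(obj).encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_keycloak(req):
    """Drop-in for urllib.request.urlopen that mimics the two endpoints used."""
    path = urllib.parse.urlparse(req.full_url).path
    if path.endswith("/protocol/openid-connect/token"):
        form = urllib.parse.parse_qs(req.data.decode())
        if form.get("grant_type") != ["password"] or form.get("password") != ["admin"]:
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        return _FakeResponse({"access_token": FAKE_ADMIN_TOKEN, "expires_in": 60})
    if path.endswith("/clients-initial-access"):
        if req.get_header("Authorization") != f"Bearer {FAKE_ADMIN_TOKEN}":
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        wanted = json.loads(req.data.decode())
        return _FakeResponse({"id": "constructed-id", "token": FAKE_INITIAL_TOKEN,
                              "count": wanted["count"], "expiration": wanted["expiration"]})
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)


if __name__ == "__main__":
    print(run_flow("http://localhost:8080/auth", "master", "admin-cli",
                   "admin", "admin", opener=fake_keycloak))
```

Drop the opener argument to talk to a real server. The returned initial access token is itself a bearer credential for the client registration endpoint, so count and expiration are the only controls on how many registrations it permits and for how long; keeping them as small as the thread does (count=1, 60 seconds) and handing the token over a private channel is what limits the damage if it leaks.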
