[keycloak-user] Admin API permission endpoints for token exchange

James Mitchell jamesm at suitebox.com
Wed Sep 4 18:05:27 EDT 2019


Clicking through the UI I can see that all the things I need appear under
the system client "realm-management".
So I need to create the following items for that client's Authorization
* Scope - simple "token-exchange"
* Policy - link to the client that I am using for the token exchange
* Resources - a resource for each identity provider, type "Identity
Provider" and scope "token-exchange"
* Permission - one for each resource (idp) linking the resource, the scope,
and the policy

So now I need to find the Admin API for client Authorization Scopes,
Policy, Resources, and Permissions


Are these endpoints in the Keycloak Admin REST API documentation?


Thanks,

James

----

*James Mitchell*

Developer

e: jamesm at suitebox.com

w: www.suitebox.com


*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ


On Wed, 4 Sep 2019 at 16:25, James Mitchell <jamesm at suitebox.com> wrote:

> Can I get a pointer to any admin api endpoints to enable permissions for
> an identity provider to perform token exchange, and an endpoint to create
> the client policy for the permission?
>
> Firstly, I know this would all do away if I create identity providers and
> redirect to Keycloak to handle the whole oauth process... but then I think
> that would break all the existing redirect urls I have provided to the
> external oauth services, so I'm reluctant to do that. I'd prefer a behind
> the scenes migration.
>
> So, my use case is that I have an existing site with server code that
> authenticates users with external services then grants access to the site.
> I have migrated all the internal users to a Keycloak auth, and now I'm
> looking at how to exchange the tokens from the external service for valid
> Keycloak tokens.
>
> Following the steps from the documents, I can automate the following steps
> * create an identity provider for the external service, and fill in all
> the endpoint and client ids
> * lookup the existing user (they are guaranteed to exist) and link them to
> the new IDP
> * < this is the missing step for automations >
> * perform the token exchange, which now works OK with my Google test user
>
> My problem is that I need to enable the permissions, and create the policy
> to allow the IDP to do token exchange; and I have not found which API
> endpoints will do that.
>
> Can someone point me at the right documents, or a keyword to search for
> in the Admin REST API document?
>
> Thanks,
> James
>
>
> ----
>
> *James Mitchell*
>
> Developer
>
> e: jamesm at suitebox.com
>
> w: www.suitebox.com
>
>
> *SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
>
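The missing automation step described in this thread, as an added example that is not part of the original post or of the Keycloak project. It uses only the Python standard library and drives the Admin REST API through a pluggable transport. The endpoint paths are the ones the Keycloak admin console itself calls for this setup, taken from my own knowledge of Keycloak rather than from the thread, so check them against the Admin REST API reference for your version: the `authz/resource-server/{scope,policy/client,permission/scope}` endpoints under the `realm-management` client, and the identity provider's `management/permissions` endpoint, which, when enabled, creates the IdP resource together with a `token-exchange` scope permission that has no policy attached yet. `RecordingApi`, the realm `demo`, the IdP alias `google`, the client `legacy-site` and every id it returns are constructed stand-ins so the script runs offline.

```python
"""Added example (not from the thread): grant one client permission to exchange
tokens issued by one identity provider, via the Keycloak Admin REST API.
Endpoint paths follow the admin console's own REST calls (author's knowledge,
not the original post); verify against your version's Admin REST API docs."""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# Transport: (method, path, json body or None) -> decoded JSON (None for an empty body)
Api = Callable[[str, str, Optional[Dict[str, Any]]], Any]


def http_api(base_url: str, admin_token: str) -> Api:
    """Real transport over urllib. base_url includes the server's context path,
    e.g. 'https://sso.example.com/auth' on releases that still serve under /auth."""
    def call(method: str, path: str, body: Optional[Dict[str, Any]] = None) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + admin_token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:   # raises HTTPError on 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else None
    return call


def client_policy_body(name: str, client_uuid: str) -> Dict[str, Any]:
    """Client policy (POST .../policy/client): matches only the named client.
    'clients' holds internal client UUIDs, not the human-readable clientId."""
    return {"type": "client", "name": name, "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS", "clients": [client_uuid]}


def scope_permission_body(perm: Dict[str, Any], resource_id: str,
                          scope_id: str, policy_id: str) -> Dict[str, Any]:
    """Scope permission (PUT .../permission/scope/{id}). The update replaces the
    permission's associations, so resource and scope are re-sent with the policy."""
    return {"id": perm["id"], "name": perm["name"], "type": "scope",
            "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "resources": [resource_id], "scopes": [scope_id], "policies": [policy_id]}


def lookup_client_uuid(api: Api, realm: str, client_id: str) -> str:
    """Resolve a clientId to the internal UUID the authz endpoints expect."""
    hits = api("GET", f"/admin/realms/{realm}/clients?clientId={client_id}", None)
    if not hits:
        raise LookupError(f"no client with clientId={client_id!r} in realm {realm!r}")
    return hits[0]["id"]


def enable_token_exchange(api: Api, realm: str, idp_alias: str, client_id: str) -> Dict[str, str]:
    """Allow `client_id` to token-exchange against identity provider `idp_alias`."""
    admin = f"/admin/realms/{realm}"
    # 1. realm-management is the resource server that owns all IdP permissions.
    rm_uuid = lookup_client_uuid(api, realm, "realm-management")
    authz = f"{admin}/clients/{rm_uuid}/authz/resource-server"
    # 2. Enable fine-grained permissions on the IdP. Keycloak creates the IdP
    #    resource and a token-exchange scope permission (no policies yet) and
    #    returns their ids; the call is idempotent if already enabled.
    ref = api("PUT", f"{admin}/identity-provider/instances/{idp_alias}/management/permissions",
              {"enabled": True})
    resource_id = ref["resource"]
    permission_id = ref["scopePermissions"]["token-exchange"]
    # 3. The 'token-exchange' authorization scope on realm-management.
    scopes = api("GET", f"{authz}/scope?name=token-exchange", None)
    scope_id = next(s["id"] for s in scopes if s["name"] == "token-exchange")
    # 4. One policy per IdP/client pair: only the exchanging client is granted.
    exchanging_uuid = lookup_client_uuid(api, realm, client_id)
    policy = api("POST", f"{authz}/policy/client",
                 client_policy_body(f"{idp_alias}-token-exchange-{client_id}", exchanging_uuid))
    # 5. Bind that policy to the permission Keycloak created in step 2.
    perm = api("GET", f"{authz}/permission/scope/{permission_id}", None)
    api("PUT", f"{authz}/permission/scope/{permission_id}",
        scope_permission_body(perm, resource_id, scope_id, policy["id"]))
    return {"resource": resource_id, "scope": scope_id,
            "policy": policy["id"], "permission": permission_id}


class RecordingApi:
    """Constructed offline stand-in for the transport: records every call and
    answers with canned representations shaped like Keycloak's responses."""
    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Optional[Dict[str, Any]]]] = []

    def __call__(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Any:
        self.calls.append((method, path, body))
        if path.endswith("clients?clientId=realm-management"):
            return [{"id": "rm-uuid", "clientId": "realm-management"}]
        if path.endswith("clients?clientId=legacy-site"):
            return [{"id": "site-uuid", "clientId": "legacy-site"}]
        if path.endswith("/management/permissions"):
            return {"enabled": True, "resource": "res-1",
                    "scopePermissions": {"token-exchange": "perm-1"}}
        if path.endswith("/scope?name=token-exchange"):
            return [{"id": "scope-1", "name": "token-exchange"}]
        if method == "POST" and path.endswith("/policy/client"):
            return {"id": "pol-1", **body}
        if method == "GET" and path.endswith("/permission/scope/perm-1"):
            return {"id": "perm-1", "name": "token-exchange.permission.idp.res-1", "type": "scope"}
        return None   # PUT on a permission answers with an empty body


if __name__ == "__main__":
    fake = RecordingApi()   # swap in http_api(base_url, admin_token) against a real server
    print(enable_token_exchange(fake, "demo", "google", "legacy-site"))
    for method, path, _ in fake.calls:
        print(method, path)
```

Against a live server, replace `RecordingApi()` with `http_api(base_url, admin_token)`, where the token belongs to an account that can manage the realm; the admin account's own access token from the `admin-cli` client is the usual choice for a one-off migration. Keeping one client policy per identity provider rather than a shared policy means revoking exchange rights for a single IdP or client later is a matter of detaching that one policy.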

