[keycloak-user] Admin API permission endpoints for token exchange

James Mitchell jamesm at suitebox.com
Wed Sep 4 18:28:50 EDT 2019


... and using the browser dev tools to look at network calls I can see the
endpoints being used are
/auth/admin/realms/{{realm}}/clients/{{client_id}}/authz/resource-server


----

*James Mitchell*

Developer

e: jamesm at suitebox.com

w: www.suitebox.com


*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ


On Thu, 5 Sep 2019 at 10:05, James Mitchell <jamesm at suitebox.com> wrote:

> Clicking through the UI I can see that all the things I need appear under
> the system client "realm-management".
> So I need to create the following items for that client's Authorization
> * Scope - simple "token-exchange"
> * Policy - link to the client that I am using for the token exchange
> * Resources - a resource for each identity provider, type "Identity
> Provider" and scope "token-exchange"
> * Permission - one for each resource (idp) linking the resource, the
> scope, and the policy
>
> So now I need to find the Admin API for client Authorization Scopes,
> Policy, Resources, and Permissions
>
>
> Are these endpoints in the Keycloak Admin REST API documentation?
>
>
> Thanks,
>
> James
>
> On Wed, 4 Sep 2019 at 16:25, James Mitchell <jamesm at suitebox.com> wrote:
>
>> Can I get a pointer to any admin api endpoints to enable permissions for
>> an identity provider to perform token exchange, and an endpoint to create
>> the client policy for the permission?
>>
>> Firstly, I know this would all go away if I create identity providers and
>> redirect to Keycloak to handle the whole oauth process... but then I think
>> that would break all the existing redirect urls I have provided to the
>> external oauth services, so I'm reluctant to do that. I'd prefer a behind
>> the scenes migration.
>>
>> So, my use case is that I have existing site with server code that
>> authenticates users with external services then grants access to the site.
>> I have migrated all the internal users to a Keycloak auth, and now I'm
>> looking at how to exchange the tokens from the external service for valid
>> Keycloak tokens.
>>
>> Following the steps from the documents, I can automate the following steps
>> * create an identity provider for the external service, and fill in all
>> the endpoint and client ids
>> * lookup the existing user (they are guaranteed to exist) and link them
>> to the new IDP
>> * < this is the missing step for automations >
>> * perform the token exchange, which now works OK with my Google test user
>>
>> My problem is that I need to enable the permissions, and create the
>> policy to allow the IDP to do token exchange; and I have not found which
>> API endpoints will do that.
>>
>> Can someone point me at the right documents, or a keyword to search for
>> in the Admin REST API document?
>>
>> Thanks,
>> James
>>
>>
>
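An added example, not from the thread or the Keycloak project, that drives the four items James lists (scope, client policy, one resource and one permission per identity provider) through the authz endpoints under the resource-server path he saw in the browser. The sub-paths (`/scope`, `/resource`, `/policy/client`, `/permission/scope`), the `Identity Provider` resource type and the use of names rather than ids to reference objects are assumptions about Keycloak's authorization admin API; the UUIDs and aliases are constructed placeholders.

```python
"""Create realm-management authz objects for IdP token exchange (assumed endpoints)."""
import json
import urllib.request

# Prefix observed in the thread; client_uuid is the internal id of "realm-management".
AUTHZ = "/auth/admin/realms/{realm}/clients/{client_uuid}/authz/resource-server"


def authz_paths(realm, client_uuid):
    # Assumed sub-paths of the resource-server endpoint.
    base = AUTHZ.format(realm=realm, client_uuid=client_uuid)
    return {"scope": base + "/scope", "resource": base + "/resource",
            "client_policy": base + "/policy/client",
            "scope_permission": base + "/permission/scope"}


def build_objects(exchanging_client_uuid, idp_aliases, scope="token-exchange"):
    """Return (path_key, payload) pairs in creation order: the scope, the client
    policy, then a resource plus a scope permission for every identity provider.
    Assumes later objects may reference earlier ones by name."""
    policy = f"allow-{scope}"
    steps = [("scope", {"name": scope}),
             ("client_policy", {"name": policy, "type": "client", "logic": "POSITIVE",
                                "decisionStrategy": "UNANIMOUS",
                                "clients": [exchanging_client_uuid]})]
    for alias in idp_aliases:
        res = f"idp-{alias}"
        steps.append(("resource", {"name": res, "type": "Identity Provider",
                                   "scopes": [{"name": scope}]}))
        steps.append(("scope_permission", {"name": f"{res}-{scope}", "type": "scope",
                                           "resources": [res], "scopes": [scope],
                                           "policies": [policy]}))
    return steps


def apply(base_url, token, realm, realm_mgmt_uuid, steps, send=None):
    """POST each payload in order; `send` can be swapped for a dry-run callable."""
    paths = authz_paths(realm, realm_mgmt_uuid)
    send = send or _post
    return [send(base_url + paths[key], token, payload) for key, payload in steps]


def _post(url, token, payload):
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed placeholders; prints the plan instead of calling a server.
    for key, payload in build_objects("11111111-2222-3333-4444-555555555555", ["google"]):
        print(key, json.dumps(payload))
```

Run it against a real server by passing an admin bearer token and the realm-management client's UUID to `apply`; the list it returns holds one HTTP status per created object.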

