[keycloak-user] Admin API permission endpoints for token exchange

Stefan Guilhen sguilhen at redhat.com
Wed Sep 4 18:45:09 EDT 2019


Hi James,

yes, those are part of the authorization services and can be found in the
Keycloak Admin REST API docs. Look for ResourceRepresentation,
ResourceServerRepresentation, PolicyRepresentation, for example.

On Wed, Sep 4, 2019 at 7:07 PM James Mitchell <jamesm at suitebox.com> wrote:

> Clicking through the UI I can see that all the things I need appear under
> the system client "realm-management".
> So I need to create the following items for that client's Authorization
> * Scope - simple "token-exchange"
> * Policy - link to the client that I am using for the token exchange
> * Resources - a resource for each identity provider, type "Identity
> Provider" and scope "token-exchange"
> * Permission - one for each resource (idp) linking the resource, the scope,
> and the policy
>
> So now I need to find the Admin API for client Authorization Scopes,
> Policy, Resources, and Permissions
>
>
> Are these endpoints in the Keycloak Admin REST API documentation?
>
>
> Thanks,
>
> James
>
> ----
>
> *James Mitchell*
>
> Developer
>
> e: jamesm at suitebox.com
>
> w: www.suitebox.com
>
>
> *SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
>
>
> On Wed, 4 Sep 2019 at 16:25, James Mitchell <jamesm at suitebox.com> wrote:
>
> > Can I get a pointer to any admin api endpoints to enable permissions for
> > an identity provider to perform token exchange, and an endpoint to create
> > the client policy for the permission?
> >
> > Firstly, I know this would all go away if I create identity providers and
> > redirect to Keycloak to handle the whole oauth process... but then I think
> > that would break all the existing redirect urls I have provided to the
> > external oauth services, so I'm reluctant to do that. I'd prefer a behind
> > the scenes migration.
> >
> > So, my use case is that I have an existing site with server code that
> > authenticates users with external services then grants access to the site.
> > I have migrated all the internal users to a Keycloak auth, and now I'm
> > looking at how to exchange the tokens from the external service for valid
> > Keycloak tokens.
> >
> > Following the steps from the documents, I can automate the following steps
> > * create an identity provider for the external service, and fill in all
> > the endpoint and client ids
> > * look up the existing user (they are guaranteed to exist) and link them to
> > the new IDP
> > * < this is the missing step for automations >
> > * perform the token exchange, which now works OK with my Google test user
> >
> > My problem is that I need to enable the permissions, and create the policy
> > to allow the IDP to do token exchange; and I have not found which API
> > endpoints will do that.
> >
> > Can someone point me at the right documents, or a keyword to search for
> > in the Admin REST API document?
> >
> > Thanks,
> > James
> >
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


-- 

Stefan Guilhen

Principal Software Engineer

Red Hat <https://www.redhat.com/>

sguilhen at redhat.com    IM: sguilhen
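The five objects James lists, created in order through the Admin REST API, as an added example that is not code from this thread or from Keycloak itself. It toggles the identity provider's management permissions (which makes Keycloak create the "Identity Provider" resource and the token-exchange scope permission under realm-management), reads the resource to find the scope id, creates a client policy and attaches it to that permission. The base URL https://kc.example.com/auth, the realm, IdP alias, client id, policy name and the canned FakeAdminApi responses are assumptions for the illustration. Two caveats a practitioner will hit: on the Keycloak releases of this thread, token exchange and fine-grained admin permissions were preview features that had to be switched on with keycloak.profile.feature.token_exchange=enabled and keycloak.profile.feature.admin_fine_grained_authz=enabled, and the client policy should name only the client that performs the exchange, because every client matched by that policy can mint Keycloak tokens for any user linked to the IdP.

```python
"""Added example (not code from the thread or from Keycloak): let one client
token-exchange against one identity provider via the Keycloak Admin REST API,
creating the objects James listed under the realm-management client.
Endpoint paths are the Admin REST API's; base URL, realm, IdP alias, client id
and policy name are assumptions for the illustration."""
import json
import urllib.parse
import urllib.request


def make_http(base_url, admin_token):
    """Return http(method, path, body=None, params=None) -> parsed JSON or None.

    base_url is the server root, e.g. https://kc.example.com/auth (assumed);
    paths are given relative to /admin/realms/."""
    def http(method, path, body=None, params=None):
        url = f"{base_url.rstrip('/')}/admin/realms/{path.lstrip('/')}"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {admin_token}",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    return http


def enable_idp_token_exchange(http, realm, idp_alias, exchanging_client_id):
    """Create the policy/permission pair that lets `exchanging_client_id`
    exchange `idp_alias` tokens for Keycloak tokens. Returns the ids involved."""
    # 1. UUIDs of realm-management (owner of the resource server) and of the
    #    client that will call the token endpoint with the external token.
    rm_uuid = http("GET", f"{realm}/clients", params={"clientId": "realm-management"})[0]["id"]
    found = http("GET", f"{realm}/clients", params={"clientId": exchanging_client_id})
    if not found:
        raise LookupError(f"client {exchanging_client_id!r} not found in realm {realm!r}")
    client_uuid = found[0]["id"]

    # 2. Toggle fine-grained permissions on the IdP. Keycloak then creates the
    #    'Identity Provider' resource and a 'token-exchange' scope permission
    #    (with no policy attached yet, so every exchange is still denied).
    ref = http("PUT", f"{realm}/identity-provider/instances/{idp_alias}/management/permissions",
               body={"enabled": True})
    resource_id = ref["resource"]
    permission_id = ref["scopePermissions"]["token-exchange"]

    # 3. The resource representation carries its scopes; pick 'token-exchange'.
    authz = f"{realm}/clients/{rm_uuid}/authz/resource-server"
    resource = http("GET", f"{authz}/resource/{resource_id}")
    scope_id = next(s["id"] for s in resource["scopes"] if s["name"] == "token-exchange")

    # 4. Client policy naming only the one client allowed to exchange.
    policy = http("POST", f"{authz}/policy/client", body={
        "name": f"{exchanging_client_id}-exchange-{idp_alias}",  # assumed naming
        "type": "client", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
        "clients": [client_uuid],
    })

    # 5. Attach the policy to the generated permission, keeping its name.
    perm = http("GET", f"{authz}/permission/scope/{permission_id}")
    http("PUT", f"{authz}/permission/scope/{permission_id}", body={
        "id": permission_id, "name": perm["name"], "type": "scope",
        "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
        "resources": [resource_id], "scopes": [scope_id], "policies": [policy["id"]],
    })
    return {"resource": resource_id, "scope": scope_id,
            "policy": policy["id"], "permission": permission_id}


class FakeAdminApi:
    """Constructed stand-in for the Admin API so the flow runs offline.
    Records every call and answers with canned representations / made-up ids."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body=None, params=None):
        self.calls.append((method, path, body, params))
        if method == "GET" and path.endswith("/clients"):
            return [{"id": "uuid-" + params["clientId"], "clientId": params["clientId"]}]
        if path.endswith("/management/permissions"):
            return {"enabled": True, "resource": "res-1",
                    "scopePermissions": {"token-exchange": "perm-1"}}
        if "/resource-server/resource/" in path:
            return {"id": "res-1", "scopes": [{"id": "scope-1", "name": "token-exchange"}]}
        if method == "POST" and path.endswith("/policy/client"):
            return dict(body, id="pol-1")
        if method == "GET" and "/permission/scope/" in path:
            return {"id": "perm-1", "name": "token-exchange.permission.idp.internal-id",
                    "type": "scope"}
        return None


if __name__ == "__main__":
    api = FakeAdminApi()
    print(enable_idp_token_exchange(api, "myrealm", "google", "legacy-site"))
    # live server: http = make_http("https://kc.example.com/auth", admin_token)
```

Run as-is it exercises the flow against the fake; against a live server pass the callable from make_http with an admin access token that carries realm-admin rights (or the realm-management roles covering identity providers, clients and authorization). Run it once per identity provider, which is exactly the "one permission per resource (idp)" James describes.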

