<div dir="ltr">I just saw Bill Burke's response. I will try one of your two approaches. Yes, I just need the basic info so what you suggested will work for me. Thanks!</div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Wed, Mar 5, 2014 at 2:29 PM, <span dir="ltr"><<a href="mailto:keycloak-user-request@lists.jboss.org" target="_blank">keycloak-user-request@lists.jboss.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Send keycloak-user mailing list submissions to<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:keycloak-user-request@lists.jboss.org">keycloak-user-request@lists.jboss.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:keycloak-user-owner@lists.jboss.org">keycloak-user-owner@lists.jboss.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of keycloak-user digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Openshift installation (Davide Ungari)<br>
2. How to access realms/{realm}/users/{user} with Application<br>
(Dean Peterson)<br>
3. Re: How to access realms/{realm}/users/{user} with<br>
Application (Bill Burke)<br>
4. Re: How to access realms/{realm}/users/{user} with<br>
Application (Stian Thorgersen)<br>
5. Re: How to access realms/{realm}/users/{user} with<br>
Application (Dean Peterson)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Sun, 2 Mar 2014 06:20:15 -0500 (EST)<br>
From: Davide Ungari <<a href="mailto:davide@billdrawer.com">davide@billdrawer.com</a>><br>
Subject: [keycloak-user] Openshift installation<br>
To: keycloak user list <<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
Message-ID:<br>
<<a href="mailto:155451129.27399.1393759215776.open-xchange@app1.ox.registrar-servers.com">155451129.27399.1393759215776.open-xchange@app1.ox.registrar-servers.com</a>><br>
<br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
<br>
At the end I got it!<br>
I followed the instructions of section 4.1 "Create Keycloak instance with the<br>
web tool" instead of the command-line tool.<br>
<br>
Davide Ungari, Founder<br>
<a href="http://www.billdrawer.com" target="_blank">www.billdrawer.com</a> | <a href="mailto:davide@billdrawer.com">davide@billdrawer.com</a><br>
Milan, IT<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20140302/7bc0c0a7/attachment-0001.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20140302/7bc0c0a7/attachment-0001.html</a><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Tue, 4 Mar 2014 13:15:31 -0600<br>
From: Dean Peterson <<a href="mailto:peterson.dean@gmail.com">peterson.dean@gmail.com</a>><br>
Subject: [keycloak-user] How to access realms/{realm}/users/{user}<br>
with Application<br>
To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
Message-ID:<br>
<CAFGzvPkrgJtAq=<a href="mailto:6jAJOsa9x8cw4Boo3PEO3nDEPAz8eSUa6AOg@mail.gmail.com">6jAJOsa9x8cw4Boo3PEO3nDEPAz8eSUa6AOg@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Hello,<br>
<br>
I am trying to find the best way to access the UsersResource.java Rest<br>
services outside the keycloak admin application to get a user's<br>
information. How do I make a request using just the client's credentials?<br>
<br>
I currently use something like this but I get a 401 because I am using a<br>
user's oauth token and they only have user privileges:<br>
SkeletonKeySession session = (SkeletonKeySession) request<br>
.getAttribute(SkeletonKeySession.class.getName());<br>
ResteasyClient client = new ResteasyClientBuilder()<br>
.trustStore(session.getMetadata().getTruststore())<br>
.hostnameVerification(<br>
<br>
ResteasyClientBuilder.HostnameVerificationPolicy.ANY)<br>
.build();<br>
<br>
String username = request.getRemoteUser();<br>
<br>
Profile profile = null;<br>
<br>
try {<br>
<br>
Response response = client<br>
.target("<br>
<a href="http://server:8080/auth/rest/admin/realms/myrealm/users/" target="_blank">http://server:8080/auth/rest/admin/realms/myrealm/users/</a>")<br>
.path(username)<br>
.request()<br>
.header(HttpHeaders.AUTHORIZATION,<br>
"Bearer " + session.getTokenString()).get();<br>
<br>
<br>
// Get the existing entry if there is one. Otherwise, just<br>
return<br>
// the regular<br>
// entity retrieved from the remote system.<br>
try {<br>
profile = profileRepository<br>
.findByRegistrationId(member.getId());<br>
<br>
} catch (NoResultException e) {<br>
// ignore<br>
}<br>
<br>
} finally {<br>
client.close();<br>
}<br>
<br>
Is there a way for the application to make a request directly as an admin<br>
without giving the user admin privileges?<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20140304/061695ca/attachment-0001.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20140304/061695ca/attachment-0001.html</a><br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Tue, 04 Mar 2014 15:46:04 -0500<br>
From: Bill Burke <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>><br>
Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}<br>
with Application<br>
To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
Message-ID: <<a href="mailto:53163B8C.3060605@redhat.com">53163B8C.3060605@redhat.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
<br>
<br>
On 3/4/2014 2:15 PM, Dean Peterson wrote:<br>
> Hello,<br>
><br>
> I am trying to find the best way to access the UsersResource.java Rest<br>
> services outside the keycloak admin application to get a user's<br>
> information. How do I make a request using just the client's credentials?<br>
><br>
<br>
You just want basic information right? name, email, etc.? Next release<br>
(March 13th) we'll have OpenID Connect support. SkeletonKeysession<br>
(renamed to KeycloakSecurityContext) will have a reference to an IDToken<br>
which can be populated with various user information (claims). Allowed<br>
claims are specified per application/oauth client.<br>
<br>
You can build and use this right now. View the<br>
preconfigured/customer-portal examples to see how its being done right<br>
<br>
If you don't want to build/run from master you can do a POST to<br>
/auth/rest/realms/keycloak-admin/tokens/grants/access<br>
<br>
URL form encoded parameters of:<br>
<br>
username=admin<br>
password=admin-password<br>
<br>
This will return an access token which you can use to invoke on the<br>
admin REST API. *NOTE* we're chaning this particular REST API next<br>
release too :(<br>
<br>
<br>
<br>
<br>
> I currently use something like this but I get a 401 because I am using a<br>
> user's oauth token and they only have user privileges:<br>
> SkeletonKeySession session = (SkeletonKeySession) request<br>
> .getAttribute(SkeletonKeySession.class.getName());<br>
> ResteasyClient client = new ResteasyClientBuilder()<br>
> .trustStore(session.getMetadata().getTruststore())<br>
> .hostnameVerification(<br>
><br>
> ResteasyClientBuilder.HostnameVerificationPolicy.ANY)<br>
> .build();<br>
><br>
> String username = request.getRemoteUser();<br>
><br>
> Profile profile = null;<br>
><br>
> try {<br>
><br>
> Response response = client<br>
><br>
> .target("<a href="http://server:8080/auth/rest/admin/realms/myrealm/users/" target="_blank">http://server:8080/auth/rest/admin/realms/myrealm/users/</a>")<br>
> .path(username)<br>
> .request()<br>
> .header(HttpHeaders.AUTHORIZATION,<br>
> "Bearer " + session.getTokenString()).get();<br>
><br>
> // Get the existing entry if there is one. Otherwise, just<br>
> return<br>
> // the regular<br>
> // entity retrieved from the remote system.<br>
> try {<br>
> profile = profileRepository<br>
> .findByRegistrationId(member.getId());<br>
><br>
> } catch (NoResultException e) {<br>
> // ignore<br>
> }<br>
><br>
> } finally {<br>
> client.close();<br>
> }<br>
><br>
> Is there a way for the application to make a request directly as an<br>
> admin without giving the user admin privileges?<br>
><br>
><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Wed, 5 Mar 2014 04:09:35 -0500 (EST)<br>
From: Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}<br>
with Application<br>
To: Dean Peterson <<a href="mailto:peterson.dean@gmail.com">peterson.dean@gmail.com</a>><br>
Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
Message-ID:<br>
<<a href="mailto:1739218212.20951754.1394010575408.JavaMail.zimbra@redhat.com">1739218212.20951754.1394010575408.JavaMail.zimbra@redhat.com</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
There's also a Keycloak specific mechanism for accessing the account of the user associated with the token.<br>
<br>
To do this open the scope mappings for your app/client, and select 'account' in the application roles, select 'view-profile' and click the right-arrow. This will allow your app/client to view the profile of the current user.<br>
<br>
Then you can make a request (with bearer token) to:<br>
<br>
/auth/rest/realms/myrealm/account<br>
<br>
In the future we'll add support to do all account specific things through these REST endpoints to support all operations provided by the account management application.<br>
<br>
----- Original Message -----<br>
> From: "Dean Peterson" <<a href="mailto:peterson.dean@gmail.com">peterson.dean@gmail.com</a>><br>
> To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Tuesday, 4 March, 2014 7:15:31 PM<br>
> Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application<br>
><br>
> Hello,<br>
><br>
> I am trying to find the best way to access the UsersResource.java Rest<br>
> services outside the keycloak admin application to get a user's information.<br>
> How do I make a request using just the client's credentials?<br>
><br>
> I currently use something like this but I get a 401 because I am using a<br>
> user's oauth token and they only have user privileges:<br>
> SkeletonKeySession session = (SkeletonKeySession) request<br>
> .getAttribute(SkeletonKeySession.class.getName());<br>
> ResteasyClient client = new ResteasyClientBuilder()<br>
> .trustStore(session.getMetadata().getTruststore())<br>
> .hostnameVerification(<br>
> ResteasyClientBuilder.HostnameVerificationPolicy.ANY)<br>
> .build();<br>
><br>
> String username = request.getRemoteUser();<br>
><br>
> Profile profile = null;<br>
><br>
> try {<br>
><br>
> Response response = client<br>
> .target(" <a href="http://server:8080/auth/rest/admin/realms/myrealm/users/" target="_blank">http://server:8080/auth/rest/admin/realms/myrealm/users/</a> ")<br>
> .path(username)<br>
> .request()<br>
> .header(HttpHeaders.AUTHORIZATION,<br>
> "Bearer " + session.getTokenString()).get();<br>
><br>
> // Get the existing entry if there is one. Otherwise, just return<br>
> // the regular<br>
> // entity retrieved from the remote system.<br>
> try {<br>
> profile = profileRepository<br>
> .findByRegistrationId(member.getId());<br>
><br>
> } catch (NoResultException e) {<br>
> // ignore<br>
> }<br>
><br>
> } finally {<br>
> client.close();<br>
> }<br>
><br>
> Is there a way for the application to make a request directly as an admin<br>
> without giving the user admin privileges?<br>
><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Wed, 5 Mar 2014 14:28:53 -0600<br>
From: Dean Peterson <<a href="mailto:peterson.dean@gmail.com">peterson.dean@gmail.com</a>><br>
Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}<br>
with Application<br>
To: Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
Message-ID:<br>
<CAFGzvPkYz5ZVwzJ+WmDoirWn=<a href="mailto:W3fW3kGV7GRvQxCCpeVC2ULAw@mail.gmail.com">W3fW3kGV7GRvQxCCpeVC2ULAw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Thank you. I tried what you said. I am able access that REST service on<br>
the Keycloak server but it returns an AccountService object. Actually, I<br>
get a 406 error response on my end. I think it is because I did not have<br>
the keycloak-services dependency in my application's pom. However, when I<br>
add it and I try to start the server, I get the error: Could not find<br>
constructor for class: org.keycloak.services.resources.RealmsResource.<br>
Should I make my own local version of AccountService and not add<br>
keycloak-services to my application? What is the best approach? Any ideas<br>
why I might be getting a 406 error?<br>
<br>
SkeletonKeySession session = (SkeletonKeySession) request<br>
.getAttribute(SkeletonKeySession.class.getName());<br>
ResteasyClient client = new ResteasyClientBuilder()<br>
.trustStore(session.getMetadata().getTruststore())<br>
.hostnameVerification(<br>
<br>
ResteasyClientBuilder.HostnameVerificationPolicy.ANY)<br>
.build();<br>
<br>
String username = request.getRemoteUser();<br>
<br>
Profile profile = null;<br>
<br>
try {<br>
<br>
Response response = client<br>
.target("<br>
<a href="http://server:8080/auth/rest/realms/myrealm/account" target="_blank">http://server:8080/auth/rest/realms/myrealm/account</a>")<br>
.request()<br>
.header(HttpHeaders.AUTHORIZATION,<br>
"Bearer " + session.getTokenString()).get();<br>
<br>
.<br>
.<br>
.<br>
<br>
<br>
<br>
On Wed, Mar 5, 2014 at 3:09 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br>
<br>
> There's also a Keycloak specific mechanism for accessing the account of<br>
> the user associated with the token.<br>
><br>
> To do this open the scope mappings for your app/client, and select<br>
> 'account' in the application roles, select 'view-profile' and click the<br>
> right-arrow. This will allow your app/client to view the profile of the<br>
> current user.<br>
><br>
> Then you can make a request (with bearer token) to:<br>
><br>
> /auth/rest/realms/myrealm/account<br>
><br>
> In the future we'll add support to do all account specific things through<br>
> these REST endpoints to support all operations provided by the account<br>
> management application.<br>
><br>
> ----- Original Message -----<br>
> > From: "Dean Peterson" <<a href="mailto:peterson.dean@gmail.com">peterson.dean@gmail.com</a>><br>
> > To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > Sent: Tuesday, 4 March, 2014 7:15:31 PM<br>
> > Subject: [keycloak-user] How to access realms/{realm}/users/{user} with<br>
> Application<br>
> ><br>
> > Hello,<br>
> ><br>
> > I am trying to find the best way to access the UsersResource.java Rest<br>
> > services outside the keycloak admin application to get a user's<br>
> information.<br>
> > How do I make a request using just the client's credentials?<br>
> ><br>
> > I currently use something like this but I get a 401 because I am using a<br>
> > user's oauth token and they only have user privileges:<br>
> > SkeletonKeySession session = (SkeletonKeySession) request<br>
> > .getAttribute(SkeletonKeySession.class.getName());<br>
> > ResteasyClient client = new ResteasyClientBuilder()<br>
> > .trustStore(session.getMetadata().getTruststore())<br>
> > .hostnameVerification(<br>
> > ResteasyClientBuilder.HostnameVerificationPolicy.ANY)<br>
> > .build();<br>
> ><br>
> > String username = request.getRemoteUser();<br>
> ><br>
> > Profile profile = null;<br>
> ><br>
> > try {<br>
> ><br>
> > Response response = client<br>
> > .target(" <a href="http://server:8080/auth/rest/admin/realms/myrealm/users/" target="_blank">http://server:8080/auth/rest/admin/realms/myrealm/users/</a> ")<br>
> > .path(username)<br>
> > .request()<br>
> > .header(HttpHeaders.AUTHORIZATION,<br>
> > "Bearer " + session.getTokenString()).get();<br>
> ><br>
> > // Get the existing entry if there is one. Otherwise, just return<br>
> > // the regular<br>
> > // entity retrieved from the remote system.<br>
> > try {<br>
> > profile = profileRepository<br>
> > .findByRegistrationId(member.getId());<br>
> ><br>
> > } catch (NoResultException e) {<br>
> > // ignore<br>
> > }<br>
> ><br>
> > } finally {<br>
> > client.close();<br>
> > }<br>
> ><br>
> > Is there a way for the application to make a request directly as an admin<br>
> > without giving the user admin privileges?<br>
> ><br>
> > _______________________________________________<br>
> > keycloak-user mailing list<br>
> > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20140305/c27824e7/attachment.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20140305/c27824e7/attachment.html</a><br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
End of keycloak-user Digest, Vol 3, Issue 2<br>
*******************************************<br>
</blockquote></div><br></div>