<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">It looks like an authorization issue. Your
user either doesn't have the required roles or your client is missing
scopes (which means that roles are not propagated to the accessToken).
<br>
<br>
To just view roles, you need the role "view-realm" of the client
"realm-management".<br>
<br>
Marek<br>
<br>
On 7.7.2015 18:46, Stephen More wrote:<br>
</div>
<blockquote
cite="mid:CAL2vA_OYKyPjZ4fZumas1injw26tpWkTJo0EX1Qg4N2+RejmCw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>I have tried to add:<br>
org.keycloak.representations.IDToken idToken =
principal.getKeycloakSecurityContext().getIdToken();<br>
org.keycloak.representations.AccessToken token =
principal.getKeycloakSecurityContext().getToken();<br>
<br>
writer.write("&lt;br/&gt;Access Token id: " +
token.getId());<br>
writer.write("&lt;br/&gt;Access Token String: " +
principal.getKeycloakSecurityContext().getTokenString());<br>
writer.write("&lt;br/&gt;ID Token id: " +
idToken.getId());<br>
writer.write("&lt;br/&gt;ID Token String: " +
principal.getKeycloakSecurityContext().getIdTokenString());<br>
<br>
writer.write(String.format("&lt;br/&gt;&lt;a
href=\"/multitenant/%s/logout\"&gt;Logout&lt;/a&gt;",
realm));<br>
<br>
try<br>
{<br>
java.net.URL url = new java.net.URL( "<a
moz-do-not-send="true"
href="http://localhost:8080/auth/admin/realms/">http://localhost:8080/auth/admin/realms/</a>"
+ principal.getKeycloakSecurityContext().getRealm() +
"/roles" );<br>
java.net.HttpURLConnection conn =
(java.net.HttpURLConnection)url.openConnection();<br>
conn.setRequestMethod( "GET" );<br>
conn.setRequestProperty("Authorization",
"Bearer " +
principal.getKeycloakSecurityContext().getTokenString());<br>
java.io.BufferedReader in = new
java.io.BufferedReader( new java.io.InputStreamReader(
conn.getInputStream()));<br>
String line;<br>
while ((line = in.readLine()) != null)<br>
{<br>
writer.write( line );<br>
}<br>
in.close();<br>
}<br>
catch( Exception e )<br>
{<br>
e.printStackTrace();<br>
}<br>
<br>
</div>
to
keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java<br>
<br>
</div>
But I am getting an error:<br>
12:28:28,317 WARN [org.jboss.resteasy.core.ExceptionHandler]
(default task-16) Failed executing GET
/admin/realms/tenant1/roles:
org.keycloak.services.ForbiddenException<br>
<div><br>
<br>
In stepping through the AdminClient of the admin-access-app I
have found an example bearer token was 1157 characters long.<br>
<br>
principal.getKeycloakSecurityContext().getIdTokenString()
turned out to be 645 characters long.<br>
<br>
principal.getKeycloakSecurityContext().getTokenString() turned
out to be 865 characters long.<br>
<br>
<br>
</div>
<div>What is it that I am missing ?<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jul 7, 2015 at 10:08 AM, Bill
Burke <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">The access
token should already be available.<br>
<span class=""><br>
On 7/7/2015 10:01 AM, Stephen More wrote:<br>
> Or perhaps a better question would be: Once a user is
already logged<br>
> into keycloak, how can a<br>
> org.keycloak.representations.AccessTokenResponse
without providing a<br>
> password a second time ?<br>
><br>
> On Sun, Jul 5, 2015 at 12:00 PM, Stephen More <<a
moz-do-not-send="true"
href="mailto:stephen.more@gmail.com">stephen.more@gmail.com</a><br>
</span><span class="">> <mailto:<a
moz-do-not-send="true"
href="mailto:stephen.more@gmail.com">stephen.more@gmail.com</a>>>
wrote:<br>
><br>
> How could I extend the multi-tenant example (<br>
> <a moz-do-not-send="true"
href="https://github.com/keycloak/keycloak/tree/master/examples/"
rel="noreferrer" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/</a><br>
</span>> <<a moz-do-not-send="true"
href="https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant"
rel="noreferrer" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant</a>>multi-tenant<br>
<span class="">> ) to make a Rest admin api call back
to keycloak using java ?<br>
><br>
> I think this would be a helpful example in
upcoming releases.<br>
><br>
> Thanks<br>
><br>
><br>
><br>
><br>
</span>> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a moz-do-not-send="true"
href="http://bill.burkecentral.com" rel="noreferrer"
target="_blank">http://bill.burkecentral.com</a><br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
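<div>Added example, not part of the mailing-list messages above: a diagnostic that decodes the access token string and reports whether it carries the "view-realm" role of the "realm-management" client, which separates the two causes named in the reply (missing role mapping or missing scope) from other problems. It assumes client roles appear under the token's <code>resource_access</code> claim; the function names and sample tokens are constructed for illustration.</div>

```python
import base64
import json

REQUIRED_CLIENT = "realm-management"  # client named in the reply above
REQUIRED_ROLE = "view-realm"          # role named in the reply above


def decode_payload(token):
    """Return a JWT's claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def client_roles(claims, client):
    """Roles the token carries for one client (assumed claim: resource_access)."""
    access = claims.get("resource_access") or {}
    return set((access.get(client) or {}).get("roles") or [])


def diagnose(token, client=REQUIRED_CLIENT, role=REQUIRED_ROLE):
    """Explain whether the token carries the given client role."""
    claims = decode_payload(token)
    roles = client_roles(claims, client)
    if role in roles:
        return "ok: token carries %s/%s" % (client, role)
    if client not in (claims.get("resource_access") or {}):
        return "missing: no roles for client %s in token" % client
    return "missing: token has %s roles %s but not %s" % (client, sorted(roles), role)


def make_sample_token(claims):
    """Build a constructed token with a dummy signature for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])


# Constructed sample claims, not taken from the thread.
WITH_ROLE = make_sample_token(
    {"sub": "u1", "resource_access": {"realm-management": {"roles": ["view-realm"]}}})
WITHOUT = make_sample_token(
    {"sub": "u1", "resource_access": {"multi-tenant": {"roles": ["user"]}}})

if __name__ == "__main__":
    print(diagnose(WITH_ROLE))
    print(diagnose(WITHOUT))
```

<div>If the role is absent from the token even though the user has it assigned, the client's scope is the place to look, as the reply suggests.</div>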
</body>
</html>