<div dir="ltr"><div><div>I added:<br>   &quot;realm-management&quot;: [ &quot;realm-admin&quot; ],<br></div>to:<br>   &quot;clientRoles&quot;: {<br><br></div>Now I am getting:<br>    07:25:37,948 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-92) Failed executing GET /admin/realms/tenant1/roles: org.jboss.resteasy.spi.UnauthorizedException: Bearer<br>        at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152)<br>        at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:183)<br>        at sun.reflect.GeneratedMethodAccessor339.invoke(Unknown Source)<br>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>        at java.lang.reflect.Method.invoke(Method.java:606)<br><br><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 8, 2015 at 6:20 AM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>It looks like authorization issue. Your
      user either doesn&#39;t have required roles or your client is missing
      scopes (which means that roles are not propagated to accessToken).
      <br>
      <br>
      To just view roles, you need role &quot;view-realm&quot; of client
      &quot;realm-management&quot; .<span class="HOEnZb"><font color="#888888"><br>
      <br>
      Marek</font></span><div><div class="h5"><br>
      <br>
      On 7.7.2015 18:46, Stephen More wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>I have tried to add:<br>
                    org.keycloak.representations.IDToken idToken =
            principal.getKeycloakSecurityContext().getIdToken();<br>
                    org.keycloak.representations.AccessToken token =
            principal.getKeycloakSecurityContext().getToken();<br>
            <br>
                    writer.write(&quot;&lt;br/&gt;Access Token id: &quot; +
            token.getId());<br>
                    writer.write(&quot;&lt;br/&gt;Access Token String: &quot; +
            principal.getKeycloakSecurityContext().getTokenString());<br>
                    writer.write(&quot;&lt;br/&gt;ID Token id: &quot; +
            idToken.getId());<br>
                    writer.write(&quot;&lt;br/&gt;ID Token String: &quot; +
            principal.getKeycloakSecurityContext().getIdTokenString());<br>
            <br>
                    writer.write(String.format(&quot;&lt;br/&gt;&lt;a
            href=\&quot;/multitenant/%s/logout\&quot;&gt;Logout&lt;/a&gt;&quot;,
            realm));<br>
            <br>
                    try<br>
                    {<br>
                            java.net.URL url = new java.net.URL( &quot;<a href="http://localhost:8080/auth/admin/realms/" target="_blank">http://localhost:8080/auth/admin/realms/</a>&quot;
            + principal.getKeycloakSecurityContext().getRealm() +
            &quot;/roles&quot; );<br>
                            java.net.HttpURLConnection conn =
            (java.net.HttpURLConnection)url.openConnection();<br>
                            conn.setRequestMethod( &quot;GET&quot; );<br>
                            conn.setRequestProperty(&quot;Authorization&quot;,
            &quot;Bearer &quot; +
            principal.getKeycloakSecurityContext().getTokenString());<br>
                            java.io.BufferedReader in = new
            java.io.BufferedReader( new java.io.InputStreamReader(
            conn.getInputStream()));<br>
                            String line;<br>
                            while ((line = in.readLine()) != null)<br>
                            {<br>
                                writer.write( line );<br>
                            }<br>
                            in.close();<br>
                    }<br>
                    catch( Exception e )<br>
                    {<br>
                            e.printStackTrace();<br>
                    }<br>
            <br>
          </div>
          to
keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java<br>
          <br>
        </div>
        But I am getting an error:<br>
        12:28:28,317 WARN  [org.jboss.resteasy.core.ExceptionHandler]
        (default task-16) Failed executing GET
        /admin/realms/tenant1/roles:
        org.keycloak.services.ForbiddenException<br>
        <div><br>
          <br>
          In stepping through the AdminClient of the admin-access-app I
          have found an example bearer token was 1157 characters long.<br>
          <br>
          principal.getKeycloakSecurityContext().getIdTokenString()
          turned out to be 645 characters long.<br>
          <br>
          principal.getKeycloakSecurityContext().getTokenString() turned
          out to be 865 characters long.<br>
          <br>
          <br>
        </div>
        <div>What is it that I am missing ?<br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Jul 7, 2015 at 10:08 AM, Bill
          Burke <span dir="ltr">&lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The access
            token should already be available.<br>
            <span><br>
              On 7/7/2015 10:01 AM, Stephen More wrote:<br>
              &gt; Or perhaps a better question would be: Once a user is
              already logged<br>
              &gt; into keycloak, how can a<br>
              &gt; org.keycloak.representations.AccessTokenResponse
              without providing a<br>
              &gt; password a second time ?<br>
              &gt;<br>
              &gt; On Sun, Jul 5, 2015 at 12:00 PM, Stephen More &lt;<a href="mailto:stephen.more@gmail.com" target="_blank">stephen.more@gmail.com</a><br>
            </span><span>&gt; &lt;mailto:<a href="mailto:stephen.more@gmail.com" target="_blank">stephen.more@gmail.com</a>&gt;&gt;
              wrote:<br>
              &gt;<br>
              &gt;     How could I extend the multi-tenant example (<br>
              &gt;     <a href="https://github.com/keycloak/keycloak/tree/master/examples/" rel="noreferrer" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/</a><br>
            </span>&gt;     &lt;<a href="https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant" rel="noreferrer" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant</a>&gt;multi-tenant<br>
            <span>&gt;     ) to make a Rest admin api call back
              to keycloak using java ?<br>
              &gt;<br>
              &gt;     I think this would be a helpful example in
              upcoming releases.<br>
              &gt;<br>
              &gt;     Thanks<br>
              &gt;<br>
              &gt;<br>
              &gt;<br>
              &gt;<br>
            </span>&gt; _______________________________________________<br>
            &gt; keycloak-user mailing list<br>
            &gt; <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
            &gt; <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
            &gt;<br>
            <span><font color="#888888"><br>
                --<br>
                Bill Burke<br>
                JBoss, a division of Red Hat<br>
                <a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
                _______________________________________________<br>
                keycloak-user mailing list<br>
                <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
                <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
              </font></span></blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      <pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>