<div dir="ltr"><div><div>I added:<br> "realm-management": [ "realm-admin" ],<br></div>to:<br> "clientRoles": {<br><br></div>Now I am getting:<br> 07:25:37,948 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-92) Failed executing GET /admin/realms/tenant1/roles: org.jboss.resteasy.spi.UnauthorizedException: Bearer<br> at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152)<br> at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:183)<br> at sun.reflect.GeneratedMethodAccessor339.invoke(Unknown Source)<br> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br> at java.lang.reflect.Method.invoke(Method.java:606)<br><br><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 8, 2015 at 6:20 AM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>It looks like an authorization issue. Your
user either doesn't have the required roles or your client is missing
scopes (which means that roles are not propagated to the accessToken).
<br>
<br>
To just view roles, you need the role "view-realm" of client
"realm-management".<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span><div><div class="h5"><br>
<br>
On 7.7.2015 18:46, Stephen More wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>I have tried to add:<br>
<pre>
// Tokens from the Keycloak security context of the logged-in user
org.keycloak.representations.IDToken idToken = principal.getKeycloakSecurityContext().getIdToken();
org.keycloak.representations.AccessToken token = principal.getKeycloakSecurityContext().getToken();

writer.write("&lt;br/&gt;Access Token id: " + token.getId());
writer.write("&lt;br/&gt;Access Token String: " + principal.getKeycloakSecurityContext().getTokenString());
writer.write("&lt;br/&gt;ID Token id: " + idToken.getId());
writer.write("&lt;br/&gt;ID Token String: " + principal.getKeycloakSecurityContext().getIdTokenString());

writer.write(String.format("&lt;br/&gt;&lt;a href=\"/multitenant/%s/logout\"&gt;Logout&lt;/a&gt;", realm));

try
{
    // Call the admin REST API for this tenant's realm, reusing the user's access token as the bearer
    java.net.URL url = new java.net.URL( "http://localhost:8080/auth/admin/realms/"
        + principal.getKeycloakSecurityContext().getRealm() + "/roles" );
    java.net.HttpURLConnection conn = (java.net.HttpURLConnection)url.openConnection();
    conn.setRequestMethod( "GET" );
    conn.setRequestProperty("Authorization", "Bearer " + principal.getKeycloakSecurityContext().getTokenString());
    java.io.BufferedReader in = new java.io.BufferedReader( new java.io.InputStreamReader( conn.getInputStream()));
    String line;
    while ((line = in.readLine()) != null)
    {
        writer.write( line );
    }
    in.close();
}
catch( Exception e )
{
    e.printStackTrace();
}
</pre>
</div>
to
keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java<br>
<br>
</div>
But I am getting an error:<br>
12:28:28,317 WARN [org.jboss.resteasy.core.ExceptionHandler]
(default task-16) Failed executing GET
/admin/realms/tenant1/roles:
org.keycloak.services.ForbiddenException<br>
<div><br>
<br>
In stepping through the AdminClient of the admin-access-app I
have found an example bearer token was 1157 characters long.<br>
<br>
principal.getKeycloakSecurityContext().getIdTokenString()
turned out to be 645 characters long.<br>
<br>
principal.getKeycloakSecurityContext().getTokenString() turned
out to be 865 characters long.<br>
<br>
<br>
</div>
<div>What is it that I am missing?<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jul 7, 2015 at 10:08 AM, Bill
Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The access
token should already be available.<br>
<span><br>
On 7/7/2015 10:01 AM, Stephen More wrote:<br>
> Or perhaps a better question would be: Once a user is
already logged<br>
> into keycloak, how can a<br>
> org.keycloak.representations.AccessTokenResponse
without providing a<br>
> password a second time?<br>
><br>
> On Sun, Jul 5, 2015 at 12:00 PM, Stephen More <<a href="mailto:stephen.more@gmail.com" target="_blank">stephen.more@gmail.com</a><br>
</span><span>> <mailto:<a href="mailto:stephen.more@gmail.com" target="_blank">stephen.more@gmail.com</a>>>
wrote:<br>
><br>
> How could I extend the multi-tenant example (<br>
> <a href="https://github.com/keycloak/keycloak/tree/master/examples/" rel="noreferrer" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/</a><br>
</span>> <<a href="https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant" rel="noreferrer" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant</a>>multi-tenant<br>
<span>> ) to make a Rest admin api call back
to keycloak using java?<br>
><br>
> I think this would be a helpful example in
upcoming releases.<br>
><br>
> Thanks<br>
><br>
><br>
><br>
><br>
</span>> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<span><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
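The replies above come down to one question: does the access token the servlet forwards as a bearer actually carry the "view-realm" role of the "realm-management" client? The following Python diagnostic is an added example, not code from the thread or from Keycloak. It decodes a token's claims locally (no signature check) and reports which required roles are absent; the two tokens it inspects are constructed for the demo, and it relies on Keycloak placing client roles under the resource_access claim.

```python
import base64
import json

# Client and role named in the thread as required to view realm roles.
REQUIRED_CLIENT = "realm-management"
REQUIRED_ROLES = {"view-realm"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT
    verified: this is a local diagnostic of what the token carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def client_roles(claims: dict, client_id: str) -> set:
    """Client roles that Keycloak puts under resource_access.<client>.roles."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))

def missing_admin_roles(token: str) -> set:
    """REQUIRED_ROLES that the token does not carry for REQUIRED_CLIENT.
    An empty set means the admin endpoint should accept the bearer token."""
    return REQUIRED_ROLES - client_roles(decode_claims(token), REQUIRED_CLIENT)

def _sample_token(claims: dict) -> str:
    # Constructed, unsigned sample for the demo only (placeholder signature).
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"

# Constructed tokens: one as the servlet saw it (no realm-management roles
# propagated), one after the realm-management role and scope were granted.
TOKEN_WITHOUT_ROLES = _sample_token({
    "iss": "http://localhost:8080/auth/realms/tenant1",
    "realm_access": {"roles": ["user"]}})
TOKEN_WITH_ROLES = _sample_token({
    "iss": "http://localhost:8080/auth/realms/tenant1",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"realm-management": {"roles": ["view-realm"]}}})

if __name__ == "__main__":
    for label, tok in (("without", TOKEN_WITHOUT_ROLES), ("with", TOKEN_WITH_ROLES)):
        print(label, "roles -> missing:", missing_admin_roles(tok) or "none")
```

Paste the value of getTokenString() in place of the constructed tokens to see whether the missing scope mapping or the missing user role is what the 401/403 is reporting.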