create user via java api
by John Norris
Hello,
I have a Spring Boot application using Keycloak 6.0.1 for authentication.
I can log on to the Keycloak admin console via a local browser as the "admincloak" user (which is in the master realm) and create users in the "SpringBootKeycloak" realm.
But if I try to create a user from within the Spring Boot code, I get the following error in the Keycloak log:
10:57:33,927 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR,
realmId=SpringBootKeycloak, clientId=bikes-app, userId=null, ipAddress=127.0.0.1,
error=invalid_user_credentials, auth_method=openid-connect, grant_type=password,
client_auth_method=client-secret, username=admincloak
Here is the relevant Java code:
import java.util.Arrays;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

private static final String SERVER_URL = "http://mint191:8080/auth";
private static final String REALM = "SpringBootKeycloak";
private static final String USERNAME = "admincloak";
private static final String PASSWORD = "123456";
private static final String CLIENT_ID = "bikes-app";
private static final String USER_ROLE = "user";

public static void createKCUser(Owner owner) {
    try {
        // Admin client: obtains a token for USERNAME/PASSWORD from REALM through CLIENT_ID
        Keycloak keycloak = KeycloakBuilder
                .builder()
                .serverUrl(SERVER_URL)
                .realm(REALM)
                .username(USERNAME)
                .password(PASSWORD)
                .clientId(CLIENT_ID)
                .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
                .build();
        // Initial password credential for the new user
        CredentialRepresentation credentialRepresentation = new CredentialRepresentation();
        credentialRepresentation.setType(CredentialRepresentation.PASSWORD);
        credentialRepresentation.setValue("12345678");
        // User attributes copied from the application's Owner object
        UserRepresentation userRepresentation = new UserRepresentation();
        userRepresentation.setUsername(owner.getUserName());
        userRepresentation.setFirstName(owner.getFirstName());
        userRepresentation.setLastName(owner.getSurName());
        userRepresentation.setEnabled(true);
        userRepresentation.setCredentials(Arrays.asList(credentialRepresentation));
        // Create the user in REALM through the admin REST API (this is the line that fails with 401)
        keycloak.realm(REALM).users().create(userRepresentation);
    } catch (Exception e) {
        throw new RuntimeException("Could not create Keycloak user", e);
    }
}
The stacktrace has
javax.ws.rs.ProcessingException: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
for the "keycloak.realm(REALM).users().create(userRepresentation);" line
I have seen in previous posts that
"Make sure that your user has the permissions "manage-users" and "view-realm" from the role "realm-management". Make sure your scopes are defined such that these roles actually are part of your token."
When I go into the Keycloak admin console and look at the admincloak user in the master realm, the effective roles in the role mappings tab are:
admin
create-realm
offline-access
uma_authorization
But I can't see a "realm-management" role in roles in master. I can see the roles "manage-users" and "view-realm" in the client "master-realm" under the roles tab.
So, in summary, I am confused.
Regards,
John
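An added example (not the poster's code and not from the Keycloak project) of the same admin flow over the REST API that the Java admin client wraps, keeping the login realm separate from the realm being managed and checking that the token actually carries the realm-management roles the quoted advice mentions. Assumptions: the admin account authenticates against master (where the post says it lives) through the built-in admin-cli client, and roles for another realm appear in the token under master's "<realm>-realm" client (SpringBootKeycloak-realm here); the sample token is constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

SERVER_URL = "http://mint191:8080/auth"   # server and realm names as given in the post
LOGIN_REALM = "master"                    # realm the admin account belongs to
TARGET_REALM = "SpringBootKeycloak"       # realm whose users are being created

def token_endpoint(server_url, login_realm):
    """Token endpoint of the realm the admin account lives in."""
    return f"{server_url}/realms/{login_realm}/protocol/openid-connect/token"
def users_endpoint(server_url, target_realm):
    """Admin REST endpoint for creating users in the managed realm."""
    return f"{server_url}/admin/realms/{target_realm}/users"
def jwt_payload(access_token):
    """Decode the JWT payload without verifying it: enough to inspect granted roles."""
    part = access_token.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(part))
def token_has_client_roles(access_token, client_id, required):
    """True when resource_access[client_id].roles holds every required role."""
    access = jwt_payload(access_token).get("resource_access", {})
    return set(required) <= set(access.get(client_id, {}).get("roles", []))
def get_admin_token(server_url, login_realm, username, password, client_id="admin-cli"):
    """Password grant against the login realm; returns the access token string."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(token_endpoint(server_url, login_realm), data=form) as resp:
        return json.load(resp)["access_token"]
def create_user(server_url, target_realm, access_token, user):
    """POST a UserRepresentation: 201 + Location on success, HTTPError on 401/403/409."""
    req = urllib.request.Request(users_endpoint(server_url, target_realm), method="POST",
                                 data=json.dumps(user).encode(),
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Location")

# Constructed, unsigned sample token (not from a real server) carrying the client
# roles a master admin gets for TARGET_REALM through master's "<realm>-realm" client.
SAMPLE_TOKEN = "eyJhbGciOiJub25lIn0." + base64.urlsafe_b64encode(json.dumps(
    {"resource_access": {f"{TARGET_REALM}-realm": {"roles": ["manage-users", "view-realm"]}}}
).encode()).rstrip(b"=").decode() + "."

if __name__ == "__main__":
    token = get_admin_token(SERVER_URL, LOGIN_REALM, "admincloak", "123456")
    assert token_has_client_roles(token, f"{TARGET_REALM}-realm", ["manage-users", "view-realm"])
    print(create_user(SERVER_URL, TARGET_REALM, token, {"username": "newuser", "enabled": True,
          "credentials": [{"type": "password", "value": "12345678", "temporary": False}]}))
```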
Re: [keycloak-user] create-client realm permission
by David Sautter
Hi Pedro,
thanks for your answer.
I created this issue: https://issues.jboss.org/browse/KEYCLOAK-12384
Best Regards,
David
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Tuesday, December 3, 2019 6:53 PM
To: Sautter David 1DS5 <David.Sautter(a)rohde-schwarz.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: *EXT* Re: [keycloak-user] create-client realm permission
Hi David,
We should probably have a JIRA for this one. You basically described the issue which is the dependency on the manage-clients in particular. Ideally, we should align the admin console to not only rely on roles as it stands today but also on the permissions if you have enabled it.
Regards.
Pedro Igor
On Tue, Dec 3, 2019 at 1:41 PM David Sautter <David.Sautter(a)rohde-schwarz.com> wrote:
Hello,
I want to give a group the permission to create clients for themselves, but not see and manage a set of other clients, for which they do not have permissions. They need to be in the same realm.
I noticed that the “Create Client” button only appears when the user has both the realm roles “manage-clients” & “create-clients”. I would want to give him only “query-clients” and “create-clients”, so that he would see/edit just a subset of clients plus be able to create a new one for himself.
How do I do that?
Best Regards,
David Sautter
Rohde & Schwarz GmbH & Co. KG
Postbox 80 14 69, D-81614 Muenchen
Dept. 1DS5
Phone: +49 89 4129 15256
Email: David.Sautter(a)rohde-schwarz.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
Cannot build 8.0.0: Could not find artifact org.glassfish.jaxb:txw2:jar:2.4.0-b180608.0325
by Мартынов Илья
I've checked out the 8.0.0 tag and tried to build it.
[ERROR] Failed to execute goal on project keycloak-saml-core-public: Could
not resolve dependencies for project
org.keycloak:keycloak-saml-core-public:jar:8.0.0: Could not find artifact
org.glassfish.jaxb:txw2:jar:2.4.0-b180608.0325 in parallels (
http://ci.int.zone/nexus/content/groups/parallels/) -> [Help 1]
Our repository is just a proxy for the Maven Central repo, and there is no such version in it:
https://mvnrepository.com/artifact/org.glassfish.jaxb/txw2
What have I missed?
My build environment:
[builder@imartynov-dev keycloak]$ java -version
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
[builder@imartynov-dev keycloak]$ javac -version
javac 1.8.0_191
[builder@imartynov-dev keycloak]$ mvn -version
Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555;
2019-04-04T22:00:29+03:00)
Maven home: /usr/local/apache-maven/apache-maven-3.6.1
Java version: 1.8.0_191, vendor: Oracle Corporation, runtime:
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "3.10.0-693.11.6.el7.x86_64", arch: "amd64",
family: "unix"
create-client realm permission
by David Sautter
Hello,
I want to give a group the permission to create clients for themselves, but not see and manage a set of other clients, for which they do not have permissions. They need to be in the same realm.
I noticed that the “Create Client” button only appears when the user has both the realm roles “manage-clients” & “create-clients”. I would want to give him only “query-clients” and “create-clients”, so that he would see/edit just a subset of clients plus be able to create a new one for himself.
How do I do that?
Best Regards,
David Sautter
Rohde & Schwarz GmbH & Co. KG
Postbox 80 14 69, D-81614 Muenchen
Dept. 1DS5
Phone: +49 89 4129 15256
Email: David.Sautter(a)rohde-schwarz.com
Keycloak Gatekeeper and Traefik ingress: stripping path prefix
by Laurens Martin
Hi,
I'm looking for help concerning Keycloak Gatekeeper and subpaths.
I've set up Keycloak in a Kubernetes cluster and aim to provide
authN/authZ through Keycloak Gatekeeper (v7). Everything on the cluster
is hosted under the same domain name, with a Traefik ingress controller
(v1.7) taking care of routing of the paths. There is no option to use
different subdomains.
So far I've managed to get the Gatekeeper working on a subpath, but the
problem is that I'm unable to strip path prefixes.
An example of my current Gatekeeper setup:
1. user goes to `example.site.com/foo/bar`
2. Traefik has an ingress defined for `/foo` and redirects the
user to the corresponding gatekeeper
3. Gatekeeper proxy receives the call and verifies user
authentication (redirects to keycloak if necessary)
4. actual service receives request of user on `/foo/bar`
The problem occurs at the last step. I am running applications which I
do not control that are unaware that they are running on `/foo` and
cannot be told that they are. All they should see is `/bar`.
Under normal conditions, I use the `traefik.frontend.rule.type:
PathPrefixStrip` annotation on the ingress to fix this sort of problem,
but I am unable to make this work with Keycloak Gatekeeper. I've tried
various combinations of `base-uri`, `auth-uri` and `redirection-url`,
without success. Is there any way to make Gatekeeper strip the path
prefix before sending it to the service? Or to make the Gatekeeper work
with the PathPrefixStrip annotation from Traefik?
The working settings as described in the example:
Keycloak Gatekeeper settings:
client-id: <id>
client-secret: <secret>
listen: :3000
redirection-url: https://example.site.com/
upstream-url: http://my-app.my-namespace.svc.cluster.local
base-uri: /foo
Traefik ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
  name: my-app-ingress
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: my-app-gatekeeper
          servicePort: auth
        path: /foo
Kind regards,
Laurens
Not able to create administrative User in Domain Clustered Mode
by Frank, Hans, 22F
Hi all,
I am trying to configure Keycloak in Domain Clustered Mode. I already was
able to create a little bit more advanced configuration (with external
database and loadbalancer and so on) in standalone clustered mode and I am
trying to transfer this configuration to domain clustered mode. But I am not
able to create the initial admin account in domain clustered mode, so I
tried to narrow the problem down with leaving everything on default and just
try to create that account.
So the basic setup is:
- Download and unzip keycloak-8.0.1.zip
- Start master (including loadbalancer): ./bin/domain.sh
--host-config=host-master.xml
(basically the "Clustered Domain Example" from the documentation without the
slave node instance.)
When accessing keycloak (locally) I get the message "You need local access
to create the initial admin user. Open http://localhost:8080/auth or use the
add-user-keycloak script."
When I open http://localhost:8080/auth I get the exact same message. When I
open http://localhost:8080/auth/admin, I get a login form.
So I tried to use the script add-user-keycloak.sh:
./bin/add-user-keycloak.sh -r master -u admin -p Test --domain --dc $KH/keycloak-8.0.1/domain/configuration/
Added 'admin' to '/opt/kc0/keycloak-8.0.1/domain/configuration/keycloak-add-user.json', restart server to load user
... and then restarted the server. But I still get the message "You need
local access ...." and when trying to login directly via .../auth/admin I
get "Invalid username or password.". Log output:
[Server:server-one] 08:52:10,560 WARN [org.keycloak.events] (default
task-2) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console,
userId=null, ipAddress=127.0.0.1, error=user_not_found,
auth_method=openid-connect, auth_type=code,
redirect_uri=http://localhost:8080/auth/admin/master/console/,
code_id=b4fb71f2-6e61-40c9-8953-506e589a1a0a, username=admin,
authSessionParentId=b4fb71f2-6e61-40c9-8953-506e589a1a0a,
authSessionTabId=RZzwAXq3BEw
The content of ../domain/configuration/keycloak-add-user.json looks OK to me:
[ {
  "realm" : "master",
  "users" : [ {
    "username" : "admin",
    "enabled" : true,
    "credentials" : [ {
      "type" : "password",
      "secretData" : "{\"value\":\"s0uo+lD2jgE+i68wWym1El6mlsMKJY3fkxlOMpRul9FBUv5vmQA/YbCC541NkP2EXOp6UjQYtSErkI9OQnM65Q==\",\"salt\":\"WYn5KUEDP+LbxGQQDZfnSg==\"}",
      "credentialData" : "{\"hashIterations\":100000,\"algorithm\":\"pbkdf2-sha256\"}"
    } ],
    "realmRoles" : [ "admin" ]
  } ]
} ]
What step did I miss in order to create the administrative account needed
for the initial login?
Thanks!
Hans
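As an added example (not from the post and not Keycloak's own code), an offline check of what a keycloak-add-user.json entry actually encodes: it walks the layout shown above, finds the realm/user pair, and recomputes the credential hash for a given password so that a wrong realm, a disabled user or a mistyped password can be ruled out before restarting the server. It assumes add-user-keycloak's pbkdf2-sha256 credential is PBKDF2-HMAC-SHA256 with a 16-byte base64 salt and a 512-bit base64 key, which matches the value sizes in the post; the sample file is constructed, not the poster's.

```python
import base64
import hashlib
import hmac
import json
import os

def make_credential(password, iterations=100000, salt=None):
    """Build a pbkdf2-sha256 credential in the layout add-user-keycloak writes.
    Assumed parameters: PBKDF2-HMAC-SHA256, 16-byte salt, 512-bit key, both base64."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return {"type": "password",
            "secretData": json.dumps({"value": base64.b64encode(key).decode(),
                                      "salt": base64.b64encode(salt).decode()}),
            "credentialData": json.dumps({"hashIterations": iterations,
                                          "algorithm": "pbkdf2-sha256"})}

def verify_credential(cred, password):
    """Recompute the hash with the stored salt and iteration count and compare."""
    secret, data = json.loads(cred["secretData"]), json.loads(cred["credentialData"])
    if data["algorithm"] != "pbkdf2-sha256":
        raise ValueError("unsupported algorithm: " + data["algorithm"])
    expected = base64.b64decode(secret["value"])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(secret["salt"]),
                                 data["hashIterations"], dklen=len(expected))
    return hmac.compare_digest(actual, expected)

def find_user(add_user_file, realm, username):
    """Locate (realm, username) in the parsed keycloak-add-user.json list, else None."""
    for entry in add_user_file:
        if entry.get("realm") == realm:
            for user in entry.get("users", []):
                if user.get("username") == username:
                    return user
    return None

def admin_login_would_succeed(add_user_file, realm, username, password):
    """Offline view of what the server will load: the user exists in that realm,
    is enabled, carries the admin role, and has a password credential matching `password`."""
    user = find_user(add_user_file, realm, username)
    if not user or not user.get("enabled") or "admin" not in user.get("realmRoles", []):
        return False
    return any(c.get("type") == "password" and verify_credential(c, password)
               for c in user.get("credentials", []))

# Constructed sample in the file's layout; the hash is generated here for the
# password "Test" rather than copied from the post.
SAMPLE_FILE = [{"realm": "master", "users": [{"username": "admin", "enabled": True,
                "credentials": [make_credential("Test")], "realmRoles": ["admin"]}]}]
```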
Keycloak 8.0.1 Released
by Stian Thorgersen
Highlights:
LDAP Issue
This release fixes a critical vulnerability in LDAP introduced in Keycloak
7. If you are using Keycloak 7.0.0, 7.0.1 or 8.0.0 in production we
strongly suggest that you upgrade immediately.
WildFly 18.0.1.Final
Upgrade to WildFly 18.0.1.Final which includes updates to a number of CVEs
in third-party libraries.
https://www.keycloak.org/2019/12/keycloak-801-released.html
CODE_TO_TOKEN_ERROR and clustered mode
by Daniel Fernández Rodríguez
Hi guys,
we have Keycloak v7 configured to use clustered mode.
For that I configured the service to start using standalone-ha.xml (we have Puppet, so all Keycloaks should have identical config) and added proxy-address-forwarding="true" (I have one nginx as a reverse proxy taking care of the https):
<http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="https" enable-http2="true"/>
In front of the keycloaks I have a couple of HAProxies configured to use
tcp mode.
From time to time, some users complain that they cannot log in.
When I check the logs I see something like:
{"loggerTimestamp":"2019-11-11T15:41:43.647+01:00","sequence":6354,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.events","level":"WARN","message":"type=CODE_TO_TOKEN_ERROR,
realmId=myrealm, clientId=myclient, userId=null,
ipAddress=111.222.30.198, error=invalid_code,
grant_type=authorization_code,
code_id=e24eaa47-adfd-48bc-a3bb-4f1fbe4ba59b,
client_auth_method=client-secret","threadName":"default
task-45","threadId":327,"mdc":{},"ndc":"","hostName":"keycloak-59cd3c0b11.mycompany.com","processName":"jboss-modules.jar","processId":12591
}
Do you know what might be happening?
There is not a lot of documentation on how to properly configure
clustered mode.
Thanks a lot.
Daniel.
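Detection logic over lines in the JSON log format quoted above, added here as an example rather than taken from the post: it flattens the key=value event message and correlates each failed code-to-token exchange with the node that logged the matching LOGIN event (Keycloak logs code_id on both), so invalid_code errors that land on a different node than the login can be counted separately from other causes. The LOGIN lines and every host name other than the one in the post are constructed.

```python
import json
import re
from collections import Counter

# Constructed sample: the CODE_TO_TOKEN_ERROR line is trimmed from the post; the LOGIN
# and CODE_TO_TOKEN lines, the user ids and "keycloak-node-a.example" are made up.
SAMPLE_LOG = r'''
{"loggerName":"org.keycloak.events","level":"INFO","message":"type=LOGIN, realmId=myrealm, clientId=myclient, userId=u1, ipAddress=111.222.30.198, code_id=e24eaa47-adfd-48bc-a3bb-4f1fbe4ba59b","hostName":"keycloak-node-a.example"}
{"loggerName":"org.keycloak.events","level":"WARN","message":"type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=myclient, userId=null, ipAddress=111.222.30.198, error=invalid_code, grant_type=authorization_code, code_id=e24eaa47-adfd-48bc-a3bb-4f1fbe4ba59b, client_auth_method=client-secret","hostName":"keycloak-59cd3c0b11.mycompany.com"}
{"loggerName":"org.keycloak.events","level":"INFO","message":"type=LOGIN, realmId=myrealm, clientId=myclient, userId=u2, ipAddress=10.0.0.7, code_id=0000-constructed-1","hostName":"keycloak-node-a.example"}
{"loggerName":"org.keycloak.events","level":"INFO","message":"type=CODE_TO_TOKEN, realmId=myrealm, clientId=myclient, userId=u2, ipAddress=10.0.0.7, code_id=0000-constructed-1","hostName":"keycloak-node-a.example"}
'''

def parse_event(line):
    """Flatten one JSON log line: the key=value pairs of 'message' plus the host
    that logged it. Returns None for lines that are not Keycloak events."""
    rec = json.loads(line)
    if rec.get("loggerName") != "org.keycloak.events":
        return None
    fields = {}
    for pair in re.split(r",\s*", rec["message"]):  # tolerant of wrapped messages
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    fields["host"] = rec.get("hostName", "?")
    return fields

def parse_log(text):
    return [e for e in (parse_event(l) for l in text.strip().splitlines()) if e]

def cross_node_code_errors(events):
    """code_ids whose LOGIN was logged on one node but whose failed code-to-token
    exchange was handled by another: a sign the nodes are not sharing the
    authentication session (cache replication/owners or proxy stickiness)."""
    login_host = {e["code_id"]: e["host"] for e in events
                  if e.get("type") == "LOGIN" and "code_id" in e}
    return sorted({e["code_id"] for e in events
                   if e.get("type") == "CODE_TO_TOKEN_ERROR" and e.get("error") == "invalid_code"
                   and e.get("code_id") in login_host and login_host[e["code_id"]] != e["host"]})

def error_counts(events):
    """(host, error) tally of CODE_TO_TOKEN_ERROR events, to spot one misbehaving node."""
    return Counter((e["host"], e.get("error")) for e in events
                   if e.get("type") == "CODE_TO_TOKEN_ERROR")
```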