Incomplete ClientRepresentation returned from /{realm}/clients REST endpoint
by John Dennis
A GET on the /{realm}/clients REST endpoint is supposed to return an
array of ClientRepresentation JSON objects. This is documented here:
https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clients_resource
According to the REST documentation
(https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clientrepresen...)
a ClientRepresentation is supposed to contain the following top level keys:
access
adminUrl
attributes
authenticationFlowBindingOverrides
authorizationServicesEnabled
authorizationSettings
baseUrl
bearerOnly
clientAuthenticatorType
clientId
consentRequired
defaultClientScopes
defaultRoles
description
directAccessGrantsEnabled
enabled
frontchannelLogout
fullScopeAllowed
id
implicitFlowEnabled
name
nodeReRegistrationTimeout
notBefore
optionalClientScopes
origin
protocol
protocolMappers
publicClient
redirectUris
registeredNodes
registrationAccessToken
rootUrl
secret
serviceAccountsEnabled
standardFlowEnabled
surrogateAuthRequired
webOrigins
However when authenticated as the admin in the master realm on Keycloak
version 4.8.2.Final a GET on /{realm}/clients returns
ClientRepresentations containing only these keys:
access
attributes
authenticationFlowBindingOverrides
bearerOnly
clientAuthenticatorType
clientId
consentRequired
defaultClientScopes
directAccessGrantsEnabled
enabled
frontchannelLogout
fullScopeAllowed
id
implicitFlowEnabled
nodeReRegistrationTimeout
notBefore
optionalClientScopes
protocol
publicClient
redirectUris
serviceAccountsEnabled
standardFlowEnabled
surrogateAuthRequired
webOrigins
This means the following keys are omitted from the ClientRepresentation.
Why?
adminUrl
authorizationServicesEnabled
authorizationSettings
baseUrl
defaultRoles
description
name
origin
protocolMappers
registeredNodes
registrationAccessToken
rootUrl
secret
As far as I can tell the documented ClientRepresentation closely matches
what is in the code here:
https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k...
I believe this is the method used to return the ClientRepresentation
from the REST endpoint:
https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44...
The conversion from model to representation occurs here:
https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44...
I don't see anything which is dropping the missing keys in the returned
ClientRepresentation.
Is something filtering the result?
The context for the question arises from this: We were creating a client
via a PUT and allowing Keycloak to generate the client secret, we then
wanted to extract the client secret from the ClientRepresentation but
it's absent. I can also understand why the client secret might be omitted
for security reasons (although I did find that seems to replace that
value with "**********", but that's not happening either, it's just
absent). That's when we noticed it wasn't just the client secret that
was missing but 12 other keys as well.
--
John Dennis
5 years, 11 months
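An added diagnostic, not Keycloak code and not part of the post above: it checks a client listing against the documented key list, reports which documented keys are absent from each returned representation, and distinguishes an absent secret from a masked one, since the two mean different things when you are deciding where a generated secret went. The response body is constructed to mirror the 24 keys the post observed; the id is a placeholder. The serialize_non_null helper is an assumption about one way unset fields can vanish (a serializer configured to drop null-valued fields rather than emit them as null); the post does not establish that this is what happens.

```python
import json

# The top-level keys the ClientRepresentation docs list (as quoted in the post).
DOCUMENTED_KEYS = [
    "access", "adminUrl", "attributes", "authenticationFlowBindingOverrides",
    "authorizationServicesEnabled", "authorizationSettings", "baseUrl",
    "bearerOnly", "clientAuthenticatorType", "clientId", "consentRequired",
    "defaultClientScopes", "defaultRoles", "description",
    "directAccessGrantsEnabled", "enabled", "frontchannelLogout",
    "fullScopeAllowed", "id", "implicitFlowEnabled", "name",
    "nodeReRegistrationTimeout", "notBefore", "optionalClientScopes", "origin",
    "protocol", "protocolMappers", "publicClient", "redirectUris",
    "registeredNodes", "registrationAccessToken", "rootUrl", "secret",
    "serviceAccountsEnabled", "standardFlowEnabled", "surrogateAuthRequired",
    "webOrigins",
]

# Keys whose values a diagnostic script must never log or store.
SENSITIVE_KEYS = {"secret", "registrationAccessToken"}
SECRET_MASK = "**********"   # the masked form the post mentions

# Constructed sample response: one confidential client, carrying only the keys
# the post observed. Every other documented key is simply absent.
SAMPLE_RESPONSE = json.dumps([{
    "id": "00000000-0000-0000-0000-000000000000",   # placeholder, not a real id
    "clientId": "example-app",
    "enabled": True,
    "protocol": "openid-connect",
    "clientAuthenticatorType": "client-secret",
    "publicClient": False,
    "bearerOnly": False,
    "consentRequired": False,
    "standardFlowEnabled": True,
    "implicitFlowEnabled": False,
    "directAccessGrantsEnabled": False,
    "serviceAccountsEnabled": False,
    "frontchannelLogout": False,
    "fullScopeAllowed": True,
    "surrogateAuthRequired": False,
    "nodeReRegistrationTimeout": -1,
    "notBefore": 0,
    "redirectUris": ["https://app.example/*"],
    "webOrigins": [],
    "defaultClientScopes": ["profile", "email"],
    "optionalClientScopes": ["offline_access"],
    "attributes": {},
    "authenticationFlowBindingOverrides": {},
    "access": {"view": True, "configure": True, "manage": True},
}])


def serialize_non_null(rep):
    """Serialize a representation, dropping None-valued fields.

    Assumption, not established by the post: this mimics a serializer set to
    omit null fields, which would explain why unset keys never appear at all.
    """
    return json.dumps({k: v for k, v in rep.items() if v is not None}, sort_keys=True)


def audit_client(rep, documented=DOCUMENTED_KEYS):
    """Compare one returned representation against the documented key list."""
    present = sorted(k for k in documented if k in rep)
    missing = sorted(k for k in documented if k not in rep)
    undocumented = sorted(k for k in rep if k not in documented)
    if "secret" not in rep:
        secret_state = "absent"
    elif rep["secret"] == SECRET_MASK:
        secret_state = "masked"
    else:
        secret_state = "present"
    return {
        "clientId": rep.get("clientId"),
        "present": present,
        "missing": missing,
        "undocumented": undocumented,
        "secret": secret_state,
    }


def audit_response(body, documented=DOCUMENTED_KEYS):
    """Audit every representation in a /{realm}/clients response body."""
    return [audit_client(rep, documented) for rep in json.loads(body)]


def redact(rep):
    """Copy of a representation that is safe to print or log."""
    return {k: (SECRET_MASK if k in SENSITIVE_KEYS else v) for k, v in rep.items()}


if __name__ == "__main__":
    for report in audit_response(SAMPLE_RESPONSE):
        print(report["clientId"], "secret:", report["secret"])
        print("  missing documented keys:", ", ".join(report["missing"]))
        print("  undocumented keys:", report["undocumented"] or "none")
```

To run it against a live server, replace SAMPLE_RESPONSE with the body of GET /admin/realms/{realm}/clients fetched with an admin bearer token, and pass anything you print through redact so secrets and registration access tokens stay out of logs. Note that the same REST documentation the post links also exposes the client secret through its own sub-resource (GET /{realm}/clients/{id}/client-secret), which is the endpoint to read a generated secret from rather than the listing.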
Keycloak gatekeeper - match claims with realm access
by Murugappan Sevugan Chetty
Hello,
Below is a part of my token:

    "realm_access": {
        "roles": [
            "role1",
            "role2",
            "role3"
        ]
    }

I need help with the match claims config for gatekeeper. I tried like below and
got an error:

    match-claims:
      realm_access: role1

    unable to parse claim as string: realm_access","error":"unable to parse
    claim as string array: realm_access"}
Thanks
5 years, 11 months
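An added illustration, not gatekeeper code and not part of the post above: a small claim matcher that follows the rule the error text implies (assumption: a match-claims entry is a regular expression applied to a claim that must be a string or an array of strings). It shows why a rule keyed on realm_access, whose value is a JSON object, fails with exactly that kind of error, while a rule on a string claim such as preferred_username succeeds, and how a check that descends to realm_access.roles would look. The token payload is constructed around the realm_access fragment from the post; the issuer is a placeholder.

```python
import re

# Constructed token payload; realm_access is the fragment quoted in the post.
TOKEN_PAYLOAD = {
    "iss": "https://keycloak.example/auth/realms/demo",   # placeholder issuer
    "aud": "account",
    "preferred_username": "alice",
    "realm_access": {"roles": ["role1", "role2", "role3"]},
    "resource_access": {"app": {"roles": ["app-role"]}},
}


class ClaimTypeError(ValueError):
    """Raised when a claim is neither a string nor an array of strings."""


def match_claim(claims, name, pattern):
    """Return True when claim `name` matches regex `pattern`.

    Assumed rule, mirroring the error message in the post: a string claim must
    match the whole pattern; an array of strings matches if any element does;
    any other JSON type (object, number, bool, null) is rejected outright.
    """
    if name not in claims:
        return False
    value = claims[name]
    regex = re.compile(pattern)
    if isinstance(value, str):
        return regex.fullmatch(value) is not None
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return any(regex.fullmatch(v) for v in value)
    raise ClaimTypeError(
        f"unable to parse claim as string or string array: {name} "
        f"(got {type(value).__name__})")


def resolve_path(claims, path):
    """Walk a dotted path such as 'realm_access.roles' through nested objects."""
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def match_nested_claim(claims, path, pattern):
    """Apply the same string/array rule to a value reached by a dotted path."""
    value = resolve_path(claims, path)
    if value is None:
        return False
    return match_claim({path: value}, path, pattern)


def evaluate_rules(claims, rules):
    """Evaluate a match-claims-style mapping of claim name to regex.

    Returns (all_matched, per_rule_results) where a failed type check is
    reported as its error text instead of a boolean.
    """
    results = {}
    for name, pattern in rules.items():
        try:
            results[name] = match_claim(claims, name, pattern)
        except ClaimTypeError as exc:
            results[name] = str(exc)
    return all(v is True for v in results.values()), results


if __name__ == "__main__":
    # The rule from the post: realm_access is an object, so it cannot match.
    print(evaluate_rules(TOKEN_PAYLOAD, {"realm_access": "role1"}))
    # A rule on a string claim works as expected.
    print(evaluate_rules(TOKEN_PAYLOAD, {"preferred_username": "ali.*"}))
    # Descending to the string array inside realm_access.
    print(match_nested_claim(TOKEN_PAYLOAD, "realm_access.roles", "role1"))
```

The point the matcher makes is that the error is about the claim's type, not its contents: the roles live one level down, inside an array, and a matcher that only accepts top-level strings or string arrays has nothing it can compare realm_access against.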
Force certain realm users to login via IDP
by Tim Hedlund
We are looking into using an IDP (Azure AD) for login. Some users (admins) will then authenticate there. The need for this is that Keycloak admins (user management in a certain realm) will need to authenticate via two factor because of company policies. So I've already set up a working integration with AD. The problem now is that pre-existing users that already had a login and password in Keycloak must no longer be able to use login/password. This is to force IDP (two factor) login.
I've tried to "Disable Credentials" for "password" for such a user but still he could log in.
I'm thinking of a solution where we script a custom browser flow action where we check if the user is an admin and then deny him if using password.
Any thoughts or suggestions?
Regards
Tim
5 years, 11 months
View all users button doesn't work with user federation
by Lorenzo Luconi Trombacchi
I just upgraded my Keycloak installation from 4.5 to 4.8.3. I’m using a custom user federation provider and after the upgrade the “View all users” button in the Users tab returns only internal users and not the users from my identity provider.
I can look up and authenticate any users, but the button returns an empty list.
I tested also older releases like 4.6 and 4.7 and the problem persists.
Is this the expected behavior of new releases?
In migration documentation I didn’t find anything about changes in SPI.
Thanks,
Lorenzo
5 years, 11 months
Client authentication with signed JWT failed: Token is not active
by Matuszak, Eduard
Hello
I have observed error-messages from Keycloak with this content:
{"error":"unauthorized_client","error_description":"Client authentication with signed JWT failed: Token is not active"}) response: {"error":"unauthorized_client","error_description":"Client authentication with signed JWT failed: Token is not active"}
Scanning for an explanation of how this can happen did not yield a sufficient answer, and Keycloak's code did not really clear up the problem.
Perhaps the problem can be mitigated by setting the token-expiration value in keycloak.json (which unfortunately seems not to be explained in Keycloak's docs), which is set to its default here, i.e. "token-expiration": 10?
If someone has any idea or experience on how this error could have come up, it would be nice to let me know.
Best regards, Eduard Matuszak
5 years, 11 months
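An added worked example, not Keycloak code and not from the post above: it builds the claims of a client assertion with the 10-second lifetime the post quotes for token-expiration, then evaluates the exp/nbf checks that a server performs before it can report a token as not active, once with no leeway and once with an allowed clock skew. It shows how a client clock 15 seconds off the server's makes a 10-second assertion dead on arrival in either direction, and how a longer lifetime or a skew allowance changes the outcome. The assertion is encoded unsigned because the signature is not what that error is about; the claim layout (iss and sub carrying the client id, aud the token endpoint) and the symmetric skew handling are assumptions, as are the client id and endpoint values.

```python
import base64
import json
import time

TOKEN_EXPIRATION = 10  # seconds; the keycloak.json default the post quotes


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_assertion_claims(client_id, token_endpoint, client_now,
                           lifetime=TOKEN_EXPIRATION):
    """Claims of a client assertion as the client's own clock sees them.

    Assumed layout: iss and sub carry the client id, aud the token endpoint,
    iat and nbf the client's current time, exp = iat + lifetime.
    """
    return {
        "iss": client_id,
        "sub": client_id,
        "aud": token_endpoint,
        "jti": "constructed-jti-0001",  # placeholder; real assertions use a random id
        "iat": client_now,
        "nbf": client_now,
        "exp": client_now + lifetime,
    }


def encode_unsigned(claims):
    """Compact JWT with an 'alg: none' header, used here only to inspect claims."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims(token):
    return json.loads(b64url_decode(token.split(".")[1]))


def check_active(claims, server_now, allowed_skew=0):
    """(active, reason) from the exp/nbf checks, judged on the server's clock.

    allowed_skew is the leeway in seconds granted to a client clock that is
    ahead of or behind the server's (assumption: the same leeway both ways).
    """
    exp = claims.get("exp")
    nbf = claims.get("nbf")
    if exp is not None and server_now >= exp + allowed_skew:
        return False, f"expired: server clock is {server_now - exp}s past exp"
    if nbf is not None and server_now + allowed_skew < nbf:
        return False, f"not yet valid: nbf is {nbf - server_now}s ahead of the server clock"
    return True, "active"


def diagnose(token, server_now, allowed_skew=0):
    """Summarize why an assertion is or is not active on the server's clock.

    client_server_offset assumes the client stamped iat with its own 'now', so
    iat - server_now approximates the skew between the two clocks.
    """
    claims = decode_claims(token)
    active, reason = check_active(claims, server_now, allowed_skew)
    return {
        "active": active,
        "reason": reason,
        "lifetime": claims["exp"] - claims["iat"],
        "client_server_offset": claims["iat"] - server_now,
    }


if __name__ == "__main__":
    client_clock = int(time.time())
    token = encode_unsigned(build_assertion_claims(
        "example-client", "https://kc.example/token", client_clock))
    for client_skew in (0, -15, 15):
        # A client clock that is client_skew seconds ahead means the server is
        # that many seconds behind it.
        server_now = client_clock - client_skew
        print(f"client clock off by {client_skew:+d}s, no leeway:",
              diagnose(token, server_now))
        print(f"client clock off by {client_skew:+d}s, 30s leeway:",
              diagnose(token, server_now, allowed_skew=30))
```

When diagnosing a real failure, decode the assertion the adapter actually sent and compare its iat against the server's log timestamp: with a 10-second lifetime, a few seconds of drift plus network latency is enough to land outside the exp window, so keeping both clocks synchronized matters more than any single configuration value.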
Custom Authenticator
by Artem Grebenkin
Hi folks,
I have the following use case. There is a service which creates ("registers") a
user in Keycloak over the REST API. After that I would like to log in the user
automatically. So I need some kind of link which I can return to the
browser and which will log in the user and redirect them back to some
location.
Where do I have to look? Can somebody give me some advice and some keywords?
Thanks for your help
Artem
5 years, 11 months
Expose role attributes in Keycloak javascript adapter
by Tom Barber
Hi folks,
We’ve got some attributes in the Keycloak roles. Is there a way to release
them with a user using the Javascript adapter?
Thanks
Tom
5 years, 11 months