Hello Sebastien
Your PUT to the client registration endpoint made clear to me why I was not
able to set service accounts to enabled in the oidc endpoint request at
https://host/auth/realms/myrealm/clients-registrations/openid-connect
<
https://host/auth/realms/myrealm/clients-registrations/openid-connect>
<
https://host/auth/realms/myrealm/clients-registrations/openid-connect>As I
see it, it has to do with provider type
oidc vs.
default
with different objects behind it
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39
d10143b920/core/src/main/java/org/keycloak/representations/
oidc/OIDCClientRepresentation.java
<
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d...
keycloak/OIDCClientRepresentation.java at
1aeec2a83c6677cd7dcfccb6ba2c39d10143b920
· keycloak/keycloak · GitHub
<
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d...
github.com
keycloak - Open Source Identity and Access Management For Modern
Applications and Services
vs.
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39
d10143b920/core/src/main/java/org/keycloak/representations/
idm/ClientRepresentation.java
<
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d...
keycloak/ClientRepresentation.java at 1aeec2a83c6677cd7dcfccb6ba2c39d10143b920
· keycloak/keycloak · GitHub
<
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d...
github.com
keycloak - Open Source Identity and Access Management For Modern
Applications and Services
After I POST to
https://host/auth/realms/myrealm/clients-registrations/
openid-connect a simple
{ "client_name": "aclient", "redirect_uris" :
["https://clienturl/callback"]
}'
and then use the registration access token returned to update / PUT the
client (under clients-registrations/default/...
I get a 500 server error, but the service account is enabled correctly for
that client.
Here is my verbose CURL output
curl -v -X PUT \
-d '{ "clientId":
"dynamic_client_id_returned_from_oidc",
"serviceAccountsEnabled": true }' \
-H "Content-Type:application/json" \
-H "Authorization: bearer registration_access_token_from_oidc" \
https://host/auth/realms/myrealm/clients-registrations/
default/dynamic_client_id_returned_from_oidc
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: xxx
* Server certificate: xxx
PUT
/auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc
HTTP/1.1
Host: localhost
User-Agent: curl/7.43.0
Accept: */*
Content-Type:application/json
Authorization: bearer registration_access_token_from_oidc
Content-Length: 86
* upload completely sent off: 86 out of 86 bytes
< HTTP/1.1 500 Internal Server Error
< Connection: keep-alive
< X-Powered-By: Undertow/1
< Server: WildFly/10
< Content-Type: text/html
< Content-Length: 155
< Date: Wed, 11 Jan 2017 11:24:02 GMT
<
* Connection #0 to host localhost left intact
Could not find MessageBodyWriter for response object of type:
org.keycloak.representations.idm.ClientRepresentation of media type:
application/octet-stream
Am 11.01.2017 9:12 vorm. schrieb "Sebastien Blanc" <sblanc(a)redhat.com>:
Yes I was talking about the registration_endpoint , I just did the
test
with something like :
curl -X PUT \
-d '{ "clientId": "testclient",
"serviceAccountsEnabled": true }' \
-H "Content-Type:application/json" \
-H "Authorization: bearer my_registration_access_token" \
http://localhost:8080/auth/realms/myrealm/clients-registrations/default/
testclient
My Service Accounts for this client is then enabled but Keycloak fails to
returns a response for this PUT request. So I'm not able to get the new
registration access token.
Could you try this request and if it fails for you as well I will open a
ticket ?
Seb
On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms <sven.thoms(a)gmail.com> wrote:
> Hello Sebastien
>
> Are you talking about the Admin REST endpoint or the
> registration_endpoint defined at
> /auth/reales/[realmname]/.well-known/openid-configuration?
>
> I am trying to submit a registration request via registration_endpoint
> and submit a field enabling the service account.
>
> According to the openid connect dynamic client registration documentation
> at
openid.net, the request payload is non-normative, I am just not able
> to enable service account that way.
>
> Am 10.01.2017 10:32 vorm. schrieb "Sebastien Blanc"
<sblanc(a)redhat.com>:
>
>> I haven't tried it but when registering the client, in the payload, the
>> ClientRepresentation, there is a serviceAccountsEnabled field , so maybe
>> "service-accounts-enabled : true will do the trick ?
>>
>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms <sven.thoms(a)gmail.com>
>> wrote:
>>
>>> Is it possible via a setting to automatically enable clients registered
>>> dynamically via the well-known registration endpoint and registration
>>> access token? My current approach is to iterate over all clients post -
>>> creation and set serviceaccountsEnabled to true. I need a more prompt
>>> and
>>> real-time way
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>