Thanks Geoffrey, if you agree, let me use the query-users role, as my example only needs to
query users. I created new groups configured with the old roles plus the query-users role.
Here is the new configuration:
{
  "realm": "school-domain",
  "enabled": true,
  "accessTokenLifespan": 60,
  "accessCodeLifespan": 60,
  "accessCodeLifespanUserAction": 300,
  "ssoSessionIdleTimeout": 600,
  "ssoSessionMaxLifespan": 36000,
  "sslRequired": "external",
  "registrationAllowed": true,
  "resetPasswordAllowed": true,
  "editUsernameAllowed": true,
  "loginWithEmailAllowed": false,
  "duplicateEmailsAllowed": true,
  "privateKey": .......,
  "publicKey": .......,
  "requiredCredentials": [
    "password"
  ],
  "users": [
    {
      "username": "root",
      "enabled": true,
      "email": "lsflashboss62(a)gmail.com",
      "credentials": [
        {
          "type": "password",
          "value": "gtn"
        }
      ],
      "groups": [
        "admin"
      ]
    },
    {
      "username": "hfgfghhgffhgfgh",
      "enabled": true,
      "email": "luca.stancapiano(a)vige.it",
      "firstName": "Luca",
      "lastName": "Stancapiano",
      "credentials": [
        {
          "type": "password",
          "value": "gtn"
        }
      ],
      "groups": [
        "pupil"
      ]
    }
  ],
  "groups": [
    {
      "name": "admin",
      "path": "/admin",
      "attributes": {},
      "realmRoles": [
        "admin"
      ],
      "clientRoles": {
        "realm-management": [
          "query-users"
        ],
        "account": [
          "manage-account"
        ]
      },
      "subGroups": []
    },
    {
      "name": "pupil",
      "path": "/pupil",
      "attributes": {},
      "realmRoles": [
        "pupil"
      ],
      "clientRoles": {
        "realm-management": [
          "query-users"
        ],
        "account": [
          "manage-account"
        ]
      },
      "subGroups": []
    }
  ]
}
Now, when I connect through Postman to the URL
http://localhost:8180/auth/admin/realms/school-domain/users using the 'root' user
imported through the configuration, I receive an empty list, when I expect the two users
('root' and 'hfgfghhgffhgfgh') imported through the configuration. Where am I
wrong now?
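As an added diagnostic example (not code from this thread or from Keycloak), the following Python decodes what an access token actually carries in its resource_access.realm-management claim and maps the three symptoms seen in the thread (401, 403, empty list) to a likely cause. The required-role set, the sample claims and the placeholder signature are assumptions constructed for the example, not taken from the messages above.

```python
import base64
import json

# Realm-management client roles assumed here to be needed for a non-empty user list
# (assumption for this example; query-users alone is treated as insufficient).
REQUIRED_ROLES = {"view-users"}

def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def realm_management_roles(claims: dict) -> set:
    """Client roles for realm-management carried in the token's resource_access claim."""
    return set(claims.get("resource_access", {}).get("realm-management", {}).get("roles", []))

def diagnose(status: int, body, claims: dict, now: int) -> str:
    """Map the thread's symptoms (401, 403, empty list) to the likeliest cause."""
    roles = realm_management_roles(claims)
    if status == 401:
        if claims.get("exp", 0) <= now:
            return "401: token expired (accessTokenLifespan is 60 s in this realm)"
        return "401: token not accepted; send it as 'Authorization: Bearer <token>'"
    if status == 403:
        return f"403: no realm-management role in token (present: {sorted(roles) or 'none'})"
    missing = REQUIRED_ROLES - roles
    if status == 200 and body == [] and missing:
        return f"200 but empty list: token lacks {sorted(missing)} (has {sorted(roles)})"
    return f"200: {len(body)} user(s) returned"

def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed for this example; 'sig' is a placeholder)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(claims), "sig"])

if __name__ == "__main__":
    # Constructed claims mirroring the thread: the 'admin' group maps only query-users.
    claims = {"exp": 2000, "resource_access": {"realm-management": {"roles": ["query-users"]}}}
    token = make_sample_token(claims)
    print(diagnose(200, [], decode_jwt_payload(token), now=1000))
```

Paste a real token from Postman into decode_jwt_payload to see which realm-management roles the group mapping actually produced before calling the admin endpoint.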
On 7 December 2018 at 10:55 Geoffrey Cleaves
<geoff(a)opticks.io> wrote:
Be sure that the token you are using to list the users has a manage-realm
role.
On Thu, 6 Dec 2018 at 16:09, Luca Stancapiano <luca.stancapiano(a)vige.it>
wrote:
> But changing the Postman configuration from OAuth 2.0 to Bearer token I
> see the error has changed. Now I have a 403 Forbidden
>
> > On 6 December 2018 at 15:08 Joao Paulo Ramos <jramos(a)redhat.com>
> wrote:
> >
> >
> > Hello Luca,
> >
> > In your webapp's Keycloak Client, try putting it as bearer only.
> > Also, in the HTTP request that you make, be sure you are setting the
> > token in the header of the HTTP request, with the following parameter:
> >
> > {"Authorization" : "bearer " + $TOKEN}
> >
> > Thanks,
> >
> > JOÃO PAULO RAMOS
> >
> > Red Hat Brasil
> > <https://red.ht/sig>
> >
> >
> > On Thu, Dec 6, 2018 at 11:13 AM Luca Stancapiano <luca.stancapiano(a)vige.it>
> > wrote:
> >
> > > I'm trying to call via REST through Postman the list of users through the
> > > GET path: http://localhost:8180/auth/admin/realms/school-domain/users
> > >
> > > Here is my Keycloak configuration where I create 2 users, 4 roles, a 'school'
> > > client and a 'school-domain' realm:
> > >
> > > {
> > >   "realm": "school-domain",
> > >   "enabled": true,
> > >   "accessTokenLifespan": 60,
> > >   "accessCodeLifespan": 60,
> > >   "accessCodeLifespanUserAction": 300,
> > >   "ssoSessionIdleTimeout": 600,
> > >   "ssoSessionMaxLifespan": 36000,
> > >   "sslRequired": "external",
> > >   "registrationAllowed": true,
> > >   "resetPasswordAllowed": true,
> > >   "editUsernameAllowed": true,
> > >   "loginWithEmailAllowed": false,
> > >   "duplicateEmailsAllowed": true,
> > >   "privateKey": "...",
> > >   "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
> > >   "requiredCredentials": [
> > >     "password"
> > >   ],
> > >   "users": [
> > >     {
> > >       "username": "root",
> > >       "enabled": true,
> > >       "email": "lsflashboss62(a)gmail.com",
> > >       "credentials": [
> > >         {
> > >           "type": "password",
> > >           "value": "gtn"
> > >         }
> > >       ],
> > >       "realmRoles": [
> > >         "admin"
> > >       ],
> > >       "clientRoles": {
> > >         "account": [
> > >           "manage-account"
> > >         ]
> > >       }
> > >     },
> > >     {
> > >       "username": "HUHUJJJKJJKN",
> > >       "enabled": true,
> > >       "email": "luca.stancapiano(a)vige.it",
> > >       "firstName": "Luca",
> > >       "lastName": "Stancapiano",
> > >       "credentials": [
> > >         {
> > >           "type": "password",
> > >           "value": "gtn"
> > >         }
> > >       ],
> > >       "realmRoles": [
> > >         "pupil"
> > >       ],
> > >       "clientRoles": {
> > >         "account": [
> > >           "manage-account"
> > >         ]
> > >       }
> > >     }
> > >   ],
> > >   "clients": [
> > >     {
> > >       "clientId": "school",
> > >       "rootUrl": "http://localhost:8080/school",
> > >       "enabled": true,
> > >       "redirectUris": [
> > >         "http://localhost:8080/school/*"
> > >       ],
> > >       "webOrigins": [
> > >         "http://localhost:8080"
> > >       ],
> > >       "publicClient": false,
> > >       "secret": "bce5816d-98c4-404f-a18d-bcc5cb005c79",
> > >       "serviceAccountsEnabled": true,
> > >       "authorizationServicesEnabled": true,
> > >       "authorizationSettings": {
> > >         "allowRemoteResourceManagement": true,
> > >         "policyEnforcementMode": "ENFORCING",
> > >         "resources": [
> > >           {
> > >             "name": "Default Resource",
> > >             "type": "urn:school:resources:default",
> > >             "ownerManagedAccess": false,
> > >             "attributes": {},
> > >             "_id": "c338b2be-da73-471c-9bb0-77ad52e1f88f",
> > >             "uris": [
> > >               "/*"
> > >             ]
> > >           }
> > >         ],
> > >         "policies": [
> > >           {
> > >             "id": "edb01393-180e-4d95-afd3-92b3ac5a6d41",
> > >             "name": "Default Policy",
> > >             "description": "A policy that grants access only for users within this realm",
> > >             "type": "js",
> > >             "logic": "POSITIVE",
> > >             "decisionStrategy": "AFFIRMATIVE",
> > >             "config": {
> > >               "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
> > >             }
> > >           },
> > >           {
> > >             "id": "1f5dce97-54e3-4dcf-92bd-a2a59120286f",
> > >             "name": "Default Permission",
> > >             "description": "A permission that applies to the default resource type",
> > >             "type": "resource",
> > >             "logic": "POSITIVE",
> > >             "decisionStrategy": "UNANIMOUS",
> > >             "config": {
> > >               "defaultResourceType": "urn:school:resources:default",
> > >               "applyPolicies": "[\"Default Policy\"]"
> > >             }
> > >           }
> > >         ],
> > >         "scopes": []
> > >       }
> > >     }
> > >   ],
> > >   "roles": {
> > >     "realm": [
> > >       {
> > >         "name": "admin",
> > >         "description": "Administrator privileges"
> > >       },
> > >       {
> > >         "name": "schooloperator",
> > >         "description": "School Operator privileges"
> > >       },
> > >       {
> > >         "name": "teacher",
> > >         "description": "Teacher privileges"
> > >       },
> > >       {
> > >         "name": "pupil",
> > >         "description": "Pupil privileges"
> > >       }
> > >     ]
> > >   }
> > > }
> > >
> > > Keycloak starts on the 8180 port. I configured Postman with OAuth 2.0.
> > > Here is the OAuth configuration used to receive the token:
> > >
> > > Token Name: Token Name
> > > Grant Type: Authorization Code
> > > Callback URL: http://localhost:8080/school
> > > Auth URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/auth
> > > Access Token URL: http://localhost:8180/auth/realms/school-domain/protocol/openid-connect/t...
> > > Client ID: school
> > > Client Secret: bce5816d-98c4-404f-a18d-bcc5cb005c79
> > > Client Authentication: Send as Basic Auth header
> > >
> > > The Callback URL is an active simple web app starting on the 8080 port.
> > > The token creation is ok but when I call the server with the created token
> > > I get a 401 Unauthorized error. What am I missing?
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
>
--
Regards,
Geoffrey Cleaves