It looks like an authorization issue. Your user either doesn't have the required roles or your client is missing scopes (which means that the roles are not propagated to the access token).

To just view roles, you need the role "view-realm" of the client "realm-management".

Marek
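A quick way to check which of the two causes above applies is to look at what the access token actually carries: Keycloak puts client roles under resource_access.<client>.roles, so a token that is good enough for GET /admin/realms/{realm}/roles has "view-realm" under resource_access["realm-management"]. The script below is an added diagnostic, not code from the thread or from Keycloak; it decodes the JWT payload without verifying the signature (fine for inspecting a token your own client just received, never for making an authorization decision), and the two sample tokens are constructed here with fake signatures to show both outcomes.

```python
import base64
import json

ADMIN_CLIENT = "realm-management"   # client that owns the realm admin roles
VIEW_ROLES = {"view-realm"}         # enough for GET /admin/realms/{realm}/roles


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_claims(token):
    """Payload claims of a compact JWS, WITHOUT signature verification.

    Diagnostic only: we are inspecting a token the client itself received from
    Keycloak, not authorizing anything. Never authorize on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims, client):
    """Roles the token carries for `client` (resource_access.<client>.roles)."""
    return set(claims.get("resource_access", {}).get(client, {}).get("roles", []))


def diagnose(token, client=ADMIN_CLIENT, required=VIEW_ROLES):
    """Return (ok, reason) for an admin REST call needing `required` roles of `client`."""
    claims = token_claims(token)
    granted = client_roles(claims, client)
    missing = required - granted
    if not missing:
        return True, "token carries %s for client %s" % (sorted(required), client)
    if client not in claims.get("resource_access", {}):
        # No roles at all for the client. From the token alone you cannot tell
        # whether the user lacks the role mapping or the client's scope filtered
        # it out: both look identical here, so check both in the admin console.
        return False, "no resource_access for client %s: missing role mapping or client scope" % client
    return False, "missing client roles %s (have %s)" % (sorted(missing), sorted(granted))


def constructed_token(claims):
    """Build an UNSIGNED sample token (constructed for this example, not issued by Keycloak)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, _b64url_encode(b"not-a-real-signature"))


# Constructed sample claims, shaped like a Keycloak access token (hypothetical users).
TOKEN_WITH_VIEW_REALM = constructed_token({
    "iss": "http://localhost:8080/auth/realms/tenant1",
    "preferred_username": "alice",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"realm-management": {"roles": ["view-realm", "view-users"]}},
})
TOKEN_WITHOUT_ADMIN_ROLES = constructed_token({
    "iss": "http://localhost:8080/auth/realms/tenant1",
    "preferred_username": "bob",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"multitenant": {"roles": ["user"]}},
})

if __name__ == "__main__":
    for sample in (TOKEN_WITH_VIEW_REALM, TOKEN_WITHOUT_ADMIN_ROLES):
        print(diagnose(sample))
```

To use it against a real token, paste the output of getTokenString() into diagnose(); if the "realm-management" entry is absent entirely, check the user's client role mappings and the client's scope settings in the admin console, since the token cannot tell those two apart.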

On 7.7.2015 18:46, Stephen More wrote:
I have tried to add:
        org.keycloak.representations.IDToken idToken = principal.getKeycloakSecurityContext().getIdToken();
        org.keycloak.representations.AccessToken token = principal.getKeycloakSecurityContext().getToken();

        writer.write("<br/>Access Token id: " + token.getId());
        writer.write("<br/>Access Token String: " + principal.getKeycloakSecurityContext().getTokenString());
        writer.write("<br/>ID Token id: " + idToken.getId());
        writer.write("<br/>ID Token String: " + principal.getKeycloakSecurityContext().getIdTokenString());

        writer.write(String.format("<br/><a href=\"/multitenant/%s/logout\">Logout</a>", realm));

        try
        {
            // Call the admin REST API for this realm, using the logged-in user's access token as bearer token
            java.net.URL url = new java.net.URL("http://localhost:8080/auth/admin/realms/" + principal.getKeycloakSecurityContext().getRealm() + "/roles");
            java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url.openConnection();
            conn.setRequestMethod("GET");
            conn.setRequestProperty("Authorization", "Bearer " + principal.getKeycloakSecurityContext().getTokenString());
            java.io.BufferedReader in = new java.io.BufferedReader(new java.io.InputStreamReader(conn.getInputStream()));
            String line;
            while ((line = in.readLine()) != null)
            {
                writer.write(line);
            }
            in.close();
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }

to keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java

But I am getting an error:
12:28:28,317 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-16) Failed executing GET /admin/realms/tenant1/roles: org.keycloak.services.ForbiddenException


In stepping through the AdminClient of the admin-access-app, I found that an example bearer token was 1157 characters long.

principal.getKeycloakSecurityContext().getIdTokenString() turned out to be 645 characters long.

principal.getKeycloakSecurityContext().getTokenString() turned out to be 865 characters long.


What is it that I am missing?

On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke <bburke@redhat.com> wrote:
The access token should already be available.

On 7/7/2015 10:01 AM, Stephen More wrote:
> Or perhaps a better question would be: once a user is already logged
> into Keycloak, how can an
> org.keycloak.representations.AccessTokenResponse without providing a
> password a second time?
>
> On Sun, Jul 5, 2015 at 12:00 PM, Stephen More <stephen.more@gmail.com> wrote:
>
>     How could I extend the multi-tenant example (
>     https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>     ) to make a REST admin API call back to Keycloak using Java?
>
>     I think this would be a helpful example in upcoming releases.
>
>     Thanks
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com