That's what we're doing already at the moment, but it's not really ideal.
Having to make two requests to the admin API in order to register a user means the whole
process takes twice as long (roughly 300ms). It's not an absolutely critical issue,
but still not really nice, especially if we have to do a batch import from a legacy system
for example.
If it's intentionally this way and there's no plan to change it then the
documentation should be changed because it says you can provide a credential list (which
you technically can, but that's very misleading).
________________________________
From: Marko Strukelj <mstrukel(a)redhat.com>
Sent: Monday, May 15, 2017 4:50:12 PM
To: Scott Finlay
Cc: Alex Berg; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Can't set password when registering a user
You need to invoke resetPassword on UserResource, after creating a new user:
https://github.com/keycloak/keycloak/blob/3.1.0.Final/testsuite/integrati...
On Mon, May 15, 2017 at 12:01 PM, Scott Finlay
<scott.finlay@sixt.com> wrote:
Diving into the code, I see this, which seems to be the endpoint for creating a user:
https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/or...
This then calls:
https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/or...
That seems to just set the basic user data like name, email, enabled, etc. Then it sets
the "required actions", and then the custom attributes. I see nothing regarding
credentials there.
Is this just hidden away somewhere else, or is it just really missing from here?
________________________________
From: Scott Finlay
Sent: Monday, May 15, 2017 11:14:26 AM
To: Alex Berg
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Can't set password when registering a user
Hmm, that request body doesn't look very different from my example. I've tried now
removing the additional fields I had and adding the few you have and I still get exactly
the same outcome: when I try impersonating the user in the Keycloak admin panel he has no
password set (but he does when I explicitly call the reset-password endpoint).
Is there some setting/role/permission I'm missing maybe? I'm using version 2.5.5.Final.
________________________________
From: Alex Berg <chexxor@gmail.com>
Sent: Friday, May 12, 2017 6:09:59 PM
To: Scott Finlay
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Can't set password when registering a user
I do something like that, and it works for me.
The content of my XHR is JSON of this:
{ credentials:
    [ { type: "password"
      , temporary: false
      , value: regBody.password
      }
    ]
, email: regBody.email
, username: regBody.email
, emailVerified: false
, enabled: true
, requiredActions: [ "VERIFY_EMAIL" ]
}
The created user's ID is available on the "location" response header.
On Fri, May 12, 2017 at 2:27 AM, Scott Finlay
<scott.finlay@sixt.com>
wrote:
Hi,
According to the Keycloak admin API documentation:
http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_create_a_new_user
->
http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_userrepresentation
->
http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_credentialrepre...
We should be able to provide credentials when creating a new user, but when I provide
credentials it doesn't seem to set the password for the new user. Here is what my
request looks like:
POST /auth/admin/realms/myrealm/users/
{"enabled":true,"username":"blah@blop.com","email":"blah@blop.com","firstName":"Blah","lastName":"Blop","attributes":{"userId":["1234"]},"credentials":[{"type":"password","temporary":false,"value":"secr$tP4ssword"}]}
Just as an experiment, I tried passing a single "credential" instead of an array
of credentials and I got this error back:
internal server error;KeyCloak HTTP Error Response [400]:
com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of
java.util.ArrayList out of START_OBJECT token at [Source:
io.undertow.servlet.spec.ServletInputStreamImpl@264472bc; line: 1, column: 156] (through
reference chain:
org.keycloak.representations.idm.UserRepresentation["credentials"])
So clearly Keycloak is actually parsing this field. Am I doing something wrong with this
request or is the documentation wrong?
Right now what we've been doing to get around this is registering the user and then
doing a reset password request after, but this makes the request to our service take twice
as long. It would be great if we could reduce this to a single request.
Regards,
Scott
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
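
The create-then-reset-password workaround discussed in this thread, as an added example that is not part of any message or of Keycloak's own code: it reads the new user's ID from the Location header, sets the password through the reset-password endpoint, and deletes the account if that second call fails so no enabled user is left without a password. The `send` transport, the `fakeKeycloak` stand-in and the sample user ID are constructed for illustration.

```javascript
// Added example: two-step registration against the Keycloak admin REST API.
// Assumption: `send(method, path, body)` is a hypothetical transport that
// resolves to { status, headers } with lower-cased header names.
const ADMIN_BASE = "/auth/admin/realms"; // prefix from the request in the thread

// Pull the new user's ID out of the Location header of the create response,
// refusing anything that is not .../realms/<realm>/users/<id>.
function userIdFromLocation(location, realm) {
  const parts = String(location || "").split("/");
  const id = parts.pop();
  const inRealm = parts.slice(-3).join("/") === `realms/${encodeURIComponent(realm)}/users`;
  if (!inRealm || !/^[\w:.-]+$/.test(id)) {
    throw new Error("unexpected Location header: " + location);
  }
  return id;
}

async function registerUser(send, realm, user, password) {
  const base = `${ADMIN_BASE}/${encodeURIComponent(realm)}/users`;
  // Step 1: create the user. The password is kept out of this body.
  const { credentials, ...profile } = user;
  const created = await send("POST", base, profile);
  if (created.status !== 201) throw new Error("create failed: " + created.status);
  const id = userIdFromLocation(created.headers.location, realm);
  // Step 2: set the password through the reset-password endpoint.
  const cred = { type: "password", temporary: false, value: password };
  const reset = await send("PUT", `${base}/${id}/reset-password`, cred);
  if (reset.status === 204) return { id, passwordSet: true };
  // Step 2 failed: remove the account rather than leave it without a password.
  const removed = await send("DELETE", `${base}/${id}`);
  return { id, passwordSet: false, rolledBack: removed.status === 204 };
}

// Constructed in-memory stand-in for the admin API so the example runs offline.
function fakeKeycloak({ failReset = false } = {}) {
  const calls = [];
  const send = async (method, path, body) => {
    calls.push({ method, path, body });
    const location = `http://kc.example${path}/6f9619ff-8b86-d011-b42d-00c04fc964ff`;
    if (method === "POST") return { status: 201, headers: { location } };
    if (method === "PUT") return { status: failReset ? 500 : 204, headers: {} };
    return { status: 204, headers: {} }; // DELETE
  };
  return { send, calls };
}

const demo = fakeKeycloak({ failReset: true });
registerUser(demo.send, "myrealm", { username: "blah@blop.com", enabled: true }, "constructed-pw")
  .then((r) => console.log(r, demo.calls.map((c) => `${c.method} ${c.path}`)));
```

For a batch import, the returned `passwordSet` and `rolledBack` flags give the caller a per-user record of which accounts need to be retried.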