You're not using AdminClient API but AuthorizationClient API which is a
different API.
Using AdminClient API is as simple as:
Keycloak keycloak = Keycloak.getInstance(
        keycloakBaseUrl,
        "master",
        username,
        password,
        "admin-cli");
On Fri, Mar 9, 2018 at 6:07 PM, Nhut Thai Le <ntle(a)castortech.com> wrote:
Thank you for your suggestion and the link. Since I am making a stand-alone
Java app to create realms dynamically, I'm using the Keycloak admin-client
and authz-client in my code. As suggested in the document, I set Access Type
to Confidential, turned on Service Account Enabled and assigned the
create-realm role to the service account of the admin-cli client in the
master realm.
My code is pretty straightforward:
// imports for the snippet below
import java.util.HashMap;
import java.util.Map;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;

String realmName = "Realm5";
Map<String, Object> adminCliSecret = new HashMap<String, Object>();
adminCliSecret.put("secret", "3b7122d9-1fe0-4417-9407-33818153c7fa");
Configuration adminClientConfig = new Configuration();
adminClientConfig.setAuthServerUrl("http://localhost:8180/auth");
adminClientConfig.setRealm("master");
adminClientConfig.setResource("admin-cli");
adminClientConfig.setCredentials(adminCliSecret);
AuthzClient authzClient = AuthzClient.create(adminClientConfig);
String serviceAccountAccessToken = authzClient.obtainAccessToken("admin-cli",
        "3b7122d9-1fe0-4417-9407-33818153c7fa").getToken(); // GET 401 HERE
createNewRealm(realmName, serviceAccountAccessToken);
I got a 401 when trying to get the access token; it seems like the AuthzClient
uses grant_type=password instead of client_credentials. However, there is no
method to set grant_type for the AuthzClient.
Is the AuthzClient not supposed to be used to get an access token for a Service
Account? If it's not, then is there another client I can use, or do I have to
issue the HTTP request manually?
Thai
On Fri, Mar 9, 2018 at 4:12 AM, Marko Strukelj <mstrukel(a)redhat.com> wrote:
> Sometimes you already have an access token - your java client may have a
> custom login mechanism for example that delegates username and password
> input in order to retrieve it interactively from user. In that case client
> doesn't even have to know about username and password - it only receives
> fresh access and refresh tokens for example. A concrete example is
> Registration Client CLI which stores the tokens in a private file so it
> doesn't need to ask client for username and password all the time, and can
> just use a still valid access token / refresh token.
>
> For your case you'll want to create a custom client configuration,
> protect it with clientId and client secret (or signed jwt), and enable the
> service account for that client.
>
> See: http://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts
>
>
>
> On Wed, Mar 7, 2018 at 8:31 PM, Nhut Thai Le <ntle(a)castortech.com> wrote:
>
>> Hello,
>>
>> In the admin client I see there is an overloaded method to create a Keycloak
>> instance using a token (Keycloak.getInstance(serverUrl, realm, clientId,
>> authToken)). Is this considered more secure than using the
>> username+password? If I'm using the access token in the method above,
>> I still need to make another call earlier with the username + password to
>> get the token, so either way the username + password will be in my code
>> repo.
>>
>> I think I can create an account in the master realm with the role
>> create-realm; can I use that as a service account, or is there an existing
>> service account somewhere in the master realm?
>>
>> I'm trying to integrate Keycloak into my multitenancy application, where
>> each client has his own realm to configure his security. My application
>> needs to create the realm when the client registers with my app.
>>
>> Thai
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
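A worked version of the AdminClient route for the service-account case, added here and not code from the thread or the Keycloak project: it uses KeycloakBuilder from the admin-client library with the client_credentials grant, so no admin user's password is needed in the application at all. It assumes the admin-cli client is configured as described above (confidential, service account enabled, create-realm role granted to the service account) and reads the server URL and client secret from two hypothetical environment variables, KEYCLOAK_URL and ADMIN_CLI_SECRET.

```java
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RealmRepresentation;

// Added example, not code from the mailing-list thread.
public class CreateRealmWithServiceAccount {

    public static void main(String[] args) {
        // Hypothetical environment variable names; keeping the secret out of the
        // code repository is the point of using a service account in the first place.
        String serverUrl = System.getenv("KEYCLOAK_URL");        // e.g. http://localhost:8180/auth
        String clientSecret = System.getenv("ADMIN_CLI_SECRET"); // secret of the admin-cli client
        if (serverUrl == null || clientSecret == null) {
            throw new IllegalStateException("KEYCLOAK_URL and ADMIN_CLI_SECRET must be set");
        }

        // Keycloak.getInstance(url, realm, username, password, clientId) always uses the
        // password grant; KeycloakBuilder lets the grant type be set to client_credentials,
        // which is what a service account needs. AuthzClient is the wrong library for this.
        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm("master")
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId("admin-cli")
                .clientSecret(clientSecret)
                .build();

        try {
            // The admin client's TokenManager obtains (and later refreshes) the
            // service-account token on first use; no user credentials are involved.
            RealmRepresentation realm = new RealmRepresentation();
            realm.setRealm("Realm5");
            realm.setEnabled(true);
            keycloak.realms().create(realm);

            // The same token can also feed the token-based overload discussed in the
            // thread, if another component should use it without ever seeing the secret.
            String accessToken = keycloak.tokenManager().getAccessTokenString();
            Keycloak viaToken = Keycloak.getInstance(serverUrl, "master", "admin-cli", accessToken);
            viaToken.close();
        } finally {
            keycloak.close();
        }
    }
}
```

Rotating the client secret invalidates nothing in this program, since it is read at start-up rather than committed with the source.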