On Wed, Mar 5, 2014 at 2:29 PM, <keycloak-user-request@lists.jboss.org> wrote:

Send keycloak-user mailing list submissions to
keycloak-user@lists.jboss.org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.jboss.org/mailman/listinfo/keycloak-user
or, via email, send a message with subject or body 'help' to
keycloak-user-request@lists.jboss.org

You can reach the person managing the list at
keycloak-user-owner@lists.jboss.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of keycloak-user digest..."

Today's Topics:

1. Openshift installation (Davide Ungari)
2. How to access realms/{realm}/users/{user} with Application
(Dean Peterson)
3. Re: How to access realms/{realm}/users/{user} with
Application (Bill Burke)
4. Re: How to access realms/{realm}/users/{user} with
Application (Stian Thorgersen)
5. Re: How to access realms/{realm}/users/{user} with
Application (Dean Peterson)

----------------------------------------------------------------------

Message: 1
Date: Sun, 2 Mar 2014 06:20:15 -0500 (EST)
From: Davide Ungari <davide@billdrawer.com>
Subject: [keycloak-user] Openshift installation
To: keycloak user list <keycloak-user@lists.jboss.org>
Message-ID:
<155451129.27399.1393759215776.open-xchange@app1.ox.registrar-servers.com>

Content-Type: text/plain; charset="utf-8"

At the end I got it!
I followed the instructions of section 4.1 "Create Keycloak instance with the
web tool" instead of the command-line tool.

Davide Ungari, Founder
www.billdrawer.com | davide@billdrawer.com
Milan, IT
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140302/7bc0c0a7/attachment-0001.html

------------------------------

Message: 2
Date: Tue, 4 Mar 2014 13:15:31 -0600
From: Dean Peterson <peterson.dean@gmail.com>
Subject: [keycloak-user] How to access realms/{realm}/users/{user}
with Application
To: keycloak-user@lists.jboss.org
Message-ID:
<CAFGzvPkrgJtAq=6jAJOsa9x8cw4Boo3PEO3nDEPAz8eSUa6AOg@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I am trying to find the best way to access the UsersResource.java Rest
services outside the keycloak admin application to get a user's
information. How do I make a request using just the client's credentials?

I currently use something like this but I get a 401 because I am using a
user's oauth token and they only have user privileges:
SkeletonKeySession session = (SkeletonKeySession) request
.getAttribute(SkeletonKeySession.class.getName());
ResteasyClient client = new ResteasyClientBuilder()
.trustStore(session.getMetadata().getTruststore())
.hostnameVerification(

ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
.build();

String username = request.getRemoteUser();

Profile profile = null;

try {

Response response = client
.target("
http://server:8080/auth/rest/admin/realms/myrealm/users/")
.path(username)
.request()
.header(HttpHeaders.AUTHORIZATION,
"Bearer " + session.getTokenString()).get();

// Get the existing entry if there is one. Otherwise, just
return
// the regular
// entity retrieved from the remote system.
try {
profile = profileRepository
.findByRegistrationId(member.getId());

} catch (NoResultException e) {
// ignore
}

} finally {
client.close();
}

Is there a way for the application to make a request directly as an admin
without giving the user admin privileges?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140304/061695ca/attachment-0001.html

------------------------------

Message: 3
Date: Tue, 04 Mar 2014 15:46:04 -0500
From: Bill Burke <bburke@redhat.com>
Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
with Application
To: keycloak-user@lists.jboss.org
Message-ID: <53163B8C.3060605@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 3/4/2014 2:15 PM, Dean Peterson wrote:
> Hello,
>
> I am trying to find the best way to access the UsersResource.java Rest
> services outside the keycloak admin application to get a user's
> information. How do I make a request using just the client's credentials?
>

You just want basic information right? name, email, etc.? Next release
(March 13th) we'll have OpenID Connect support. SkeletonKeysession
(renamed to KeycloakSecurityContext) will have a reference to an IDToken
which can be populated with various user information (claims). Allowed
claims are specified per application/oauth client.

You can build and use this right now. View the
preconfigured/customer-portal examples to see how its being done right

If you don't want to build/run from master you can do a POST to
/auth/rest/realms/keycloak-admin/tokens/grants/access

URL form encoded parameters of:

username=admin
password=admin-password

This will return an access token which you can use to invoke on the
admin REST API. *NOTE* we're chaning this particular REST API next
release too :(

> I currently use something like this but I get a 401 because I am using a
> user's oauth token and they only have user privileges:
> SkeletonKeySession session = (SkeletonKeySession) request
> .getAttribute(SkeletonKeySession.class.getName());
> ResteasyClient client = new ResteasyClientBuilder()
> .trustStore(session.getMetadata().getTruststore())
> .hostnameVerification(
>
> ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
> .build();
>
> String username = request.getRemoteUser();
>
> Profile profile = null;
>
> try {
>
> Response response = client
>
> .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
> .path(username)
> .request()
> .header(HttpHeaders.AUTHORIZATION,
> "Bearer " + session.getTokenString()).get();
>
> // Get the existing entry if there is one. Otherwise, just
> return
> // the regular
> // entity retrieved from the remote system.
> try {
> profile = profileRepository
> .findByRegistrationId(member.getId());
>
> } catch (NoResultException e) {
> // ignore
> }
>
> } finally {
> client.close();
> }
>
> Is there a way for the application to make a request directly as an
> admin without giving the user admin privileges?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

------------------------------

Message: 4
Date: Wed, 5 Mar 2014 04:09:35 -0500 (EST)
From: Stian Thorgersen <stian@redhat.com>
Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
with Application
To: Dean Peterson <peterson.dean@gmail.com>
Cc: keycloak-user@lists.jboss.org
Message-ID:
<1739218212.20951754.1394010575408.JavaMail.zimbra@redhat.com>
Content-Type: text/plain; charset=utf-8

There's also a Keycloak specific mechanism for accessing the account of the user associated with the token.

To do this open the scope mappings for your app/client, and select 'account' in the application roles, select 'view-profile' and click the right-arrow. This will allow your app/client to view the profile of the current user.

Then you can make a request (with bearer token) to:

/auth/rest/realms/myrealm/account

In the future we'll add support to do all account specific things through these REST endpoints to support all operations provided by the account management application.

----- Original Message -----
> From: "Dean Peterson" <peterson.dean@gmail.com>
> To: keycloak-user@lists.jboss.org
> Sent: Tuesday, 4 March, 2014 7:15:31 PM
> Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
>
> Hello,
>
> I am trying to find the best way to access the UsersResource.java Rest
> services outside the keycloak admin application to get a user's information.
> How do I make a request using just the client's credentials?
>
> I currently use something like this but I get a 401 because I am using a
> user's oauth token and they only have user privileges:
> SkeletonKeySession session = (SkeletonKeySession) request
> .getAttribute(SkeletonKeySession.class.getName());
> ResteasyClient client = new ResteasyClientBuilder()
> .trustStore(session.getMetadata().getTruststore())
> .hostnameVerification(
> ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
> .build();
>
> String username = request.getRemoteUser();
>
> Profile profile = null;
>
> try {
>
> Response response = client
> .target(" http://server:8080/auth/rest/admin/realms/myrealm/users/ ")
> .path(username)
> .request()
> .header(HttpHeaders.AUTHORIZATION,
> "Bearer " + session.getTokenString()).get();
>
> // Get the existing entry if there is one. Otherwise, just return
> // the regular
> // entity retrieved from the remote system.
> try {
> profile = profileRepository
> .findByRegistrationId(member.getId());
>
> } catch (NoResultException e) {
> // ignore
> }
>
> } finally {
> client.close();
> }
>
> Is there a way for the application to make a request directly as an admin
> without giving the user admin privileges?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

------------------------------

Message: 5
Date: Wed, 5 Mar 2014 14:28:53 -0600
From: Dean Peterson <peterson.dean@gmail.com>
Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
with Application
To: Stian Thorgersen <stian@redhat.com>
Cc: keycloak-user@lists.jboss.org
Message-ID:
<CAFGzvPkYz5ZVwzJ+WmDoirWn=W3fW3kGV7GRvQxCCpeVC2ULAw@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Thank you. I tried what you said. I am able access that REST service on
the Keycloak server but it returns an AccountService object. Actually, I
get a 406 error response on my end. I think it is because I did not have
the keycloak-services dependency in my application's pom. However, when I
add it and I try to start the server, I get the error: Could not find
constructor for class: org.keycloak.services.resources.RealmsResource.
Should I make my own local version of AccountService and not add
keycloak-services to my application? What is the best approach? Any ideas
why I might be getting a 406 error?

SkeletonKeySession session = (SkeletonKeySession) request
.getAttribute(SkeletonKeySession.class.getName());
ResteasyClient client = new ResteasyClientBuilder()
.trustStore(session.getMetadata().getTruststore())
.hostnameVerification(

ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
.build();

String username = request.getRemoteUser();

Profile profile = null;

try {

Response response = client
.target("
http://server:8080/auth/rest/realms/myrealm/account")
.request()
.header(HttpHeaders.AUTHORIZATION,
"Bearer " + session.getTokenString()).get();

.
.
.

On Wed, Mar 5, 2014 at 3:09 AM, Stian Thorgersen <stian@redhat.com> wrote:

> There's also a Keycloak specific mechanism for accessing the account of
> the user associated with the token.
>
> To do this open the scope mappings for your app/client, and select
> 'account' in the application roles, select 'view-profile' and click the
> right-arrow. This will allow your app/client to view the profile of the
> current user.
>
> Then you can make a request (with bearer token) to:
>
> /auth/rest/realms/myrealm/account
>
> In the future we'll add support to do all account specific things through
> these REST endpoints to support all operations provided by the account
> management application.
>
> ----- Original Message -----
> > From: "Dean Peterson" <peterson.dean@gmail.com>
> > To: keycloak-user@lists.jboss.org
> > Sent: Tuesday, 4 March, 2014 7:15:31 PM
> > Subject: [keycloak-user] How to access realms/{realm}/users/{user} with
> Application
> >
> > Hello,
> >
> > I am trying to find the best way to access the UsersResource.java Rest
> > services outside the keycloak admin application to get a user's
> information.
> > How do I make a request using just the client's credentials?
> >
> > I currently use something like this but I get a 401 because I am using a
> > user's oauth token and they only have user privileges:
> > SkeletonKeySession session = (SkeletonKeySession) request
> > .getAttribute(SkeletonKeySession.class.getName());
> > ResteasyClient client = new ResteasyClientBuilder()
> > .trustStore(session.getMetadata().getTruststore())
> > .hostnameVerification(
> > ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
> > .build();
> >
> > String username = request.getRemoteUser();
> >
> > Profile profile = null;
> >
> > try {
> >
> > Response response = client
> > .target(" http://server:8080/auth/rest/admin/realms/myrealm/users/ ")
> > .path(username)
> > .request()
> > .header(HttpHeaders.AUTHORIZATION,
> > "Bearer " + session.getTokenString()).get();
> >
> > // Get the existing entry if there is one. Otherwise, just return
> > // the regular
> > // entity retrieved from the remote system.
> > try {
> > profile = profileRepository
> > .findByRegistrationId(member.getId());
> >
> > } catch (NoResultException e) {
> > // ignore
> > }
> >
> > } finally {
> > client.close();
> > }
> >
> > Is there a way for the application to make a request directly as an admin
> > without giving the user admin privileges?
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user@lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140305/c27824e7/attachment.html

------------------------------

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

End of keycloak-user Digest, Vol 3, Issue 2
*******************************************