Hi James,
yes, those are part of the authorization services and can be found in the
Keycloak Admin REST API docs. Look for ResourceRepresentation,
ResourceServerRepresentation, PolicyRepresentation, for example.
On Wed, Sep 4, 2019 at 7:07 PM James Mitchell <jamesm(a)suitebox.com> wrote:
Clicking through the UI I can see that all the things I need appear under
the system client "realm-management".
So I need to create the following items for that client's Authorization:
* Scope - simple "token-exchange"
* Policy - link to the client that I am using for the token exchange
* Resources - a resource for each identity provider, type "Identity Provider" and scope "token-exchange"
* Permission - one for each resource (idp) linking the resource, the scope, and the policy
So now I need to find the Admin API for client Authorization Scopes, Policy, Resources, and Permissions.
Are these endpoints in the Keycloak Admin REST API documentation?
Thanks,
James
----
*James Mitchell*
Developer
e: jamesm(a)suitebox.com
w: www.suitebox.com
*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
On Wed, 4 Sep 2019 at 16:25, James Mitchell <jamesm(a)suitebox.com> wrote:
> Can I get a pointer to any admin api endpoints to enable permissions for
> an identity provider to perform token exchange, and an endpoint to create
> the client policy for the permission?
>
> Firstly, I know this would all go away if I create identity providers and
> redirect to Keycloak to handle the whole oauth process... but then I think
> that would break all the existing redirect urls I have provided to the
> external oauth services, so I'm reluctant to do that. I'd prefer a behind
> the scenes migration.
>
> So, my use case is that I have an existing site with server code that
> authenticates users with external services then grants access to the site.
> I have migrated all the internal users to a Keycloak auth, and now I'm
> looking at how to exchange the tokens from the external service for valid
> Keycloak tokens.
>
> Following the steps from the documents, I can automate the following steps:
> * create an identity provider for the external service, and fill in all
> the endpoint and client ids
> * lookup the existing user (they are guaranteed to exist) and link them to
> the new IDP
> * < this is the missing step for automations >
> * perform the token exchange, which now works OK with my Google test user
>
> My problem is that I need to enable the permissions, and create the policy
> to allow the IDP to do token exchange; and I have not found which API
> endpoints will do that.
>
> Can someone point me at the right documents, or a keyword to search for
> in the Admin REST API document?
>
> Thanks,
> James
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
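As an added example (not from this thread or the Keycloak project), the following script automates the step James is missing over the Admin REST API: it enables fine-grained permissions on the IdP (which creates the IdP resource and an empty token-exchange scope permission under realm-management), creates the client policy, and attaches that policy to the scope permission. The server URL, realm, admin token, IdP alias and client id are placeholders, and the `resource` / `scopePermissions` fields read from the response are those of the ManagementPermissionReference representation.

```python
"""Grant one client the token-exchange permission on an identity provider
via the Keycloak Admin REST API; stdlib only, no Keycloak client library.
Usage (placeholders): grant_token_exchange("https://kc.example/auth",
                       admin_token, "myrealm", "google", "my-backend")"""
import json
import urllib.request

def client_policy(name, client_uuid):
    """PolicyRepresentation for a client policy matching one client (by uuid)."""
    return {"name": name, "type": "client", "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS", "clients": [client_uuid]}

def scope_permission(perm, resource_id, scope_id, policy_id):
    """Scope permission tying the IdP resource, the token-exchange scope and
    the client policy that must grant it (ids, not names)."""
    return {"id": perm["id"], "name": perm["name"], "type": "scope",
            "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "resources": [resource_id], "scopes": [scope_id],
            "policies": [policy_id]}

def call(base, token, method, path, body=None):
    """Minimal JSON request helper; returns None on an empty (204) body."""
    req = urllib.request.Request(
        base + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def grant_token_exchange(base, token, realm, idp_alias, requester_client_id):
    admin = f"/admin/realms/{realm}"
    def uuid_of(client_id):  # clientId (name) -> internal uuid used in authz ids
        return call(base, token, "GET", f"{admin}/clients?clientId={client_id}")[0]["id"]
    authz = f"{admin}/clients/{uuid_of('realm-management')}/authz/resource-server"
    # Enabling fine-grained permissions on the IdP creates its resource and an
    # empty token-exchange scope permission; the reference returns both ids.
    ref = call(base, token, "PUT", f"{admin}/identity-provider/instances/"
               f"{idp_alias}/management/permissions", {"enabled": True})
    policy = call(base, token, "POST", f"{authz}/policy/client",
                  client_policy(f"{idp_alias}-token-exchange",
                                uuid_of(requester_client_id)))
    perm_id = ref["scopePermissions"]["token-exchange"]
    perm = call(base, token, "GET", f"{authz}/permission/scope/{perm_id}")
    scope = call(base, token, "GET", f"{authz}/scope?name=token-exchange")[0]
    call(base, token, "PUT", f"{authz}/permission/scope/{perm_id}",
         scope_permission(perm, ref["resource"], scope["id"], policy["id"]))
    return perm_id
```

Keycloak versions of that era serve the admin API under the `/auth` context path, so the base URL must include it; after the run, the exchange request from the named client is evaluated against the attached client policy.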