Now I see. The "authorizationSettings" is not used at all when
creating/updating a client. The reason for that is that we tried to decouple
authz functionality from the rest as much as we could when we introduced it.
To change authz settings you need a call to
(maybe you can check how admin console is doing this).
You can also use the Keycloak Admin Client Java API to import settings for
a client.
On Thu, Mar 9, 2017 at 8:55 AM, Sven Thoms <sven.thoms(a)gmail.com> wrote:
curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=admin-cli&username=admin&password=xxx&grant_type=password" \
  https://keycloak.fin.uniquedomain/auth/realms/master/protocol/openid-connect/token | jq
I am using the access_token as bearer token in the ADMIN REST interface:
curl -v -X POST \
  -H "Content-Type:application/json" \
  -H 'Authorization: bearer xxxxx' \
  -d '{
    "clientId": "test_client",
    "name": "test_client",
    "rootUrl": "",
    "adminUrl": "",
    "surrogateAuthRequired": false,
    "enabled": true,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
      "/*"
    ],
    "webOrigins": [
      "/*"
    ],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": true,
    "serviceAccountsEnabled": true,
    "authorizationServicesEnabled": true,
    "publicClient": false,
    "frontchannelLogout": false,
    "protocol": "openid-connect",
    "fullScopeAllowed": true,
    "authorizationSettings": {
      "allowRemoteResourceManagement": true,
      "policyEnforcementMode": "ENFORCING",
      "resources": [
        {
          "name": "Default Resource",
          "uri": "/*",
          "type": "urn:test_client:resources:default",
          "typedScopes": []
        }
      ],
      "policies": [
        {
          "name": "Default Policy",
          "description": "A policy that grants access only for users within this realm",
          "type": "js",
          "logic": "POSITIVE",
          "decisionStrategy": "AFFIRMATIVE",
          "config": {
            "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
          }
        },
        {
          "name": "Default Permission",
          "description": "A permission that applies to the default resource type",
          "type": "resource",
          "logic": "POSITIVE",
          "decisionStrategy": "UNANIMOUS",
          "config": {
            "defaultResourceType": "urn:test_client:resources:default",
            "default": "true",
            "applyPolicies": "[\"Default Policy\"]"
          }
        }
      ],
      "scopes": []
    }
  }' \
  https://keycloak.fin.uniquedomain/auth/admin/realms/myrealm/clients
The client is added correctly, and it is now a resource with the authZ
resources and permissions, but under Authorization - Settings, Remote
Resource Management is still off.
On 09.03.2017 at 12:49 PM, "Pedro Igor Silva" <psilva(a)redhat.com> wrote:
> What are you using to call the API ?
>
> On Thu, Mar 9, 2017 at 7:17 AM, Sven Thoms <sven.thoms(a)gmail.com> wrote:
>
>> Both on the POST and PUT for client, with authorizationservicesenabled set
>> to true, I cannot set
>>
>> allowRemoteResourceManagement
>>
>> to true. It is as if the Admin REST interface just ignores that setting.
>>
>> Can anyone confirm and possibly explain, please?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
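
A post-provisioning check for the behaviour described in this thread, added here as an example and not taken from the thread or from Keycloak: it compares the authorizationSettings sent in a client body with the settings read back from the server and lists every requested value that did not take effect. Both JSON documents are constructed samples, the function names are hypothetical, and how the read-back document is fetched is left outside the example.

```python
# Added example (not from the thread or from Keycloak's code base): lists every
# value requested under "authorizationSettings" that the read-back settings lack.

def drift(want, have, path="authorizationSettings"):
    """Yield (path, requested, actual); keys only the server reports are ignored."""
    if isinstance(want, dict):
        have = have if isinstance(have, dict) else {}
        for key, value in want.items():
            yield from drift(value, have.get(key), f"{path}.{key}")
    elif isinstance(want, list) and want and all(
            isinstance(i, dict) and "name" in i for i in want):
        # Resources, policies and scopes are matched by name, not position.
        named = {i["name"]: i for i in have or []
                 if isinstance(i, dict) and "name" in i}
        for item in want:
            yield from drift(item, named.get(item["name"]),
                             f"{path}[{item['name']}]")
    elif want != have:
        yield (path, want, have)


def unapplied_settings(client_body, server_settings):
    """client_body: JSON sent when creating the client; server_settings: read-back."""
    requested = client_body.get("authorizationSettings")
    return [] if requested is None else list(drift(requested, server_settings))


# Constructed sample, trimmed from the POST body quoted in the thread.
REQUESTED_CLIENT = {
    "clientId": "test_client",
    "authorizationServicesEnabled": True,
    "authorizationSettings": {
        "allowRemoteResourceManagement": True,
        "policyEnforcementMode": "ENFORCING",
        "resources": [{"name": "Default Resource", "uri": "/*"}],
        "policies": [{"name": "Default Policy", "type": "js"}],
    },
}
# Constructed sample of the state the thread describes (remote management off).
SERVER_SETTINGS = {
    "allowRemoteResourceManagement": False,
    "policyEnforcementMode": "ENFORCING",
    "resources": [{"name": "Default Resource", "uri": "/*", "_id": "constructed-id"}],
    "policies": [{"name": "Default Policy", "type": "js"}],
}

if __name__ == "__main__":
    for path, want, have in unapplied_settings(REQUESTED_CLIENT, SERVER_SETTINGS):
        print(f"NOT APPLIED {path}: requested {want!r}, server has {have!r}")
```

Run as a provisioning gate, a non-empty result means the client exists but its authorization settings are not the ones that were requested.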