Thank you for your suggestion and the link. Since I am making a stand-alone
Java app to create realms dynamically, I'm using the Keycloak admin-client
and authz-client in my code. As suggested in the document, I set Access
Type to Confidential, turned on Service Account Enabled and assigned the
create-realm role to the service account of the admin-cli client in the master
realm.
My code is pretty straightforward:
import java.util.HashMap;
import java.util.Map;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;

String realmName = "Realm5";
// client secret of the confidential admin-cli client in the master realm
Map<String, Object> adminCliSecret = new HashMap<String, Object>();
adminCliSecret.put("secret", "3b7122d9-1fe0-4417-9407-33818153c7fa");
Configuration adminClientConfig = new Configuration();
adminClientConfig.setAuthServerUrl("http://localhost:8180/auth");
adminClientConfig.setRealm("master");
adminClientConfig.setResource("admin-cli");
adminClientConfig.setCredentials(adminCliSecret);
AuthzClient authzClient = AuthzClient.create(adminClientConfig);
// obtainAccessToken(username, password) sends a password grant
String serviceAccountAccessToken =
    authzClient.obtainAccessToken("admin-cli",
        "3b7122d9-1fe0-4417-9407-33818153c7fa").getToken(); // GET 401 HERE
createNewRealm(realmName, serviceAccountAccessToken);
I got 401 when trying to get the access token; it seems like the AuthzClient
uses grant_type=password instead of client_credentials. However, there is no
method to set grant_type for the AuthzClient.
Is the AuthzClient not supposed to be used to get an access token for a Service
Account? If it's not, then is there another client I can use, or do I have to
issue the HTTP request manually?
Thai
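As an added example (not code from this thread or from the Keycloak project), the following shows the client_credentials exchange the question is asking about, using the admin-client's KeycloakBuilder instead of AuthzClient. It assumes a dedicated confidential client named realm-creator in the master realm with Service Accounts Enabled and the create-realm role assigned to its service account, and it reads the client secret from a hypothetical KC_CLIENT_SECRET environment variable so the secret is not committed to the code repository:

```java
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RealmRepresentation;

public class RealmCreator {

    // Assumed values: a confidential client "realm-creator" in the master realm
    // with "Service Accounts Enabled" and the create-realm role granted to its
    // service account. The server URL matches the one used in the thread.
    private static final String SERVER_URL = "http://localhost:8180/auth";
    private static final String CLIENT_ID = "realm-creator";

    // Builds an admin client that authenticates as the service account with
    // grant_type=client_credentials rather than the default password grant.
    public static Keycloak serviceAccountClient(String clientSecret) {
        return KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm("master")
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(CLIENT_ID)
                .clientSecret(clientSecret)
                .build();
    }

    // Creates an enabled realm; the admin client attaches the bearer token
    // obtained from the token endpoint to the request automatically.
    public static void createRealm(Keycloak keycloak, String realmName) {
        RealmRepresentation realm = new RealmRepresentation();
        realm.setRealm(realmName);
        realm.setEnabled(true);
        keycloak.realms().create(realm);
    }

    public static void main(String[] args) {
        // Secret is supplied by the environment (hypothetical variable name),
        // never hard-coded in source.
        String secret = System.getenv("KC_CLIENT_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("KC_CLIENT_SECRET is not set");
        }
        Keycloak keycloak = serviceAccountClient(secret);
        try {
            // Forces the token exchange now so a misconfigured client fails
            // here with a clear error instead of on the first admin call.
            String token = keycloak.tokenManager().getAccessTokenString();
            System.out.println("Obtained service-account token (" + token.length() + " chars)");
            createRealm(keycloak, "Realm5");
        } finally {
            keycloak.close();
        }
    }
}
```

The token returned by tokenManager() is the same bearer token that Keycloak.getInstance(serverUrl, realm, clientId, authToken) accepts, so either entry point works once the client_credentials exchange succeeds. If the service account lacks the create-realm role, the token request still succeeds but realms().create throws a javax.ws.rs.ForbiddenException (HTTP 403), which is a useful way to tell an authentication problem (401 at the token endpoint) apart from an authorization one.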
On Fri, Mar 9, 2018 at 4:12 AM, Marko Strukelj <mstrukel(a)redhat.com> wrote:
Sometimes you already have an access token - your java client may have a
custom login mechanism for example that delegates username and password
input in order to retrieve it interactively from user. In that case client
doesn't even have to know about username and password - it only receives
fresh access and refresh tokens for example. A concrete example is
Registration Client CLI which stores the tokens in a private file so it
doesn't need to ask client for username and password all the time, and can
just use a still valid access token / refresh token.
For your case you'll want to create a custom client configuration, protect
it with clientId and client secret (or signed jwt), and enable the service
account for that client.
See:
http://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts
On Wed, Mar 7, 2018 at 8:31 PM, Nhut Thai Le <ntle(a)castortech.com> wrote:
> Hello,
>
> In the admin client I see there is an overloaded method to create a Keycloak
> instance using a token (Keycloak.getInstance(serverUrl, realm, clientId,
> authToken)). Is this considered more secure than using the
> username+password? If I'm using the access token in the method above,
> I still need to make another call earlier with the username + password to
> get the token; either way, the username + password will be in my code repo.
>
> I think I can create an account in the master realm with role create-realm.
> Can I use that as a service account, or is there an existing service
> account somewhere in the master realm?
>
> I'm trying to integrate Keycloak into my multitenancy application, where each
> client has his own realm to configure his security. My application needs to
> create the realm when the client registers with my app.
>
> Thai
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user