Re: [keycloak-user] Service Account enable by default for clients, how?

Hello Sebastien Your PUT to the client registration endpoint made clear to me why I was not able to set service accounts to enabled in the oidc endpoint request at https://host/auth/realms/myrealm/clients-registrations/openid-connect <https://host/auth/realms/myrealm/clients-registrations/openid-connect> <https://host/auth/realms/myrealm/clients-registrations/openid-connect>As I see it, it has to do with provider type oidc vs. default with different objects behind it https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7d cfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/ representations/oidc/OIDCClientRepresentation.java <https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d... keycloak/OIDCClientRepresentation.java at 1aeec2a83c6677cd7dcfccb6ba2c39d10143b920 · keycloak/keycloak · GitHub <https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d... github.com keycloak - Open Source Identity and Access Management For Modern Applications and Services vs. https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7d cfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/ representations/idm/ClientRepresentation.java <https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d... keycloak/ClientRepresentation.java at 1aeec2a83c6677cd7dcfccb6ba2c39d10143b920 · keycloak/keycloak · GitHub <https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d... github.com keycloak - Open Source Identity and Access Management For Modern Applications and Services After I POST to https://host/auth/realms/myrealm/clients-registrations/op enid-connect a simple { "client_name": "aclient", "redirect_uris" : ["https://clienturl/callback"] }' and then use the registration access token returned to update / PUT the client (under clients-registrations/default/... I get a 500 server error, but the service account is enabled correctly for that client. Here is my verbose CURL output curl -v -X PUT \ > -d '{ "clientId": "dynamic_client_id_returned_from_oidc", "serviceAccountsEnabled": true }' \ > -H "Content-Type:application/json" \ > -H "Authorization: bearer registration_access_token_from_oidc" \ > https://host/auth/realms/myrealm/clients-registrations/def ault/dynamic_client_id_returned_from_oidc * Trying 127.0.0.1... * Connected to localhost (127.0.0.1) port 443 (#0) * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: xxx * Server certificate: xxx > PUT /auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc HTTP/1.1 > Host: localhost > User-Agent: curl/7.43.0 > Accept: */* > Content-Type:application/json > Authorization: bearer registration_access_token_from_oidc > Content-Length: 86 > * upload completely sent off: 86 out of 86 bytes < HTTP/1.1 500 Internal Server Error < Connection: keep-alive < X-Powered-By: Undertow/1 < Server: WildFly/10 < Content-Type: text/html < Content-Length: 155 < Date: Wed, 11 Jan 2017 11:24:02 GMT < * Connection #0 to host localhost left intact Could not find MessageBodyWriter for response object of type: org.keycloak.representations.idm.ClientRepresentation of media type: application/octet-stream Am 11.01.2017 9:12 vorm. schrieb "Sebastien Blanc" <sblanc(a)redhat.com&gt;: > Yes I was talking about the registration_endpoint , I just did the test > with something like : > > curl -X PUT \ > -d '{ "clientId": "testclient", "serviceAccountsEnabled": true }' \ > -H "Content-Type:application/json" \ > -H "Authorization: bearer my_registration_access_token" \ > http://localhost:8080/auth/realms/myrealm/clients-registrati > ons/default/testclient > > My Service Accounts for this client is then enabled but Keycloak fails to > returns a response for this PUT request. So I'm not able to get the new > registration access token. > > Could you try this request and if it fails for you as well I will open a > ticket ? > > Seb > > > > On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms <sven.thoms(a)gmail.com&gt; wrote: > >> Hello Sebastien >> >> Are you talking about the Admin REST endpoint or the >> registration_endpoint defined at >> /auth/reales/[realmname]/.well-known/openid-configuration? >> >> I am trying to submit a registration request via registration_endpoint >> and submit a field enabling the service account. >> >> According to the openid connect dynamic client registration >> documentation at openid.net, the request payload is non-normative, I >> am just not able to enable service account that way. >> >> Am 10.01.2017 10:32 vorm. schrieb "Sebastien Blanc" <sblanc(a)redhat.com&gt;: >> >>> I haven't tried it but when registering the client, in the payload, the >>> ClientRepresentation, there is a serviceAccountsEnabled field , so maybe >>> "service-accounts-enabled : true will do the trick ? >>> >>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms <sven.thoms(a)gmail.com&gt; >>> wrote: >>> >>>> Is it possible via a setting to automatically enable clients registered >>>> dynamically via the well-known registration endpoint and registration >>>> access token? My current approach is to iterate over all clients post >>>> - >>>> creation and set serviceaccountsEnabled to true. I need a more prompt >>>> and >>>> real-time way >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >