Everything seems to be working now. I have created a pull request:
Hopefully this will help someone else out in the future.
On Jul 11, 2015 7:33 AM, "Stephen More" <stephen.more(a)gmail.com> wrote:
I added:
"realm-management": [ "realm-admin" ],
to:
"clientRoles": {
Now I am getting:
07:25:37,948 WARN [org.jboss.resteasy.core.ExceptionHandler] (default
task-92) Failed executing GET /admin/realms/tenant1/roles:
org.jboss.resteasy.spi.UnauthorizedException: Bearer
at
org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152)
at
org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:183)
at sun.reflect.GeneratedMethodAccessor339.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
On Wed, Jul 8, 2015 at 6:20 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
> It looks like authorization issue. Your user either doesn't have
> required roles or your client is missing scopes (which means that roles are
> not propagated to accessToken).
>
> To just view roles, you need role "view-realm" of client
> "realm-management" .
>
> Marek
>
>
> On 7.7.2015 18:46, Stephen More wrote:
>
> I have tried to add:
> org.keycloak.representations.IDToken idToken =
> principal.getKeycloakSecurityContext().getIdToken();
> org.keycloak.representations.AccessToken token =
> principal.getKeycloakSecurityContext().getToken();
>
> writer.write("<br/>Access Token id: " + token.getId());
> writer.write("<br/>Access Token String: " +
> principal.getKeycloakSecurityContext().getTokenString());
> writer.write("<br/>ID Token id: " + idToken.getId());
> writer.write("<br/>ID Token String: " +
> principal.getKeycloakSecurityContext().getIdTokenString());
>
> writer.write(String.format("<br/><a
> href=\"/multitenant/%s/logout\">Logout</a>", realm));
>
> try
> {
> java.net.URL url = new java.net.URL( "
>
http://localhost:8080/auth/admin/realms/" +
> principal.getKeycloakSecurityContext().getRealm() + "/roles" );
> java.net.HttpURLConnection conn =
> (java.net.HttpURLConnection)url.openConnection();
> conn.setRequestMethod( "GET" );
> conn.setRequestProperty("Authorization", "Bearer
" +
> principal.getKeycloakSecurityContext().getTokenString());
> java.io.BufferedReader in = new java.io.BufferedReader(
> new java.io.InputStreamReader( conn.getInputStream()));
> String line;
> while ((line = in.readLine()) != null)
> {
> writer.write( line );
> }
> in.close();
> }
> catch( Exception e )
> {
> e.printStackTrace();
> }
>
> to
>
keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
>
> But I am getting an error:
> 12:28:28,317 WARN [org.jboss.resteasy.core.ExceptionHandler] (default
> task-16) Failed executing GET /admin/realms/tenant1/roles:
> org.keycloak.services.ForbiddenException
>
>
> In stepping through the AdminClient of the admin-access-app I have found
> an example bearer token was 1157 characters long.
>
> principal.getKeycloakSecurityContext().getIdTokenString() turned out to
> be 645 characters long.
>
> principal.getKeycloakSecurityContext().getTokenString() turned out to be
> 865 characters long.
>
>
> What is it that I am missing ?
>
> On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke <bburke(a)redhat.com> wrote:
>
>> The access token should already be available.
>>
>> On 7/7/2015 10:01 AM, Stephen More wrote:
>> > Or perhaps a better question would be: Once a user is already logged
>> > into keycloak, how can a
>> > org.keycloak.representations.AccessTokenResponse without providing a
>> > password a second time ?
>> >
>> > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More <stephen.more(a)gmail.com
>> > <mailto:stephen.more@gmail.com>> wrote:
>> >
>> > How could I extend the multi-tenant example (
>> >
https://github.com/keycloak/keycloak/tree/master/examples/
>> > <
>>
https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>> >multi-tenant
>> > ) to make a Rest admin api call back to keycloak using java ?
>> >
>> > I think this would be a helpful example in upcoming releases.
>> >
>> > Thanks
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> >
https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>