Hi Michal and Tony,
I think my confusion lies in the fact that I have an adminuser which is defined in the
master realm because that was there during keycloak setup. Then I added a working realm
and working client app. And I added users to the working realm and mapped them to a realm
based role.
And I do that by logging on to keycloak via a local browser, I have to use the admin user
defined in master realm. And then I can create users in the working realm and add them to
the realm based role.
And all of that works. When I browse to a protected resource in my Spring app, I get
redirected to keycloak login and after a successful login with an ordinary user, get sent
to that resource. Success.
So I assumed the same approach would work when using the java api. Builder object based on
the admin user, saying that I would use the working realm and the client id. Because I
want those new users to be added to the working realm, not the master realm.
But obviously this does not work because the permissions are not right, hence the 401
error.
I have been basing my code on
https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b.
As an aside, I am finding that keycloak does not quite add up. For instance, I tried
to use the self register feature in KC. It works in that it adds a user to the working
realm but the user is unusable because it is not associated with a role. The answer could
be to have a default role for new users. Or it could be to call some SB app code that
added the role. Except that there is no post registration feature to redirect to an end
point to run this code.
And with the api, the Builder object can have completely the wrong information (non
existent user, wrong password) and no exception is thrown. I realise that permissions can
be caught before they are used (e.g. a user can look but not create) so it is only when a
non permissible action is called that an exception is called. But the wrong
authentication?
So does the api have the same workflow as the browser admin?
Regards,
John
------ Original Message ------
From: "Michal Hajas" <mhajas(a)redhat.com>
To: "John Norris" <johnnorris-10(a)outlook.com>
Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Sent: 06/12/2019 09:33:41
Subject: Re: [keycloak-user] create user via java api
Have you changed clientId to some from master realm? In testsuite we are using
"admin-cli" client.
Michal
------ Original Message ------
From: "Tony Harris" <Tony.Harris@oneadvanced.com>
To: "John Norris" <johnnorris-10@outlook.com>
Sent: 06/12/2019 09:23:54
Subject: RE: Re[2]: create user via java api
John, I will tell you what I did when I was playing in this very area. We have an app that
allows some users to manage users and a few other bits and pieces in the realm.
We created a confidential client in the realm we want users to be able to manage. We did
not assign realm management rights to any normal users. Instead we used Spring Security to
restrict access to functions that allow user creation/maintenance by saying users with role
X can do this. Then we used the RestTemplate to obtain a server side bearer token for the
service account that we enabled when we created the confidential client, the service
account was assigned the realm management rights and can do the required realm management
functions within our SpringBoot application.
For us this meant that if any single normal user account was compromised or that user
tried to gain access to the keycloak console, they could not be used to manage the
realm.
Back when we did want individual users able to manage a realm the user was created in that
realm and given the rights based on the realm-management client roles.
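The two ways of obtaining admin access that this thread describes, written out as an added example using the Keycloak Java admin client (keycloak-admin-client); this is not code from any of the posters or from the gist John linked. Variant A is John's admin user in the master realm combined with Michal's admin-cli hint, variant B is Tony's confidential client with a service account that holds the realm-management roles. The server URL, working realm name, client id, secret and role name are placeholders.

```java
import java.util.List;
import javax.ws.rs.core.Response;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class CreateWorkingRealmUser {
    // Hypothetical values: substitute your own server URL and working realm name.
    static final String SERVER_URL = "https://keycloak.example.invalid/auth";
    static final String WORKING_REALM = "working";

    // Variant A (John's setup): the admin user exists only in master, so the token is
    // requested from master via admin-cli, while users are still created in WORKING_REALM.
    static Keycloak asMasterAdmin(String adminUser, String adminPassword) {
        return KeycloakBuilder.builder().serverUrl(SERVER_URL)
            .realm("master").clientId("admin-cli").grantType(OAuth2Constants.PASSWORD)
            .username(adminUser).password(adminPassword).build();
    }

    // Variant B (Tony's setup): a confidential client in the working realm whose service
    // account holds the realm-management roles, so no human credentials sit in the app.
    static Keycloak asServiceAccount(String clientId, String clientSecret) {
        return KeycloakBuilder.builder().serverUrl(SERVER_URL)
            .realm(WORKING_REALM).clientId(clientId).clientSecret(clientSecret)
            .grantType(OAuth2Constants.CLIENT_CREDENTIALS).build();
    }

    static String createUserWithRole(Keycloak kc, String username, String password, String roleName) {
        // build() is lazy and never contacts the server; request the token now so that
        // wrong credentials fail here instead of on the first admin call.
        kc.tokenManager().getAccessToken();
        var realm = kc.realm(WORKING_REALM);
        var cred = new CredentialRepresentation();
        cred.setType(CredentialRepresentation.PASSWORD);
        cred.setValue(password);
        cred.setTemporary(false);
        var user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true);
        user.setCredentials(List.of(cred));
        try (Response resp = realm.users().create(user)) {
            // getCreatedId throws if the status is not 201 (e.g. 401/403 when rights are missing)
            String userId = CreatedResponseUtil.getCreatedId(resp);
            // Map the realm role so the account is usable (the gap John saw with self-registration)
            var role = realm.roles().get(roleName).toRepresentation();
            realm.users().get(userId).roles().realmLevel().add(List.of(role));
            return userId;
        }
    }
}
```

Either `asMasterAdmin(...)` or `asServiceAccount(...)` can be passed to `createUserWithRole`; the difference is only where the token comes from, and in both cases the user and its role mapping land in the working realm.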