There is a long term plan to create an Admin REST API v2 which would be
much more ergonomic, and address this specific case as well. But it's not
yet on our schedule.
On Mon, May 15, 2017 at 4:59 PM, Scott Finlay <scott.finlay(a)sixt.com> wrote:
That's what we're doing already at the moment, but it's
not really ideal.
Having to make two requests to the admin API in order to register a user
means the whole process takes twice as long (roughly 300ms). It's not an
absolutely critical issue, but still not really nice, especially if we have
to do a batch import from a legacy system for example.
If it's intentionally this way and there's no plan to change it then the
documentation should be changed because it says you can provide a
credential list (which you technically can, but that's very misleading).
------------------------------
*From:* Marko Strukelj <mstrukel(a)redhat.com>
*Sent:* Monday, May 15, 2017 4:50:12 PM
*To:* Scott Finlay
*Cc:* Alex Berg; keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Can't set password when registering a user
You need to invoke resetPassword on UserResource, after creating a new
user:
https://github.com/keycloak/keycloak/blob/3.1.0.Final/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ApiUtil.java#L153-L159
On Mon, May 15, 2017 at 12:01 PM, Scott Finlay <scott.finlay(a)sixt.com> wrote:
> Diving into the code, I see this, which seems to be the endpoint for
> creating a user:
>
>
>
> https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L207
>
> This then calls:
>
> https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L244
>
> That seems to just set the basic user data like name, email, enabled,
> etc. Then it sets the "required actions", and then the custom attributes. I
> see nothing regarding credentials there.
>
>
> Is this just hidden away somewhere else, or is it just really missing
> from here?
>
> ________________________________
> From: Scott Finlay
> Sent: Monday, May 15, 2017 11:14:26 AM
> To: Alex Berg
> Cc: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Can't set password when registering a user
>
>
> Hmm, that request body doesn't look very different from my example. I've
> tried now removing the additional fields I had and adding the few you have
> and I still get exactly the same outcome: when I try impersonating the user
> in the Keycloak admin panel he has no password set (but he does when I
> explicitly call the reset-password endpoint).
>
>
> Is there some setting/role/permission I'm missing maybe? I'm using
> version 2.5.5.Final.
>
> ________________________________
> From: Alex Berg <chexxor(a)gmail.com>
> Sent: Friday, May 12, 2017 6:09:59 PM
> To: Scott Finlay
> Cc: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Can't set password when registering a user
>
> I do something like that, and it works for me.
>
> The content of my XHR is JSON of this:
>
> { credentials : [
> { type: "password"
> , temporary: false
> , value: regBody.password
> }
> ]
> , email: regBody.email
> , username: regBody.email
> , emailVerified: false
> , enabled: true
> , requiredActions: [ "VERIFY_EMAIL" ]
> }
>
> The created user's ID is available on the "location" response header.
>
> On Fri, May 12, 2017 at 2:27 AM, Scott Finlay <scott.finlay(a)sixt.com> wrote:
> Hi,
>
> According to the Keycloak admin API documentation:
>
> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_create_a_new_user
> ->
> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_userrepresentation
> ->
> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_credentialrepresentation
>
> We should be able to provide credentials when creating a new user, but
> when I provide credentials it doesn't seem to set the password for the new
> user. Here is what my request looks like:
>
> POST /auth/admin/realms/myrealm/users/
>
> {"enabled":true,"username":"blah@blop.com","email":"blah@blop.com","firstName":"Blah","lastName":"Blop","attributes":{"userId":["1234"]},"credentials":[{"type":"password","temporary":false,"value":"secr$tP4ssword"}]}
>
> Just as an experiment, I tried passing a single "credential" instead of
> an array of credentials and I got this error back:
>
> internal server error;KeyCloak HTTP Error Response [400]:
> com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize
> instance of java.util.ArrayList out of START_OBJECT token at [Source:
> io.undertow.servlet.spec.ServletInputStreamImpl@264472bc; line: 1,
> column: 156] (through reference chain:
> org.keycloak.representations.idm.UserRepresentation["credentials"])
>
> So clearly Keycloak is actually parsing this field. Am I doing something
> wrong with this request or is the documentation wrong?
>
> Right now what we've been doing to get around this is registering the
> user and then doing a reset password request after, but this makes the
> request to our service take twice as long. It would be great if we could
> reduce this to a single request.
>
> Regards,
> Scott
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
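The two-request workaround discussed in this thread (create the user, read its ID from the Location response header, then call reset-password), as an added example that is not part of the original emails or of Keycloak's own code. The `send` transport, the `fake_send` stand-in and the delete-on-failure rollback are assumptions of this example.

```python
# Added example (not from the thread): create a user, then set the password.
# `send` is a hypothetical transport: send(method, path, json_body) ->
# (status, headers); it is assumed to add the base URL and admin bearer token.
class RegistrationError(Exception):
    pass


def _header(headers, name):
    """Case-insensitive header lookup; returns "" when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def create_user_with_password(send, realm, user, password, temporary=False):
    users = f"/auth/admin/realms/{realm}/users"
    # Step 1: create the account. Any "credentials" entry is dropped so the
    # password is sent only in the request the thread reports as applying it.
    body = {k: v for k, v in user.items() if k != "credentials"}
    status, headers = send("POST", users, body)
    if status != 201:
        raise RegistrationError(f"create user failed: HTTP {status}")
    # The new user's ID is the last path segment of the Location header.
    user_id = _header(headers, "Location").rstrip("/").rsplit("/", 1)[-1]
    if not user_id:
        raise RegistrationError("create user returned no Location header")
    # Step 2: set the password through the reset-password endpoint.
    cred = {"type": "password", "value": password, "temporary": temporary}
    status, _ = send("PUT", f"{users}/{user_id}/reset-password", cred)
    if status not in (200, 204):
        # Assumed policy: do not leave a password-less account behind,
        # e.g. halfway through a batch import. The password is never logged.
        send("DELETE", f"{users}/{user_id}", None)
        raise RegistrationError(f"set password failed: HTTP {status}; user removed")
    return user_id


def fake_send(fail_password=False):
    """Constructed in-memory stand-in for a Keycloak server (offline runs)."""
    calls = []

    def send(method, path, body):
        calls.append((method, path, body))
        if method == "POST":
            return 201, {"location": "http://localhost:8080" + path + "/1234-abcd"}
        if method == "PUT":
            return (500 if fail_password else 204), {}
        return 204, {}
    return send, calls
```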