I just saw Bill Burke's response. I will try one of your two approaches.
Yes, I just need the basic info so what you suggested will work for me.
Thanks!
On Wed, Mar 5, 2014 at 2:29 PM, <keycloak-user-request(a)lists.jboss.org> wrote:
Send keycloak-user mailing list submissions to
keycloak-user(a)lists.jboss.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.jboss.org/mailman/listinfo/keycloak-user
or, via email, send a message with subject or body 'help' to
keycloak-user-request(a)lists.jboss.org
You can reach the person managing the list at
keycloak-user-owner(a)lists.jboss.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of keycloak-user digest..."
Today's Topics:
1. Openshift installation (Davide Ungari)
2. How to access realms/{realm}/users/{user} with Application
(Dean Peterson)
3. Re: How to access realms/{realm}/users/{user} with
Application (Bill Burke)
4. Re: How to access realms/{realm}/users/{user} with
Application (Stian Thorgersen)
5. Re: How to access realms/{realm}/users/{user} with
Application (Dean Peterson)
----------------------------------------------------------------------
Message: 1
Date: Sun, 2 Mar 2014 06:20:15 -0500 (EST)
From: Davide Ungari <davide(a)billdrawer.com>
Subject: [keycloak-user] Openshift installation
To: keycloak user list <keycloak-user(a)lists.jboss.org>
Message-ID: <155451129.27399.1393759215776.open-xchange(a)app1.ox.registrar-servers.com>
Content-Type: text/plain; charset="utf-8"
At the end I got it!
I followed the instructions of section 4.1 "Create Keycloak instance with
the web tool" instead of the command-line tool.
Davide Ungari, Founder
www.billdrawer.com | davide(a)billdrawer.com
Milan, IT
------------------------------
Message: 2
Date: Tue, 4 Mar 2014 13:15:31 -0600
From: Dean Peterson <peterson.dean(a)gmail.com>
Subject: [keycloak-user] How to access realms/{realm}/users/{user}
with Application
To: keycloak-user(a)lists.jboss.org
Message-ID: <CAFGzvPkrgJtAq=6jAJOsa9x8cw4Boo3PEO3nDEPAz8eSUa6AOg(a)mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hello,
I am trying to find the best way to access the UsersResource.java Rest
services outside the keycloak admin application to get a user's
information. How do I make a request using just the client's credentials?
I currently use something like this but I get a 401 because I am using a
user's oauth token and they only have user privileges:
    SkeletonKeySession session = (SkeletonKeySession) request
            .getAttribute(SkeletonKeySession.class.getName());
    ResteasyClient client = new ResteasyClientBuilder()
            .trustStore(session.getMetadata().getTruststore())
            .hostnameVerification(
                    ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
            .build();
    String username = request.getRemoteUser();
    Profile profile = null;
    try {
        Response response = client
                .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
                .path(username)
                .request()
                .header(HttpHeaders.AUTHORIZATION,
                        "Bearer " + session.getTokenString()).get();
        // Get the existing entry if there is one. Otherwise, just return
        // the regular
        // entity retrieved from the remote system.
        try {
            profile = profileRepository
                    .findByRegistrationId(member.getId());
        } catch (NoResultException e) {
            // ignore
        }
    } finally {
        client.close();
    }
Is there a way for the application to make a request directly as an admin
without giving the user admin privileges?
------------------------------
Message: 3
Date: Tue, 04 Mar 2014 15:46:04 -0500
From: Bill Burke <bburke(a)redhat.com>
Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
with Application
To: keycloak-user(a)lists.jboss.org
Message-ID: <53163B8C.3060605(a)redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 3/4/2014 2:15 PM, Dean Peterson wrote:
> Hello,
>
> I am trying to find the best way to access the UsersResource.java Rest
> services outside the keycloak admin application to get a user's
> information. How do I make a request using just the client's credentials?
>
You just want basic information, right? name, email, etc.? Next release
(March 13th) we'll have OpenID Connect support. SkeletonKeySession
(renamed to KeycloakSecurityContext) will have a reference to an IDToken
which can be populated with various user information (claims). Allowed
claims are specified per application/oauth client.

You can build and use this right now. View the
preconfigured/customer-portal examples to see how it's being done right

If you don't want to build/run from master you can do a POST to

/auth/rest/realms/keycloak-admin/tokens/grants/access

URL form encoded parameters of:

username=admin
password=admin-password

This will return an access token which you can use to invoke on the
admin REST API. *NOTE* we're changing this particular REST API next
release too :(

> I currently use something like this but I get a 401 because I am using a
> user's oauth token and they only have user privileges:
>     SkeletonKeySession session = (SkeletonKeySession) request
>             .getAttribute(SkeletonKeySession.class.getName());
>     ResteasyClient client = new ResteasyClientBuilder()
>             .trustStore(session.getMetadata().getTruststore())
>             .hostnameVerification(
>                     ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>             .build();
>
>     String username = request.getRemoteUser();
>
>     Profile profile = null;
>
>     try {
>
>         Response response = client
>                 .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
>                 .path(username)
>                 .request()
>                 .header(HttpHeaders.AUTHORIZATION,
>                         "Bearer " + session.getTokenString()).get();
>
>         // Get the existing entry if there is one. Otherwise, just return
>         // the regular
>         // entity retrieved from the remote system.
>         try {
>             profile = profileRepository
>                     .findByRegistrationId(member.getId());
>
>         } catch (NoResultException e) {
>             // ignore
>         }
>
>     } finally {
>         client.close();
>     }
>
> Is there a way for the application to make a request directly as an
> admin without giving the user admin privileges?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
------------------------------
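The token-grant POST described in the reply above, followed by the admin lookup from the original question, as an added example that is not part of the original thread or Keycloak's own code. Assumptions: an HTTPS base URL on port 8443, a JSON grant response with an `access_token` field, a JSON provider such as Jackson on the classpath, and the hypothetical environment variables `KC_ADMIN_USER` and `KC_ADMIN_PASSWORD` holding a dedicated account's credentials.

```java
import java.security.KeyStore;
import java.util.Map;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;

public class AdminUserLookup {
    // Assumption: the Keycloak server is reached over TLS at this base URL.
    private static final String BASE = "https://server:8443/auth/rest";

    /** Returns the admin API's JSON for one user, or null if the grant or the lookup fails. */
    public static String fetchUser(KeyStore trustStore, String realm, String username) {
        String adminUser = System.getenv("KC_ADMIN_USER");      // hypothetical variable name
        String adminPass = System.getenv("KC_ADMIN_PASSWORD");  // hypothetical variable name
        if (adminUser == null || adminPass == null) throw new IllegalStateException("credentials not set");
        ResteasyClient client = new ResteasyClientBuilder()
                .trustStore(trustStore)
                // WILDCARD checks the certificate's host name; ANY (used in the question) skips the check.
                .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.WILDCARD)
                .build();
        try {
            Form form = new Form().param("username", adminUser).param("password", adminPass);
            Response grant = client.target(BASE)
                    .path("realms/keycloak-admin/tokens/grants/access")
                    .request(MediaType.APPLICATION_JSON)
                    .post(Entity.form(form));
            // Assumption: OAuth-style JSON body carrying the token in "access_token".
            Object token = grant.getStatus() == 200 ? grant.readEntity(Map.class).get("access_token") : null;
            grant.close();
            if (token == null) return null;
            Response lookup = client.target(BASE)
                    .path("admin/realms").path(realm).path("users").path(username)
                    .request(MediaType.APPLICATION_JSON)
                    .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                    .get();
            try {
                return lookup.getStatus() == 200 ? lookup.readEntity(String.class) : null;
            } finally {
                lookup.close();
            }
        } finally {
            client.close();
        }
    }
}
```

The admin token stays on the server side of the application and is never handed to the end user, so the user's own token keeps only user privileges.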
Message: 4
Date: Wed, 5 Mar 2014 04:09:35 -0500 (EST)
From: Stian Thorgersen <stian(a)redhat.com>
Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
with Application
To: Dean Peterson <peterson.dean(a)gmail.com>
Cc: keycloak-user(a)lists.jboss.org
Message-ID: <1739218212.20951754.1394010575408.JavaMail.zimbra(a)redhat.com>
Content-Type: text/plain; charset=utf-8
There's also a Keycloak specific mechanism for accessing the account of
the user associated with the token.
To do this open the scope mappings for your app/client, and select
'account' in the application roles, select 'view-profile' and click the
right-arrow. This will allow your app/client to view the profile of the
current user.
Then you can make a request (with bearer token) to:
/auth/rest/realms/myrealm/account
In the future we'll add support to do all account specific things through
these REST endpoints to support all operations provided by the account
management application.
------------------------------
Message: 5
Date: Wed, 5 Mar 2014 14:28:53 -0600
From: Dean Peterson <peterson.dean(a)gmail.com>
Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
with Application
To: Stian Thorgersen <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Message-ID: <CAFGzvPkYz5ZVwzJ+WmDoirWn=W3fW3kGV7GRvQxCCpeVC2ULAw(a)mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Thank you. I tried what you said. I am able to access that REST service on
the Keycloak server but it returns an AccountService object. Actually, I
get a 406 error response on my end. I think it is because I did not have
the keycloak-services dependency in my application's pom. However, when I
add it and I try to start the server, I get the error: Could not find
constructor for class: org.keycloak.services.resources.RealmsResource.
Should I make my own local version of AccountService and not add
keycloak-services to my application? What is the best approach? Any ideas
why I might be getting a 406 error?
    SkeletonKeySession session = (SkeletonKeySession) request
            .getAttribute(SkeletonKeySession.class.getName());
    ResteasyClient client = new ResteasyClientBuilder()
            .trustStore(session.getMetadata().getTruststore())
            .hostnameVerification(
                    ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
            .build();
    String username = request.getRemoteUser();
    Profile profile = null;
    try {
        Response response = client
                .target("http://server:8080/auth/rest/realms/myrealm/account")
                .request()
                .header(HttpHeaders.AUTHORIZATION,
                        "Bearer " + session.getTokenString()).get();
    .
    .
    .
------------------------------
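The account request discussed in messages 4 and 5, written so that the application needs no Keycloak server classes and each failure status is told apart; this is an added example, not code from the thread or from Keycloak. Assumptions: an HTTPS base URL on port 8443, an account endpoint that can produce JSON, and a JSON provider such as Jackson on the classpath.

```java
import java.security.KeyStore;
import java.util.Map;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;

public class AccountProfileClient {
    // Assumption: TLS host and port; the path is the one given in the thread.
    private static final String ACCOUNT_URL = "https://server:8443/auth/rest/realms/myrealm/account";

    /** Fetches the current user's profile as a generic map, using that user's own bearer token. */
    public static Map<?, ?> fetchProfile(KeyStore trustStore, String userToken) {
        ResteasyClient client = new ResteasyClientBuilder()
                .trustStore(trustStore)
                // Verify the server certificate's host name instead of accepting any.
                .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.WILDCARD)
                .build();
        try {
            Response response = client.target(ACCOUNT_URL)
                    .request(MediaType.APPLICATION_JSON) // sets the Accept header
                    .header(HttpHeaders.AUTHORIZATION, "Bearer " + userToken)
                    .get();
            try {
                switch (response.getStatus()) {
                    case 200:
                        // A plain Map avoids depending on the server's own response classes.
                        return response.readEntity(Map.class);
                    case 401:
                    case 403:
                        throw new IllegalStateException("Token rejected: check expiry and the client's scope mappings");
                    case 406:
                        throw new IllegalStateException("Server cannot produce the media type named in Accept");
                    default:
                        throw new IllegalStateException("Unexpected status " + response.getStatus());
                }
            } finally {
                response.close();
            }
        } finally {
            client.close();
        }
    }
}
```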
End of keycloak-user Digest, Vol 3, Issue 2
*******************************************