Hi Bill, long time no see. Seems like we are both stuck with this Java thing. :)
I'm authenticating with the admin user/password which I've set as env variables
when starting Docker container. Nothing else was changed on the default install. This is
the access token:
    {
      "jti": "285d19a2-8ae3-4e0e-b05f-454d04c7812c",
      "exp": 1.456140094E9,
      "nbf": 0,
      "iat": 1.456140034E9,
      "iss": "http://192.168.99.100:8082/auth/realms/master",
      "aud": "admin-cli",
      "sub": "1219f695-bf7a-4496-a021-52586de58ed5",
      "typ": "Bearer",
      "azp": "admin-cli",
      "session_state": "22d4dc19-e755-4ce0-9508-66ffad608215",
      "client_session": "97f937f9-9fce-4441-9684-46d5daa262ce",
      "allowed-origins": [],
      "realm_access": {
        "roles": [
          "create-realm",
          "admin"
        ]
      },
      "resource_access": {
        "master-realm": {
          "roles": [
            "view-identity-providers",
            "manage-events",
            "view-realm",
            "manage-realm",
            "manage-identity-providers",
            "impersonation",
            "view-events",
            "create-client",
            "manage-users",
            "view-users",
            "view-clients",
            "manage-clients"
          ]
        }
      },
      "name": "",
      "preferred_username": "admin"
    }
That looks like it should give me superuser access. But POSTing with that token on
"/auth/realms/master/clients/default" is Forbidden, because
ClientRegistrationAuth.java checks for "realm-management" resource claims and
not "master-realm":
    Map<String, List<String>> realmManagement =
            resourceAccess.get(Constants.REALM_MANAGEMENT_CLIENT_ID);
    if (realmManagement == null) {
        return false;
    }
As I said, I might be doing something wrong but I don't know where else to look. I
haven't figured out yet how the user/roles/client etc. mappings work.
On 22.02.2016, at 16:10, keycloak-user-request(a)lists.jboss.org wrote:
What do you mean when you say you have "super user" roles?
* Your user is in the master realm?
* Which exact roles are assigned to this user?
BTW, is this THE Christian Bauer of Hibernate fame? If so, how's life?
On 2/22/2016 9:02 AM, Christian Bauer wrote:
> Hi
>
> I'm trying to implement a multi-tenant system that should use Keycloak, from its
> Docker image. I'd like to use the Keycloak admin API from another container. My first
> goal is to create a new client in the master realm for my tenant administration app, then
> create realms for each tenant, etc.
>
> To do this I'm using the admin-cli client in the master realm with public direct
> grant authentication, and I can get an authentication token with superuser roles for the
> admin user.
>
> Next I tried to POST /auth/realms/master/clients/default with a client representation
> and the admin-cli bearer token. This is forbidden, because though I have superuser roles,
> I don't have the Constants.REALM_MANAGEMENT_CLIENT_ID resource roles required in
> ClientRegistrationAuth:177.
>
> I'm not sure I'm doing this right. The console web UI probably has the same
> roles if I'm logged in as admin and it's able to create users.
>
> I guess I could step further through the code to find the difference. Other options
> I've considered:
>
> - Don't create a new client in the master realm and continue using the admin-cli
> client for superuser tasks.
>
> - Adjust the Docker image bootstrap so it exports the initial database, then
> manipulate the exported files with some JSON transformer, then import again.
>
> - Hack the themes/Angular frontend of the security-admin-console and use this to
> implement my tenant/user administration app.
>
> Thoughts?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com