Hello,
A possible problem might be that you are saying the admincloak user is in
the master realm, but in KeycloakBuilder you are using SpringBootKeycloak.
Either you can create the user in the SpringBootKeycloak realm as well and
add the appropriate roles to him, or change the realm to master.
Btw, not sure if this will help, but we are using the Admin client quite a
lot in the testsuite and here is how we are creating it:
Regards,
Michal
On Wed, Dec 4, 2019 at 6:36 PM Tony Harris <Tony.Harris(a)oneadvanced.com>
wrote:
If you look under the Users Role mapping tab, and select the client Roles
for realm-management, you will find all the roles there.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:
keycloak-user-bounces(a)lists.jboss.org] On Behalf Of John Norris
Sent: 04 December 2019 17:02
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] create user via java api
Hello,
I have a spring boot application, using keycloak 6.0.1 for authentication.
I can log on to keycloak admin via a local browser as the "admincloak"
user (which is in the master realm) and create users in the
"SpringBootKeycloak" realm.
But if I try to create a user within the Spring Boot code then I get the
following error from keycloak log
10:57:33,927 WARN [org.keycloak.events] (default task-2)
type=LOGIN_ERROR, realmId=SpringBootKeycloak, clientId=bikes-app,
userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials,
auth_method=openid-connect, grant_type=password,
client_auth_method=client-secret, username=admincloak
Here is the relevant java code
    import java.util.Arrays;
    import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    private static final String SERVER_URL = "http://mint191:8080/auth";
    private static final String REALM = "SpringBootKeycloak";
    private static final String USERNAME = "admincloak";
    private static final String PASSWORD = "123456";
    private static final String CLIENT_ID = "bikes-app";
    private static final String USER_ROLE = "user";

    public static void createKCUser(Owner owner) {
        try {
            // Admin client: logs in as USERNAME in REALM through CLIENT_ID
            Keycloak keycloak = KeycloakBuilder
                    .builder()
                    .serverUrl(SERVER_URL)
                    .realm(REALM)
                    .username(USERNAME)
                    .password(PASSWORD)
                    .clientId(CLIENT_ID)
                    .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
                    .build();

            // Initial password credential for the new user
            CredentialRepresentation credentialRepresentation = new CredentialRepresentation();
            credentialRepresentation.setType(CredentialRepresentation.PASSWORD);
            credentialRepresentation.setValue("12345678");

            // The user to create, filled in from the application's Owner object
            UserRepresentation userRepresentation = new UserRepresentation();
            userRepresentation.setUsername(owner.getUserName());
            userRepresentation.setFirstName(owner.getFirstName());
            userRepresentation.setLastName(owner.getSurName());
            userRepresentation.setEnabled(true);
            userRepresentation.setCredentials(Arrays.asList(credentialRepresentation));

            keycloak.realm(REALM).users().create(userRepresentation);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
The stacktrace has
javax.ws.rs.ProcessingException: javax.ws.rs.NotAuthorizedException:
HTTP 401 Unauthorized for the
"keycloak.realm(REALM).users().create(userRepresentation);" line
I have seen in previous posts that
"Make sure that your user has the permissions "manage-users" and
"view-realm" from the role "realm-management". Make sure your scopes are
defined such that these roles actually are part of your token."
When I go into keycloak admin and look at the admincloak user in the
master realm, then the effective roles in the role mappings tab are admin
create-realm offline-access uma_authorization
But I can't see a "realm-management" role in roles in master. I can see
the roles "manage-users" and "view-realm" in the client "master-realm"
under the roles tab.
So, in summary, I am confused.
Regards,
John
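
A diagnostic for the advice quoted above ("make sure ... these roles actually are part of your token"), as an added example that is not part of the original thread: it decodes an access token's claims and reports which of "manage-users" and "view-realm" are missing for the realm being administered. It assumes Keycloak's usual claim layout (an "iss" ending in /realms/<name>, client roles under resource_access) and that a master-realm token carries a realm's admin roles under the client "<realm>-realm"; the sample tokens are constructed and unsigned.

```python
import base64
import json

REQUIRED = {"manage-users", "view-realm"}  # roles named in the quoted advice

def decode_claims(jwt):
    """Payload claims of a JWT, signature NOT verified (diagnostic use only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def admin_role_gap(claims, target_realm):
    """Return (client whose roles apply, required roles missing from the token)."""
    issuer_realm = claims["iss"].rstrip("/").rsplit("/realms/", 1)[1]
    if issuer_realm == target_realm:
        client = "realm-management"        # user lives in the realm it administers
    elif issuer_realm == "master":
        client = target_realm + "-realm"   # assumption: master-realm admin client name
    else:
        return None, set(REQUIRED)         # a third realm cannot administer target_realm
    roles = claims.get("resource_access", {}).get(client, {}).get("roles", [])
    return client, REQUIRED - set(roles)

def make_token(claims):
    """Constructed, unsigned sample token; not issued by a real Keycloak."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])

BASE = "http://mint191:8080/auth/realms/"  # server URL from the post
MASTER_TOKEN = make_token({
    "iss": BASE + "master", "preferred_username": "admincloak",
    "resource_access": {"SpringBootKeycloak-realm": {"roles": ["manage-users", "view-realm"]}},
})
REALM_TOKEN = make_token({
    "iss": BASE + "SpringBootKeycloak", "preferred_username": "constructed-user",
    "resource_access": {"bikes-app": {"roles": ["user"]}},
})

if __name__ == "__main__":
    for name, tok in (("master", MASTER_TOKEN), ("realm", REALM_TOKEN)):
        client, missing = admin_role_gap(decode_claims(tok), "SpringBootKeycloak")
        print(name, "token -> client:", client, "missing:", sorted(missing) or "none")
```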
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user