Hello Puneeth,
The process is two-step: first you need to obtain an admin token (via token endpoint),
then use it against clients-initial-access endpoint to create a token.
kcadm.sh can do that for you, but unfortunately it doesn't output the result, even
with the --output option (bug?)
[user@localhost keycloak]$ bin/kcadm.sh create clients-initial-access -s count=1 -s expiration=60
Created new clients-initial-acces with id '0dfebcdd-35a9-4157-95e6-6d9eb5e887d8'
Luckily, you can still do it with curl:
KEYCLOAK_URL=http://localhost:8080/auth
KEYCLOAK_REALM=master
KEYCLOAK_CLIENT=admin-cli
KEYCLOAK_USER=admin
KEYCLOAK_PASSWORD=admin
# Step 1: obtain an admin access token from the token endpoint
ACCESS_TOKEN=$(curl -s "$KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token" \
  -d "client_id=$KEYCLOAK_CLIENT" \
  -d "grant_type=password" \
  -d "username=$KEYCLOAK_USER" \
  -d "password=$KEYCLOAK_PASSWORD" \
  | jq -r '.access_token')
# Step 2: present it as a bearer token to create the initial access token
curl -s -H "Authorization: Bearer $ACCESS_TOKEN" \
  "$KEYCLOAK_URL/admin/realms/$KEYCLOAK_REALM/clients-initial-access" \
  -H "Content-Type: application/json" \
  -d '{ "count": 1, "expiration": 60 }' \
  | jq -r ".token"
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2019-01-16 at 17:13 +0530, Puneeth M I wrote:
Hi,
I want to create an initial access token with expiration=60 seconds and
count=1 from command line using admin-cli through kcadm.sh script or a curl
command and share with the clients to register (create clients) themselves
at Keycloak. I am using the following curl command as per the Keycloak
document but I am getting 401 unauthorized error. I am able to create an Initial
access token from admin console but I don't want to expose it. *Please let
me know how to generate InitialAccessToken from CLI to register a
client.*
# curl -i -H 'Content-Type: application/json' -X POST http://<keycloak-IP>:<port>/auth/admin/realms/master/clients-initial-access -d "client_id=admin-cli&grant_type=password&username=admin&password=admin"
HTTP/1.1 401 Unauthorized
Connection: keep-alive
Content-Length: 0
Date: Tue, 15 Jan 2019 09:16:07 GMT
*I am able to register a client using the access token obtained from below
command but I cannot control it for number of client registrations.*
# curl -i -H 'Content-Type: application/x-www-form-urlencoded' -X POST http://<keycloak-ip>:<port>/auth/realms/master/protocol/openid-connect/token -d "client_id=admin-cli&grant_type=password&username=admin&password=admin"
HTTP/1.1 200 OK
Connection: keep-alive
Cache-Control: no-store
Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/master/; HttpOnly
Pragma: no-cache
Content-Type: application/json
Content-Length: 1848
Date: Tue, 15 Jan 2019 06:37:47 GMT
{"access_token":"eyJhbGciOiJSUzI1NiIs....","expires_in":60,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOi.....","token_type":"bearer","not-before-policy":0,"session_state":"7af01cbb-f268-4263-bed2-c11a14008949","scope":"email profile"}
I am using Keycloak - Version *4.5.0* in standalone-HA mode.
Regards,
Puneeth
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
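
The two-step flow from the reply, extended with the client-side registration that consumes the token, as an example added here and not code from the thread. The `clients-registrations/default` call, the client names, the helper names and reading the password from the `KEYCLOAK_PASSWORD` environment variable are assumptions; the URL and realm defaults follow the reply.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE = os.environ.get("KEYCLOAK_URL", "http://localhost:8080/auth")  # default as in the reply
REALM = os.environ.get("KEYCLOAK_REALM", "master")

def admin_token_request(user, password, client_id="admin-cli"):
    """Step 1: form-encoded password grant; the only call that carries credentials."""
    form = urllib.parse.urlencode({"client_id": client_id, "grant_type": "password",
                                   "username": user, "password": password})
    url = f"{BASE}/realms/{REALM}/protocol/openid-connect/token"
    return urllib.request.Request(url, data=form.encode())

def bearer_json_request(url, token, payload):
    """JSON POST authenticated by a bearer token (steps 2 and 3)."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(payload).encode(), headers=headers)

def initial_access_request(admin_token, count=1, expiration=60):
    """Step 2: the admin endpoint expects the admin token, not credentials."""
    url = f"{BASE}/admin/realms/{REALM}/clients-initial-access"
    return bearer_json_request(url, admin_token, {"count": count, "expiration": expiration})

def registration_request(initial_token, client_id):
    """Step 3, run by the client: self-register with the initial access token."""
    url = f"{BASE}/realms/{REALM}/clients-registrations/default"
    return bearer_json_request(url, initial_token, {"clientId": client_id})

def field(body, name):
    """Return one field of a JSON response; fail rather than pass 'null' along."""
    value = json.loads(body).get(name)
    if not value:
        raise ValueError(f"response has no {name!r}: {body[:200]!r}")
    return value

def send(request):
    with urllib.request.urlopen(request, timeout=10) as resp:  # HTTPError on 401
        return resp.read().decode()

if __name__ == "__main__":
    user, password = os.environ.get("KEYCLOAK_USER", "admin"), os.environ["KEYCLOAK_PASSWORD"]
    admin = field(send(admin_token_request(user, password)), "access_token")
    iat = field(send(initial_access_request(admin)), "token")
    print(field(send(registration_request(iat, "example-client")), "clientId"))
    try:  # count=1: a second use of the same token should be refused
        send(registration_request(iat, "example-client-2"))
    except urllib.error.HTTPError as err:
        print("second registration refused:", err.code)
```

Only the initial access token needs to be shared with the registering client; the admin token and the admin credentials stay with the operator.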