1:15 p.m.
Hello,
I am trying to find the best way to access the UsersResource.java Rest
services outside the keycloak admin application to get a user's
information. How do I make a request using just the client's credentials?
I currently use something like this but I get a 401 because I am using a
user's oauth token and they only have user privileges:
SkeletonKeySession session = (SkeletonKeySession) request
.getAttribute(SkeletonKeySession.class.getName());
ResteasyClient client = new ResteasyClientBuilder()
.trustStore(session.getMetadata().getTruststore())
.hostnameVerification(
ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
.build();
String username = request.getRemoteUser();
Profile profile = null;
try {
Response response = client
.target("
http://server:8080/auth/rest/admin/realms/myrealm/users/")
.path(username)
.request()
.header(HttpHeaders.AUTHORIZATION,
"Bearer " + session.getTokenString()).get();
// Get the existing entry if there is one. Otherwise, just
return
// the regular
// entity retrieved from the remote system.
try {
profile = profileRepository
.findByRegistrationId(member.getId());
} catch (NoResultException e) {
// ignore
}
} finally {
client.close();
}
Is there a way for the application to make a request directly as an admin
without giving the user admin privileges?
2:46 p.m.
On 3/4/2014 2:15 PM, Dean Peterson wrote:
Hello,
I am trying to find the best way to access the UsersResource.java Rest
services outside the keycloak admin application to get a user's
information. How do I make a request using just the client's credentials?
You just want basic information right? name, email, etc.? Next release
(March 13th) we'll have OpenID Connect support. SkeletonKeysession
(renamed to KeycloakSecurityContext) will have a reference to an IDToken
which can be populated with various user information (claims). Allowed
claims are specified per application/oauth client.
You can build and use this right now. View the
preconfigured/customer-portal examples to see how its being done right
If you don't want to build/run from master you can do a POST to
/auth/rest/realms/keycloak-admin/tokens/grants/access
URL form encoded parameters of:
username=admin
password=admin-password
This will return an access token which you can use to invoke on the
admin REST API. *NOTE* we're chaning this particular REST API next
release too :(
I currently use something like this but I get a 401 because I am
using a
user's oauth token and they only have user privileges:
SkeletonKeySession session = (SkeletonKeySession) request
.getAttribute(SkeletonKeySession.class.getName());
ResteasyClient client = new ResteasyClientBuilder()
.trustStore(session.getMetadata().getTruststore())
.hostnameVerification(
ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
.build();
String username = request.getRemoteUser();
Profile profile = null;
try {
Response response = client
.target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
.path(username)
.request()
.header(HttpHeaders.AUTHORIZATION,
"Bearer " + session.getTokenString()).get();
// Get the existing entry if there is one. Otherwise, just
return
// the regular
// entity retrieved from the remote system.
try {
profile = profileRepository
.findByRegistrationId(member.getId());
} catch (NoResultException e) {
// ignore
}
} finally {
client.close();
}
Is there a way for the application to make a request directly as an
admin without giving the user admin privileges?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:09 a.m.
New subject: How to access realms/{realm}/users/{user} with Application
There's also a Keycloak specific mechanism for accessing the account of the user
associated with the token.
To do this open the scope mappings for your app/client, and select 'account' in
the application roles, select 'view-profile' and click the right-arrow. This will
allow your app/client to view the profile of the current user.
Then you can make a request (with bearer token) to:
/auth/rest/realms/myrealm/account
In the future we'll add support to do all account specific things through these REST
endpoints to support all operations provided by the account management application.
----- Original Message -----
From: "Dean Peterson" <peterson.dean(a)gmail.com>
To: keycloak-user(a)lists.jboss.org
Sent: Tuesday, 4 March, 2014 7:15:31 PM
Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
Hello,
I am trying to find the best way to access the UsersResource.java Rest
services outside the keycloak admin application to get a user's information.
How do I make a request using just the client's credentials?
I currently use something like this but I get a 401 because I am using a
user's oauth token and they only have user privileges:
SkeletonKeySession session = (SkeletonKeySession) request
.getAttribute(SkeletonKeySession.class.getName());
ResteasyClient client = new ResteasyClientBuilder()
.trustStore(session.getMetadata().getTruststore())
.hostnameVerification(
ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
.build();
String username = request.getRemoteUser();
Profile profile = null;
try {
Response response = client
.target(" http://server:8080/auth/rest/admin/realms/myrealm/users/ ")
.path(username)
.request()
.header(HttpHeaders.AUTHORIZATION,
"Bearer " + session.getTokenString()).get();
// Get the existing entry if there is one. Otherwise, just return
// the regular
// entity retrieved from the remote system.
try {
profile = profileRepository
.findByRegistrationId(member.getId());
} catch (NoResultException e) {
// ignore
}
} finally {
client.close();
}
Is there a way for the application to make a request directly as an admin
without giving the user admin privileges?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:28 p.m.
Thank you. I tried what you said. I am able access that REST service on
the Keycloak server but it returns an AccountService object. Actually, I
get a 406 error response on my end. I think it is because I did not have
the keycloak-services dependency in my application's pom. However, when I
add it and I try to start the server, I get the error: Could not find
constructor for class: org.keycloak.services.resources.RealmsResource.
Should I make my own local version of AccountService and not add
keycloak-services to my application? What is the best approach? Any ideas
why I might be getting a 406 error?
SkeletonKeySession session = (SkeletonKeySession) request
.getAttribute(SkeletonKeySession.class.getName());
ResteasyClient client = new ResteasyClientBuilder()
.trustStore(session.getMetadata().getTruststore())
.hostnameVerification(
ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
.build();
String username = request.getRemoteUser();
Profile profile = null;
try {
Response response = client
.target("
http://server:8080/auth/rest/realms/myrealm/account")
.request()
.header(HttpHeaders.AUTHORIZATION,
"Bearer " + session.getTokenString()).get();
.
.
.
On Wed, Mar 5, 2014 at 3:09 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
There's also a Keycloak specific mechanism for accessing the
account of
the user associated with the token.
To do this open the scope mappings for your app/client, and select
'account' in the application roles, select 'view-profile' and click the
right-arrow. This will allow your app/client to view the profile of the
current user.
Then you can make a request (with bearer token) to:
/auth/rest/realms/myrealm/account
In the future we'll add support to do all account specific things through
these REST endpoints to support all operations provided by the account
management application.
----- Original Message -----
> From: "Dean Peterson" <peterson.dean(a)gmail.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Tuesday, 4 March, 2014 7:15:31 PM
> Subject: [keycloak-user] How to access realms/{realm}/users/{user} with
Application
>
> Hello,
>
> I am trying to find the best way to access the UsersResource.java Rest
> services outside the keycloak admin application to get a user's
information.
> How do I make a request using just the client's credentials?
>
> I currently use something like this but I get a 401 because I am using a
> user's oauth token and they only have user privileges:
> SkeletonKeySession session = (SkeletonKeySession) request
> .getAttribute(SkeletonKeySession.class.getName());
> ResteasyClient client = new ResteasyClientBuilder()
> .trustStore(session.getMetadata().getTruststore())
> .hostnameVerification(
> ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
> .build();
>
> String username = request.getRemoteUser();
>
> Profile profile = null;
>
> try {
>
> Response response = client
> .target(" http://server:8080/auth/rest/admin/realms/myrealm/users/ ")
> .path(username)
> .request()
> .header(HttpHeaders.AUTHORIZATION,
> "Bearer " + session.getTokenString()).get();
>
> // Get the existing entry if there is one. Otherwise, just return
> // the regular
> // entity retrieved from the remote system.
> try {
> profile = profileRepository
> .findByRegistrationId(member.getId());
>
> } catch (NoResultException e) {
> // ignore
> }
>
> } finally {
> client.close();
> }
>
> Is there a way for the application to make a request directly as an admin
> without giving the user admin privileges?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
5:31 a.m.
You don't need to add keycloak-services to your application. It doesn't actually
return AccountService object, AccountService is JAX-RS sub-resource that handles all
requests to 'account'. Assuming that you've looked at the source, have a peak
inside AccountService.accountPage that's what actually handles the request.
The 406 is caused by missing Accept header. Try adding:
.header(HttpHeaders.ACCEPT, "application/json")
Cheers,
Stian
----- Original Message -----
From: "Dean Peterson" <peterson.dean(a)gmail.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Wednesday, 5 March, 2014 8:28:53 PM
Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user} with Application
Thank you. I tried what you said. I am able access that REST service on
the Keycloak server but it returns an AccountService object. Actually, I
get a 406 error response on my end. I think it is because I did not have
the keycloak-services dependency in my application's pom. However, when I
add it and I try to start the server, I get the error: Could not find
constructor for class: org.keycloak.services.resources.RealmsResource.
Should I make my own local version of AccountService and not add
keycloak-services to my application? What is the best approach? Any ideas
why I might be getting a 406 error?
SkeletonKeySession session = (SkeletonKeySession) request
.getAttribute(SkeletonKeySession.class.getName());
ResteasyClient client = new ResteasyClientBuilder()
.trustStore(session.getMetadata().getTruststore())
.hostnameVerification(
ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
.build();
String username = request.getRemoteUser();
Profile profile = null;
try {
Response response = client
.target("
http://server:8080/auth/rest/realms/myrealm/account")
.request()
.header(HttpHeaders.AUTHORIZATION,
"Bearer " + session.getTokenString()).get();
.
.
.
On Wed, Mar 5, 2014 at 3:09 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> There's also a Keycloak specific mechanism for accessing the account of
> the user associated with the token.
>
> To do this open the scope mappings for your app/client, and select
> 'account' in the application roles, select 'view-profile' and click
the
> right-arrow. This will allow your app/client to view the profile of the
> current user.
>
> Then you can make a request (with bearer token) to:
>
> /auth/rest/realms/myrealm/account
>
> In the future we'll add support to do all account specific things through
> these REST endpoints to support all operations provided by the account
> management application.
>
> ----- Original Message -----
> > From: "Dean Peterson" <peterson.dean(a)gmail.com>
> > To: keycloak-user(a)lists.jboss.org
> > Sent: Tuesday, 4 March, 2014 7:15:31 PM
> > Subject: [keycloak-user] How to access realms/{realm}/users/{user} with
> Application
> >
> > Hello,
> >
> > I am trying to find the best way to access the UsersResource.java Rest
> > services outside the keycloak admin application to get a user's
> information.
> > How do I make a request using just the client's credentials?
> >
> > I currently use something like this but I get a 401 because I am using a
> > user's oauth token and they only have user privileges:
> > SkeletonKeySession session = (SkeletonKeySession) request
> > .getAttribute(SkeletonKeySession.class.getName());
> > ResteasyClient client = new ResteasyClientBuilder()
> > .trustStore(session.getMetadata().getTruststore())
> > .hostnameVerification(
> > ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
> > .build();
> >
> > String username = request.getRemoteUser();
> >
> > Profile profile = null;
> >
> > try {
> >
> > Response response = client
> > .target(" http://server:8080/auth/rest/admin/realms/myrealm/users/
")
> > .path(username)
> > .request()
> > .header(HttpHeaders.AUTHORIZATION,
> > "Bearer " + session.getTokenString()).get();
> >
> > // Get the existing entry if there is one. Otherwise, just return
> > // the regular
> > // entity retrieved from the remote system.
> > try {
> > profile = profileRepository
> > .findByRegistrationId(member.getId());
> >
> > } catch (NoResultException e) {
> > // ignore
> > }
> >
> > } finally {
> > client.close();
> > }
> >
> > Is there a way for the application to make a request directly as an admin
> > without giving the user admin privileges?
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
7:52 a.m.
Or build from master or wait until next Thursday and you can get these
identity attributes in the token.
On 3/6/2014 6:31 AM, Stian Thorgersen wrote:
You don't need to add keycloak-services to your application. It
doesn't actually return AccountService object, AccountService is JAX-RS sub-resource
that handles all requests to 'account'. Assuming that you've looked at the
source, have a peak inside AccountService.accountPage that's what actually handles the
request.
The 406 is caused by missing Accept header. Try adding:
.header(HttpHeaders.ACCEPT, "application/json")
Cheers,
Stian
----- Original Message -----
> From: "Dean Peterson" <peterson.dean(a)gmail.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Wednesday, 5 March, 2014 8:28:53 PM
> Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user} with
Application
>
> Thank you. I tried what you said. I am able access that REST service on
> the Keycloak server but it returns an AccountService object. Actually, I
> get a 406 error response on my end. I think it is because I did not have
> the keycloak-services dependency in my application's pom. However, when I
> add it and I try to start the server, I get the error: Could not find
> constructor for class: org.keycloak.services.resources.RealmsResource.
> Should I make my own local version of AccountService and not add
> keycloak-services to my application? What is the best approach? Any ideas
> why I might be getting a 406 error?
>
> SkeletonKeySession session = (SkeletonKeySession) request
> .getAttribute(SkeletonKeySession.class.getName());
> ResteasyClient client = new ResteasyClientBuilder()
> .trustStore(session.getMetadata().getTruststore())
> .hostnameVerification(
>
> ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
> .build();
>
> String username = request.getRemoteUser();
>
> Profile profile = null;
>
> try {
>
> Response response = client
> .target("
> http://server:8080/auth/rest/realms/myrealm/account")
> .request()
> .header(HttpHeaders.AUTHORIZATION,
> "Bearer " + session.getTokenString()).get();
>
> .
> .
> .
>
>
>
> On Wed, Mar 5, 2014 at 3:09 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>
>> There's also a Keycloak specific mechanism for accessing the account of
>> the user associated with the token.
>>
>> To do this open the scope mappings for your app/client, and select
>> 'account' in the application roles, select 'view-profile' and
click the
>> right-arrow. This will allow your app/client to view the profile of the
>> current user.
>>
>> Then you can make a request (with bearer token) to:
>>
>> /auth/rest/realms/myrealm/account
>>
>> In the future we'll add support to do all account specific things through
>> these REST endpoints to support all operations provided by the account
>> management application.
>>
>> ----- Original Message -----
>>> From: "Dean Peterson" <peterson.dean(a)gmail.com>
>>> To: keycloak-user(a)lists.jboss.org
>>> Sent: Tuesday, 4 March, 2014 7:15:31 PM
>>> Subject: [keycloak-user] How to access realms/{realm}/users/{user} with
>> Application
>>>
>>> Hello,
>>>
>>> I am trying to find the best way to access the UsersResource.java Rest
>>> services outside the keycloak admin application to get a user's
>> information.
>>> How do I make a request using just the client's credentials?
>>>
>>> I currently use something like this but I get a 401 because I am using a
>>> user's oauth token and they only have user privileges:
>>> SkeletonKeySession session = (SkeletonKeySession) request
>>> .getAttribute(SkeletonKeySession.class.getName());
>>> ResteasyClient client = new ResteasyClientBuilder()
>>> .trustStore(session.getMetadata().getTruststore())
>>> .hostnameVerification(
>>> ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>>> .build();
>>>
>>> String username = request.getRemoteUser();
>>>
>>> Profile profile = null;
>>>
>>> try {
>>>
>>> Response response = client
>>> .target(" http://server:8080/auth/rest/admin/realms/myrealm/users/
")
>>> .path(username)
>>> .request()
>>> .header(HttpHeaders.AUTHORIZATION,
>>> "Bearer " + session.getTokenString()).get();
>>>
>>> // Get the existing entry if there is one. Otherwise, just return
>>> // the regular
>>> // entity retrieved from the remote system.
>>> try {
>>> profile = profileRepository
>>> .findByRegistrationId(member.getId());
>>>
>>> } catch (NoResultException e) {
>>> // ignore
>>> }
>>>
>>> } finally {
>>> client.close();
>>> }
>>>
>>> Is there a way for the application to make a request directly as an admin
>>> without giving the user admin privileges?
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:50 a.m.
Yes, I did realize my stupid mistake right after I sent the e-mail. It is
working as you say. Thank you, very much for all the help!
On Thu, Mar 6, 2014 at 5:31 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
You don't need to add keycloak-services to your application. It
doesn't
actually return AccountService object, AccountService is JAX-RS
sub-resource that handles all requests to 'account'. Assuming that you've
looked at the source, have a peak inside AccountService.accountPage that's
what actually handles the request.
The 406 is caused by missing Accept header. Try adding:
.header(HttpHeaders.ACCEPT, "application/json")
Cheers,
Stian
----- Original Message -----
> From: "Dean Peterson" <peterson.dean(a)gmail.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Wednesday, 5 March, 2014 8:28:53 PM
> Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
with Application
>
> Thank you. I tried what you said. I am able access that REST service on
> the Keycloak server but it returns an AccountService object. Actually, I
> get a 406 error response on my end. I think it is because I did not have
> the keycloak-services dependency in my application's pom. However, when
I
> add it and I try to start the server, I get the error: Could not find
> constructor for class: org.keycloak.services.resources.RealmsResource.
> Should I make my own local version of AccountService and not add
> keycloak-services to my application? What is the best approach? Any
ideas
> why I might be getting a 406 error?
>
> SkeletonKeySession session = (SkeletonKeySession) request
> .getAttribute(SkeletonKeySession.class.getName());
> ResteasyClient client = new ResteasyClientBuilder()
> .trustStore(session.getMetadata().getTruststore())
> .hostnameVerification(
>
> ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
> .build();
>
> String username = request.getRemoteUser();
>
> Profile profile = null;
>
> try {
>
> Response response = client
> .target("
> http://server:8080/auth/rest/realms/myrealm/account")
> .request()
> .header(HttpHeaders.AUTHORIZATION,
> "Bearer " + session.getTokenString()).get();
>
> .
> .
> .
>
>
>
> On Wed, Mar 5, 2014 at 3:09 AM, Stian Thorgersen <stian(a)redhat.com>
wrote:
>
> > There's also a Keycloak specific mechanism for accessing the account of
> > the user associated with the token.
> >
> > To do this open the scope mappings for your app/client, and select
> > 'account' in the application roles, select 'view-profile' and
click the
> > right-arrow. This will allow your app/client to view the profile of the
> > current user.
> >
> > Then you can make a request (with bearer token) to:
> >
> > /auth/rest/realms/myrealm/account
> >
> > In the future we'll add support to do all account specific things
through
> > these REST endpoints to support all operations provided by the account
> > management application.
> >
> > ----- Original Message -----
> > > From: "Dean Peterson" <peterson.dean(a)gmail.com>
> > > To: keycloak-user(a)lists.jboss.org
> > > Sent: Tuesday, 4 March, 2014 7:15:31 PM
> > > Subject: [keycloak-user] How to access realms/{realm}/users/{user}
with
> > Application
> > >
> > > Hello,
> > >
> > > I am trying to find the best way to access the UsersResource.java
Rest
> > > services outside the keycloak admin application to get a user's
> > information.
> > > How do I make a request using just the client's credentials?
> > >
> > > I currently use something like this but I get a 401 because I am
using a
> > > user's oauth token and they only have user privileges:
> > > SkeletonKeySession session = (SkeletonKeySession) request
> > > .getAttribute(SkeletonKeySession.class.getName());
> > > ResteasyClient client = new ResteasyClientBuilder()
> > > .trustStore(session.getMetadata().getTruststore())
> > > .hostnameVerification(
> > > ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
> > > .build();
> > >
> > > String username = request.getRemoteUser();
> > >
> > > Profile profile = null;
> > >
> > > try {
> > >
> > > Response response = client
> > > .target("
http://server:8080/auth/rest/admin/realms/myrealm/users/")
> > > .path(username)
> > > .request()
> > > .header(HttpHeaders.AUTHORIZATION,
> > > "Bearer " + session.getTokenString()).get();
> > >
> > > // Get the existing entry if there is one. Otherwise, just return
> > > // the regular
> > > // entity retrieved from the remote system.
> > > try {
> > > profile = profileRepository
> > > .findByRegistrationId(member.getId());
> > >
> > > } catch (NoResultException e) {
> > > // ignore
> > > }
> > >
> > > } finally {
> > > client.close();
> > > }
> > >
> > > Is there a way for the application to make a request directly as an
admin
> > > without giving the user admin privileges?
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
3961
days inactive
3963
days old
6 comments
3 participants
participants (3)
-
Bill Burke -
Dean Peterson -
Stian Thorgersen