[keycloak-dev] client creation using bearer token

John Dennis jdennis at redhat.com
Mon Mar 7 19:14:40 EST 2016


Chapter 9.1.1 of the Keycloak Reference Guide
(http://keycloak.github.io/docs/userguide/keycloak-server/html/index.html)
says that a bearer token can be used to register a client provided the
user has the create-client or manage-client role on the realm.

Chapter 6 discusses how to create a user in the master realm who can
administer a specific realm. I followed those instructions and created
a user and assigned them the create-client role in the desired realm.

I then obtained a token for that user by posting to
auth/realms/master/protocol/openid-connect/token with the username and
password for the realm administrator I created along with the
client-id of "admin-cli" (not sure if this is the right client id for
this purpose, can someone explain selecting the proper client id?).

I received back a token and then used this as an authorization bearer
token when POSTing to the
auth/realms/{realm}/clients/saml2-entity-descriptor to create a SAML
SP client in the realm. However this fails with a 403 Forbidden
response and the message "Invalid signature".

This error seems to be generated by the ClientRegistrationTokenUtils
class in the method parseToken() which is called in the init() method
of the ClientRegistrationAuth class. As far as I can tell the
parseToken() method is using the public key for the realm. But the
token is not from the realm, the token is from the master realm where
the realm's admin is located.

For the bearer token to work when registering a client it would seem
the token would have to belong to a user in the realm, not the master
realm as discussed in Chapter 6.

How is client creation supposed to work with a bearer token instead of
using an initial access token?

-- 
John
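As an added illustration (not code from the post above, and not part of Keycloak itself) of the flow John describes, the script below wraps the two requests he makes and, before sending the bearer token to a realm's client-registration endpoint, decodes the token's `iss` claim locally and checks that the issuing realm is the realm being called. That local check is exactly the mismatch he diagnoses: a token issued by `master` presented to `/realms/{realm}/...` is validated against the wrong realm's key and is refused. The server URL is a placeholder, the registration path assumes Keycloak's `clients-registrations/<provider>` layout, and the demo token is constructed in the script with a dummy signature; the claims are read without signature verification, which is only a client-side sanity check and never a substitute for the server's own validation.

```shell
#!/bin/sh
# Added example, not code from the original post or from Keycloak.
# Assumptions: KEYCLOAK_BASE is a placeholder URL; the client-registration
# path follows Keycloak's clients-registrations/<provider> layout; the demo
# token is constructed locally with a dummy signature (never verified here).

KEYCLOAK_BASE="${KEYCLOAK_BASE:-https://keycloak.example.test/auth}"  # placeholder

# base64url helpers (JWT segments are unpadded base64url)
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr -- '+/' '-_'
}
b64url_decode() {
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Claims are read WITHOUT signature verification: this is a local sanity
# check before calling the server, not a substitute for the server's check.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }
jwt_claim()   { jwt_payload "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"; }

# Realm name is the last path segment of the "iss" claim (.../realms/<name>).
issuer_realm() {
  iss=$(jwt_claim "$1" iss)
  printf '%s' "${iss##*/realms/}"
}

# Succeeds only when the token was issued by the realm we are about to call.
# A master-realm token sent to /realms/<other>/... is what yields the
# "Invalid signature" 403 described in the post.
token_realm_matches() { [ "$(issuer_realm "$1")" = "$2" ]; }

# Build a syntactically valid JWT with a dummy signature for offline demos.
make_demo_token() {  # make_demo_token <issuer-url> <client_id>
  hdr=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
  pl=$(b64url_encode "{\"iss\":\"$1\",\"azp\":\"$2\",\"typ\":\"Bearer\"}")
  printf '%s.%s.%s' "$hdr" "$pl" "$(b64url_encode 'dummy-signature')"
}

# Password grant against a realm's token endpoint (the request in the post).
get_token() {  # get_token <realm> <client_id> <user> <password>
  curl -sS -X POST "$KEYCLOAK_BASE/realms/$1/protocol/openid-connect/token" \
    -d grant_type=password -d "client_id=$2" -d "username=$3" -d "password=$4" \
  | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Register a SAML SP from its entity descriptor, refusing a cross-realm token.
register_saml_client() {  # register_saml_client <realm> <token> <descriptor.xml>
  if ! token_realm_matches "$2" "$1"; then
    echo "token issued by realm '$(issuer_realm "$2")', endpoint is realm '$1'" >&2
    return 2
  fi
  curl -sS -X POST \
    "$KEYCLOAK_BASE/realms/$1/clients-registrations/saml2-entity-descriptor" \
    -H "Authorization: Bearer $2" -H 'Content-Type: application/xml' \
    --data-binary "@$3"
}

# Demo: a master-realm token checked against realm "demo" is rejected locally.
if [ "${1:-}" = "demo" ]; then
  tok=$(make_demo_token "$KEYCLOAK_BASE/realms/master" admin-cli)
  echo "token realm: $(issuer_realm "$tok")  client: $(jwt_claim "$tok" azp)"
  token_realm_matches "$tok" demo || echo "mismatch: would get 403 from /realms/demo"
fi
```

Run `sh script.sh demo` to see the offline check on the constructed token; for a live server, `tok=$(get_token master admin-cli user pass)` followed by `register_saml_client demo "$tok" sp.xml` reproduces the post's sequence and stops at the realm mismatch before the request is sent.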

