[keycloak-dev] client creation using bearer token

Stian Thorgersen sthorger at redhat.com
Tue Mar 8 00:51:11 EST 2016


Client registration service can only be invoked by a user from the realm
you are creating a client in, so users in the master realm can only create
clients in the master realm.

IMO you should use the client registration services, supported initial
access tokens and leave realm creation to another process. Creating a realm
is part of installing the Keycloak server, not installing the client.

On 8 March 2016 at 01:14, John Dennis <jdennis at redhat.com> wrote:

> Chapter 9.1.1 of the Keycloak Reference Guide
> (http://keycloak.github.io/docs/userguide/keycloak-server/html/index.html)
> says that a bearer token can be used to register a client provided the
> user has the create-client or manage-client role on the realm.
>
> Chapter 6 discusses how to create a user in the master realm who can
> administer a specific realm. I followed those instructions and created
> a user and assigned them the create-client role in the desired realm.
>
> I then obtained a token for that user by posting to
> auth/realms/master/protocol/openid-connect/token with the username and
> password for the realm administrator I created along with the
> client-id of "admin-cli" (not sure if this is the right client id for
> this purpose, can someone explain selecting the proper client id?).
>
> I received back a token and then used this as an authorization bearer
> token when POSTing to the
> auth/realms/{realm}/clients/saml2-entity-descriptor to create a SAML
> SP client in the realm. However this fails with a 403 Forbidden
> response and the message "Invalid signature".
>
> This error seems to be generated by the ClientRegistrationTokenUtils
> class in the method parseToken() which is called in the init() method
> of the ClientRegistrationAuth class. As far as I can tell the
> parseToken() method is using the public key for the realm. But the
> token is not from the realm, the token is from the master realm where
> the realm's admin is located.
>
> For the bearer token to work when registering a client it would seem
> the token would have to belong to a user in the realm, not the master
> realm as discussed in Chapter 6.
>
> How is client creation supposed to work with a bearer token instead of
> using an initial access token?
>
> --
> John
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
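An added pre-flight check for the failure described in this thread (example code, not from the thread and not part of Keycloak): it reads the unverified `iss` claim of a bearer token and reports whether the token was issued by the realm the client is to be registered in, which is the realm whose public key the registration service uses to verify the signature. It assumes Keycloak's issuer format `<base>/auth/realms/<realm>` and constructs sample tokens with a dummy signature.

```python
import base64
import json

# Keycloak sets the "iss" claim to <server-base>/auth/realms/<realm>.
# The client registration service verifies a bearer token with the public
# key of the realm named in the request path, so a token issued by the
# master realm fails with "Invalid signature" against any other realm.


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in compact JWTs."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_issuer(token: str) -> str:
    """Return the 'iss' claim of a JWT. The signature is NOT verified here;
    this only tells you which realm minted the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return payload["iss"]


def issuer_realm(issuer: str) -> str:
    """Extract the realm name from a Keycloak issuer URL (assumed format)."""
    marker = "/realms/"
    if marker not in issuer:
        raise ValueError(f"unexpected issuer: {issuer}")
    return issuer.split(marker, 1)[1].split("/", 1)[0]


def token_matches_realm(token: str, target_realm: str) -> bool:
    """True if the token came from the realm the client will be registered in."""
    return issuer_realm(token_issuer(token)) == target_realm


def make_unsigned_test_token(issuer: str) -> str:
    """Constructed sample token with a dummy signature, for demonstration only."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": "demo-user", "preferred_username": "realm-admin"}

    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"
```

Running the check before calling the registration endpoint distinguishes a wrong-realm token from a genuinely bad signature; a token obtained from `/auth/realms/master/protocol/openid-connect/token` will always fail this check for a non-master target realm.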

