[keycloak-user] Multi tenant plus administration Rest api

Marek Posolda mposolda at redhat.com
Wed Jul 8 06:20:26 EDT 2015


It looks like an authorization issue. Your user either doesn't have 
the required roles or your client is missing scopes (which means that roles 
are not propagated to the accessToken).

To just view roles, you need the role "view-realm" of the client 
"realm-management".

Marek
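A quick way to check Marek's diagnosis against the token the servlet is sending, as an added example (not code from the thread or from Keycloak; Python rather than Java because the check is independent of the servlet): decode the access token's payload and see whether the realm-management client role view-realm is actually present under resource_access. The two sample tokens, the realm name tenant1 and the azp value are constructed; the decoder reads claims without verifying the signature, so it is a debugging aid only, not something to authorize on.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(jwt: str) -> dict:
    """Payload claims of a compact JWT. No signature check: this is a debugging
    aid for seeing what Keycloak put in the token, not an authorization check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def client_roles(claims: dict, client_id: str) -> set:
    # Keycloak puts client roles under resource_access.<clientId>.roles
    # (realm roles live under realm_access.roles)
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))

def missing_admin_roles(jwt: str, required=("view-realm",),
                        client_id: str = "realm-management") -> list:
    """Required realm-management roles absent from the token; an empty list
    means the roles endpoint should not reject the call on that role check."""
    return sorted(set(required) - client_roles(decode_claims(jwt), client_id))

def _sample_token(claims: dict) -> str:
    # Constructed stand-in for a Keycloak access token: real ones are
    # RS256-signed; the signature segment here is a dummy
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"

# Constructed samples: a user holding view-realm on realm-management, and a
# token where that client role was not propagated (e.g. missing client scope)
TOKEN_WITH_ROLE = _sample_token({
    "iss": "http://localhost:8080/auth/realms/tenant1", "azp": "multi-tenant",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"realm-management": {"roles": ["view-realm", "view-users"]}},
})
TOKEN_WITHOUT_ROLE = _sample_token({
    "iss": "http://localhost:8080/auth/realms/tenant1", "azp": "multi-tenant",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"account": {"roles": ["view-profile"]}},
})

if __name__ == "__main__":
    for name, tok in (("with role", TOKEN_WITH_ROLE), ("without role", TOKEN_WITHOUT_ROLE)):
        print(name, "-> missing:", missing_admin_roles(tok))
```

Paste the value of getTokenString() in place of a sample token: if view-realm is reported missing, the fix is on the Keycloak side (role mapping or client scope), not in the servlet.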

On 7.7.2015 18:46, Stephen More wrote:
> I have tried to add:
>         org.keycloak.representations.IDToken idToken = 
> principal.getKeycloakSecurityContext().getIdToken();
>         org.keycloak.representations.AccessToken token = 
> principal.getKeycloakSecurityContext().getToken();
>
>         writer.write("<br/>Access Token id: " + token.getId());
>         writer.write("<br/>Access Token String: " + 
> principal.getKeycloakSecurityContext().getTokenString());
>         writer.write("<br/>ID Token id: " + idToken.getId());
>         writer.write("<br/>ID Token String: " + 
> principal.getKeycloakSecurityContext().getIdTokenString());
>
>         writer.write(String.format("<br/><a 
> href=\"/multitenant/%s/logout\">Logout</a>", realm));
>
>         try
>         {
>                 java.net.URL url = new java.net.URL( 
> "http://localhost:8080/auth/admin/realms/" + 
> principal.getKeycloakSecurityContext().getRealm() + "/roles" );
>                 java.net.HttpURLConnection conn = 
> (java.net.HttpURLConnection)url.openConnection();
>                 conn.setRequestMethod( "GET" );
>                 conn.setRequestProperty("Authorization", "Bearer " + 
> principal.getKeycloakSecurityContext().getTokenString());
>                 java.io.BufferedReader in = new 
> java.io.BufferedReader( new java.io.InputStreamReader( 
> conn.getInputStream()));
>                 String line;
>                 while ((line = in.readLine()) != null)
>                 {
>                     writer.write( line );
>                 }
>                 in.close();
>         }
>         catch( Exception e )
>         {
>                 e.printStackTrace();
>         }
>
> to 
> keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
>
> But I am getting an error:
> 12:28:28,317 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default 
> task-16) Failed executing GET /admin/realms/tenant1/roles: 
> org.keycloak.services.ForbiddenException
>
>
> In stepping through the AdminClient of the admin-access-app I have 
> found an example bearer token was 1157 characters long.
>
> principal.getKeycloakSecurityContext().getIdTokenString() turned out 
> to be 645 characters long.
>
> principal.getKeycloakSecurityContext().getTokenString() turned out to 
> be 865 characters long.
>
>
> What is it that I am missing ?
>
> On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke <bburke at redhat.com> wrote:
>
>     The access token should already be available.
>
>     On 7/7/2015 10:01 AM, Stephen More wrote:
>     > Or perhaps a better question would be: Once a user is already logged
>     > into keycloak, how can a
>     > org.keycloak.representations.AccessTokenResponse without providing a
>     > password a second time ?
>     >
>     > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More <stephen.more at gmail.com> wrote:
>     >
>     >     How could I extend the multi-tenant example (
>     >     https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>     >     ) to make a Rest admin api call back to keycloak using java ?
>     >
>     >     I think this would be a helpful example in upcoming releases.
>     >
>     >     Thanks
>     >
>     >
>     >
>     >
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>     >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>
>
>
>
