[keycloak-user] Multi tenant plus administration Rest api

Stephen More stephen.more at gmail.com
Sat Jul 11 07:33:12 EDT 2015


I added:
   "realm-management": [ "realm-admin" ],
to:
   "clientRoles": {

Now I am getting:
    07:25:37,948 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-92) Failed executing GET /admin/realms/tenant1/roles: org.jboss.resteasy.spi.UnauthorizedException: Bearer
        at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152)
        at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:183)
        at sun.reflect.GeneratedMethodAccessor339.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)



On Wed, Jul 8, 2015 at 6:20 AM, Marek Posolda <mposolda at redhat.com> wrote:

>  It looks like an authorization issue. Your user either doesn't have the
> required roles or your client is missing scopes (which means that roles are
> not propagated to the accessToken).
>
> To just view roles, you need the role "view-realm" of client
> "realm-management".
>
> Marek
>
>
> On 7.7.2015 18:46, Stephen More wrote:
>
>  I have tried to add:
>         org.keycloak.representations.IDToken idToken = principal.getKeycloakSecurityContext().getIdToken();
>         org.keycloak.representations.AccessToken token = principal.getKeycloakSecurityContext().getToken();
>
>         writer.write("<br/>Access Token id: " + token.getId());
>         writer.write("<br/>Access Token String: " + principal.getKeycloakSecurityContext().getTokenString());
>         writer.write("<br/>ID Token id: " + idToken.getId());
>         writer.write("<br/>ID Token String: " + principal.getKeycloakSecurityContext().getIdTokenString());
>
>         writer.write(String.format("<br/><a href=\"/multitenant/%s/logout\">Logout</a>", realm));
>
>         try
>         {
>                 java.net.URL url = new java.net.URL( "http://localhost:8080/auth/admin/realms/" + principal.getKeycloakSecurityContext().getRealm() + "/roles" );
>                 java.net.HttpURLConnection conn = (java.net.HttpURLConnection)url.openConnection();
>                 conn.setRequestMethod( "GET" );
>                 conn.setRequestProperty("Authorization", "Bearer " + principal.getKeycloakSecurityContext().getTokenString());
>                 java.io.BufferedReader in = new java.io.BufferedReader( new java.io.InputStreamReader( conn.getInputStream()));
>                 String line;
>                 while ((line = in.readLine()) != null)
>                 {
>                     writer.write( line );
>                 }
>                 in.close();
>         }
>         catch( Exception e )
>         {
>                 e.printStackTrace();
>         }
>
>  to
> keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
>
>  But I am getting an error:
> 12:28:28,317 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-16) Failed executing GET /admin/realms/tenant1/roles: org.keycloak.services.ForbiddenException
>
>
> In stepping through the AdminClient of the admin-access-app I have found
> an example bearer token was 1157 characters long.
>
> principal.getKeycloakSecurityContext().getIdTokenString() turned out to be
> 645 characters long.
>
> principal.getKeycloakSecurityContext().getTokenString() turned out to be
> 865 characters long.
>
>
>  What is it that I am missing?
>
> On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke <bburke at redhat.com> wrote:
>
>> The access token should already be available.
>>
>> On 7/7/2015 10:01 AM, Stephen More wrote:
>> > Or perhaps a better question would be: Once a user is already logged
>> > into keycloak, how can a
>> > org.keycloak.representations.AccessTokenResponse without providing a
>> > password a second time ?
>> >
>> > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More <stephen.more at gmail.com
>> > <mailto:stephen.more at gmail.com>> wrote:
>> >
>> >     How could I extend the multi-tenant example
>> >     (https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant)
>> >     to make a Rest admin api call back to keycloak using java?
>> >
>> >     I think this would be a helpful example in upcoming releases.
>> >
>> >     Thanks
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>
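As an added diagnostic (not code from this thread or from Keycloak), the following Python decodes an access token's payload and reports why GET /admin/realms/<realm>/roles would be refused: a 403 (ForbiddenException) means the token was accepted but lacks the "view-realm" role of client "realm-management" that Marek names, which is exactly the case where the user lacks the role or the client's scope does not propagate it into resource_access, while a 401 (UnauthorizedException: Bearer) means the token itself was not accepted, for example because it has expired. The sample token is constructed inline, the issuer URL follows the page's http://localhost:8080/auth base, and no signature is verified, so this is for inspection only, never for an authorization decision.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(realm: str, client_roles: dict, exp_offset: int = 3600) -> str:
    """Constructed, unsigned JWT-shaped token mimicking Keycloak's access token claims."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": f"http://localhost:8080/auth/realms/{realm}",
        "exp": int(time.time()) + exp_offset,
        # Keycloak places client roles under resource_access.<client>.roles
        "resource_access": {c: {"roles": r} for c, r in client_roles.items()},
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "signature-placeholder"])


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_admin_token(token: str, realm: str, required_role: str = "view-realm",
                      now: float = None) -> list:
    """Return the reasons this token would be refused for /admin/realms/<realm>/roles."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token expired (expect 401 Unauthorized)")
    if not claims.get("iss", "").endswith(f"/realms/{realm}"):
        problems.append(f"token issued by {claims.get('iss')}, not by realm {realm}")
    roles = claims.get("resource_access", {}).get("realm-management", {}).get("roles", [])
    if required_role not in roles:
        problems.append(f"missing client role realm-management/{required_role} in "
                        "resource_access: user lacks it or client scope does not "
                        "propagate it (expect 403 Forbidden)")
    return problems
```

Run it against the real token string from getTokenString() to see which of the two failure modes applies before changing roles or scopes; echoing raw token strings into the served page, as the debug servlet above does, leaks a bearer credential and should stay confined to local debugging.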