[keycloak-user] Looking for a non Admin Java client

Chris Savory chris.savory at edlogics.com
Thu Oct 6 10:15:30 EDT 2016


We have a JS App that is making XHR calls to our server to update the user’s profile.  The server will save some of the profile data (e.g preferences) locally and then update some of the data in keycloak (e.g. name, email). 

Currently the way our server is setup, all of the Tomcat/Spring to Keycloak calls are done to via the keycloak-admin-client as a single user who has a realm admin role. 

For example, on that update call that I previously mentioned, here is the java code that uses the admin client to perform the update with an admin user token (not the logged in user).

	@PostConstruct
	public void initilization() {
		keyCloak = KeycloakBuilder.builder()
				.serverUrl( applicationSettings.getKeycloakApplicationProperties().getAuthServerUrl() )
				.realm( applicationSettings.getKeycloakApplicationProperties().getRealm() )
				.username( applicationSettings.getKeycloakApplicationProperties().getRestClientAdminUser() )
				.password( applicationSettings.getKeycloakApplicationProperties().getRestClientAdminPassword() )
				.clientId( applicationSettings.getKeycloakApplicationProperties().getRestClientAdmin() )
				.resteasyClient( new ResteasyClientBuilder().connectionPoolSize( 20 ).build() )
				.build();
	}

public void updateUser( String userId, UserRepresentation userRep ) {
   keyCloak.realm( applicationSettings.getKeycloakApplicationProperties().getRealm() )
         .users().get( userId ).update( userRep );

}

Looking at the API for updating a user, http://www.keycloak.org/docs/rest-api/index.html#_update_the_user It appears that I can call that with the logged in user’s token and not a generic admin account.  This would be better for auditing since all the updates wouldn’t come from a generic admin account.  

Is there a preferred way to do this?  Should I create a rest template to make this PUT call or just simply use the admin java client to make a call on behalf of a regular user?  I’m pretty sure I could get the logged in user’s token out of the Spring Security context, but there is no way to inject that into the Keycloak admin client object; that object wants the user’s username and pw to establish a token.   

I’m looking on some direction on what is the preferred way to do this.


--
Christopher Savory
Software Engineer | EdLogics
 



From: Stian Thorgersen <sthorger at redhat.com>
Reply-To: "stian at redhat.com" <stian at redhat.com>
Date: Thursday, October 6, 2016 at 7:37 AM
To: Chris Savory <chris.savory at edlogics.com>
Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>, David Hartfield <david.hartfield at edlogics.com>, Danilo Bonilla <danilo.bonilla at edlogics.com>, Ali Elhajj <ali.elhajj at edlogics.com>
Subject: Re: [keycloak-user] Looking for a non Admin Java client

I'm honestly lost in what you're trying to achieve, can you please try to explain it again?

On 4 October 2016 at 06:51, Chris Savory <chris.savory at edlogics.com> wrote:
I can use the Admin endpoints, but I would have thought you had to be at least realm-admin to do that.  Are you saying that a user can use the Admin Endpoints/Clent for urls directly related to themselves?  If so, then we can just use that.

--
Christopher Savory
Software Engineer | EdLogics


From: Stian Thorgersen <sthorger at redhat.com>
Reply-To: "stian at redhat.com" <stian at redhat.com>
Date: Monday, October 3, 2016 at 10:32 PM
To: Chris Savory <chris.savory at edlogics.com>
Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>, David Hartfield <david.hartfield at edlogics.com>, Danilo Bonilla <danilo.bonilla at edlogics.com>, Ali Elhajj <ali.elhajj at edlogics.com>
Subject: Re: [keycloak-user] Looking for a non Admin Java client

Are you saying you want to invoke the Keycloak admin endpoints? You are currently using the Keycloak Java Admin Client, but you want to use something else? Why use something else when you already have something?

On 3 October 2016 at 23:21, Chris Savory <chris.savory at edlogics.com> wrote:
We need to make several types of calls to KeyCloak from the server side of our application.  Some are in the context of a logged in user and others are not.  We have the latter case handled right now by using the KeyCloak Admin Client.   But we are unable to locate another Java client for the purposes of making calls to KC for the currently authenticated user.  I have found the AuthZ Client, but that appears to just be for authenticating.

The particular use case I’m researching now is we have an endpoint like /profile-service/users/current, which will return the currently logged in user profile.  Some of that information comes from KC and some comes from the local app database.  Currently we the app configured to make the server-side call as a KC admin while it is orchestrating this data, but I’d prefer for the user to use the same credentials as it did when it came to the server with a BEARER token.  This will help us when it comes to auditing, especially for updates.

Does such a java client exist? Or do I need to use the KeycloakRestTemplate to make those calls to KC?


--
Christopher Savory
Software Engineer | EdLogics



_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user








More information about the keycloak-user mailing list