[keycloak-user] Looking for a non Admin Java client

Stian Thorgersen sthorger at redhat.com
Fri Oct 7 00:55:50 EDT 2016


There's no REST API for users to access directly. We plan to add it at some
point, see https://issues.jboss.org/browse/KEYCLOAK-943.

On 6 October 2016 at 16:15, Chris Savory <chris.savory at edlogics.com> wrote:

> We have a JS App that is making XHR calls to our server to update the
> user’s profile.  The server will save some of the profile data (e.g.
> preferences) locally and then update some of the data in keycloak (e.g.
> name, email).
>
> Currently the way our server is set up, all of the Tomcat/Spring to
> Keycloak calls are done via the keycloak-admin-client as a single user
> who has a realm admin role.
>
> For example, on that update call that I previously mentioned, here is the
> java code that uses the admin client to perform the update with an admin
> user token (not the logged in user).
>
>         @PostConstruct
>         public void initilization() {
>                 keyCloak = KeycloakBuilder.builder()
>                                 .serverUrl( applicationSettings.getKeycloakApplicationProperties().getAuthServerUrl() )
>                                 .realm( applicationSettings.getKeycloakApplicationProperties().getRealm() )
>                                 .username( applicationSettings.getKeycloakApplicationProperties().getRestClientAdminUser() )
>                                 .password( applicationSettings.getKeycloakApplicationProperties().getRestClientAdminPassword() )
>                                 .clientId( applicationSettings.getKeycloakApplicationProperties().getRestClientAdmin() )
>                                 .resteasyClient( new ResteasyClientBuilder().connectionPoolSize( 20 ).build() )
>                                 .build();
>         }
>
>         public void updateUser( String userId, UserRepresentation userRep ) {
>                 keyCloak.realm( applicationSettings.getKeycloakApplicationProperties().getRealm() )
>                                 .users().get( userId ).update( userRep );
>         }
>
> Looking at the API for updating a user,
> http://www.keycloak.org/docs/rest-api/index.html#_update_the_user
> It appears that I can call that with the logged in user’s token and not a
> generic admin account.  This would be better for auditing since all the
> updates wouldn’t come from a generic admin account.
>
> Is there a preferred way to do this?  Should I create a rest template to
> make this PUT call or just simply use the admin java client to make a call
> on behalf of a regular user?  I’m pretty sure I could get the logged in
> user’s token out of the Spring Security context, but there is no way to
> inject that into the Keycloak admin client object; that object wants the
> user’s username and pw to establish a token.
>
> I’m looking for some direction on what is the preferred way to do this.
>
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
>
>
>
> From: Stian Thorgersen <sthorger at redhat.com>
> Reply-To: "stian at redhat.com" <stian at redhat.com>
> Date: Thursday, October 6, 2016 at 7:37 AM
> To: Chris Savory <chris.savory at edlogics.com>
> Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>,
> David Hartfield <david.hartfield at edlogics.com>, Danilo Bonilla <
> danilo.bonilla at edlogics.com>, Ali Elhajj <ali.elhajj at edlogics.com>
> Subject: Re: [keycloak-user] Looking for a non Admin Java client
>
> I'm honestly lost in what you're trying to achieve, can you please try to
> explain it again?
>
> On 4 October 2016 at 06:51, Chris Savory <chris.savory at edlogics.com>
> wrote:
> I can use the Admin endpoints, but I would have thought you had to be at
> least realm-admin to do that.  Are you saying that a user can use the Admin
> Endpoints/Client for urls directly related to themselves?  If so, then we
> can just use that.
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
>
> From: Stian Thorgersen <sthorger at redhat.com>
> Reply-To: "stian at redhat.com" <stian at redhat.com>
> Date: Monday, October 3, 2016 at 10:32 PM
> To: Chris Savory <chris.savory at edlogics.com>
> Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>,
> David Hartfield <david.hartfield at edlogics.com>, Danilo Bonilla <
> danilo.bonilla at edlogics.com>, Ali Elhajj <ali.elhajj at edlogics.com>
> Subject: Re: [keycloak-user] Looking for a non Admin Java client
>
> Are you saying you want to invoke the Keycloak admin endpoints? You are
> currently using the Keycloak Java Admin Client, but you want to use
> something else? Why use something else when you already have something?
>
> On 3 October 2016 at 23:21, Chris Savory <chris.savory at edlogics.com>
> wrote:
> We need to make several types of calls to KeyCloak from the server side of
> our application.  Some are in the context of a logged in user and others
> are not.  We have the latter case handled right now by using the KeyCloak
> Admin Client.   But we are unable to locate another Java client for the
> purposes of making calls to KC for the currently authenticated user.  I
> have found the AuthZ Client, but that appears to just be for authenticating.
>
> The particular use case I’m researching now is we have an endpoint like
> /profile-service/users/current, which will return the currently logged in
> user profile.  Some of that information comes from KC and some comes from
> the local app database.  Currently we have the app configured to make the
> server-side call as a KC admin while it is orchestrating this data, but I’d
> prefer for the user to use the same credentials as it did when it came to
> the server with a BEARER token.  This will help us when it comes to
> auditing, especially for updates.
>
> Does such a java client exist? Or do I need to use the
> KeycloakRestTemplate to make those calls to KC?
>
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
>
>
>
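
Because the reply says there is no user-facing REST API, the update in this thread keeps going through the realm-admin client, so the server has to tie the target user to the caller and record who actually acted. The sketch below is an added example, not code from the thread or from Keycloak; `SelfServiceProfileUpdater` and its method names are hypothetical, and it assumes the bearer token was already validated and that its subject is the Keycloak user id.

```java
import java.util.logging.Logger;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.UserRepresentation;

// Added example; class, method and logger names are hypothetical.
public class SelfServiceProfileUpdater {
    private static final Logger AUDIT = Logger.getLogger("audit.profile");
    private final Keycloak adminClient; // built with the admin account, as in the post
    private final String realm;

    public SelfServiceProfileUpdater(Keycloak adminClient, String realm) {
        this.adminClient = adminClient;
        this.realm = realm;
    }

    // tokenSubject: "sub" claim of the caller's already-validated bearer token
    // targetUserId: Keycloak user id taken from the request
    // requested:    representation deserialized from the request body
    public void updateOwnProfile(String tokenSubject, String targetUserId,
                                 UserRepresentation requested) {
        // The admin client can modify any user in the realm, so the link
        // between caller and target must be enforced on this side.
        if (tokenSubject == null || !tokenSubject.equals(targetUserId)) {
            AUDIT.warning("denied profile update: actor=" + clean(tokenSubject)
                    + " target=" + clean(targetUserId));
            throw new SecurityException("caller may only update their own profile");
        }

        // Copy only the self-service fields. The client-supplied representation
        // has many more settable fields (enabled, attributes, ...): do not forward it.
        UserRepresentation allowed = new UserRepresentation();
        allowed.setFirstName(requested.getFirstName());
        allowed.setLastName(requested.getLastName());
        allowed.setEmail(requested.getEmail());

        adminClient.realm(realm).users().get(targetUserId).update(allowed);

        // Keycloak sees the admin account as the caller; keep the real actor here.
        AUDIT.info("profile updated: actor=" + clean(tokenSubject)
                + " fields=firstName,lastName,email via=admin-client");
    }

    // Strip line breaks so request-supplied values cannot forge audit lines.
    private static String clean(String s) {
        return s == null ? "null" : s.replaceAll("[\\r\\n]", "_");
    }
}
```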

