[keycloak-user] Service Account enable by default for clients, how?

Sven Thoms sven.thoms at gmail.com
Wed Jan 11 06:42:29 EST 2017


Hello Sebastien


Your PUT to the client registration endpoint made clear to me why I was not
able to set service accounts to enabled in the oidc endpoint request at

https://host/auth/realms/myrealm/clients-registrations/openid-connect

As I see it, it has to do with provider type oidc vs. default, with
different objects behind it:

https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/oidc/OIDCClientRepresentation.java

vs.

https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java

After I POST to https://host/auth/realms/myrealm/clients-registrations/openid-connect
a simple

{ "client_name": "aclient", "redirect_uris" : ["https://clienturl/callback"] }


and then use the registration access token returned to update / PUT the
client (under clients-registrations/default/...)


I get a 500 server error, but the service account is enabled correctly for
that client.


Here is my verbose CURL output


curl -v -X PUT \
>     -d '{ "clientId": "dynamic_client_id_returned_from_oidc",
"serviceAccountsEnabled": true }' \
>     -H "Content-Type:application/json" \
>     -H "Authorization: bearer registration_access_token_from_oidc" \
> https://host/auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: xxx
* Server certificate: xxx
> PUT /auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc HTTP/1.1
> Host: localhost
> User-Agent: curl/7.43.0
> Accept: */*
> Content-Type:application/json
> Authorization: bearer registration_access_token_from_oidc
> Content-Length: 86
>
* upload completely sent off: 86 out of 86 bytes
< HTTP/1.1 500 Internal Server Error
< Connection: keep-alive
< X-Powered-By: Undertow/1
< Server: WildFly/10
< Content-Type: text/html
< Content-Length: 155
< Date: Wed, 11 Jan 2017 11:24:02 GMT
<
* Connection #0 to host localhost left intact
Could not find MessageBodyWriter for response object of type:
org.keycloak.representations.idm.ClientRepresentation of media type:
application/octet-stream

On 11.01.2017 9:12 AM, "Sebastien Blanc" <sblanc at redhat.com> wrote:

> Yes I was talking about the registration_endpoint , I just did the test
> with something like :
>
> curl -X PUT \
>     -d '{ "clientId": "testclient", "serviceAccountsEnabled": true }' \
>     -H "Content-Type:application/json" \
>     -H "Authorization: bearer my_registration_access_token" \
> http://localhost:8080/auth/realms/myrealm/clients-registrations/default/
> testclient
>
> My Service Accounts for this client is then enabled but Keycloak fails to
> return a response for this PUT request. So I'm not able to get the new
> registration access token.
>
> Could you try this request and if it fails for you as well I will open a
> ticket ?
>
> Seb
>
>
>
> On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms <sven.thoms at gmail.com> wrote:
>
>> Hello Sebastien
>>
>> Are you talking about the Admin REST endpoint or the
>> registration_endpoint defined at
>> /auth/realms/[realmname]/.well-known/openid-configuration?
>>
>> I am trying to submit a registration request via registration_endpoint
>> and submit a field enabling the service account.
>>
>> According to the openid connect dynamic client registration documentation
>> at openid.net,  the request payload is non-normative, I am just not able
>> to enable service account that way.
>>
>> On 10.01.2017 10:32 AM, "Sebastien Blanc" <sblanc at redhat.com> wrote:
>>
>>> I haven't tried it but when registering the client, in the payload, the
>>> ClientRepresentation, there is a serviceAccountsEnabled field , so maybe
>>> "service-accounts-enabled : true will do the trick ?
>>>
>>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms <sven.thoms at gmail.com>
>>> wrote:
>>>
>>>> Is it possible via a setting to automatically enable clients registered
>>>> dynamically via the well-known registration endpoint and registration
>>>> access token?  My current approach is to iterate over all clients
>>>> post-creation and set serviceaccountsEnabled to true. I need a more
>>>> prompt and real-time way.
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>


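The two-step flow discussed in this thread (POST an OIDC registration to the openid-connect endpoint, then PUT a ClientRepresentation with serviceAccountsEnabled to the default endpoint using the returned registration access token), as an added example that is not code from the thread or from the Keycloak project. The HTTP transport is a plain callable so the flow runs offline against FakeKeycloak, a constructed stand-in that reproduces only what the thread reports (the PUT sets the flag but answers 500 with the MessageBodyWriter error); its token rotation on GET, the BASE URL and all token values are assumptions for the example. The point it shows: a failed PUT must not be read as "nothing changed", so the client is read back and whichever registration access token comes back is the one to persist.

```python
"""Keycloak dynamic client registration + enabling the service account.
Added example, not code from the thread or from Keycloak. Field names
(client_name, redirect_uris, client_id, registration_access_token,
clientId, serviceAccountsEnabled) and paths are those shown in the thread."""
import json
import urllib.error
import urllib.request


def urllib_send(method, url, headers, body):
    """Real transport: returns (status, headers, text); does not raise on 4xx/5xx."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode(errors="replace")


def register_oidc_client(send, base, initial_token, client_name, redirect_uris):
    """POST an OIDCClientRepresentation; returns (client_id, registration_access_token)."""
    status, _, body = send(
        "POST", f"{base}/clients-registrations/openid-connect",
        {"Content-Type": "application/json", "Authorization": f"bearer {initial_token}"},
        json.dumps({"client_name": client_name, "redirect_uris": redirect_uris}))
    if status != 201:
        raise RuntimeError(f"registration failed: HTTP {status}: {body}")
    rep = json.loads(body)
    return rep["client_id"], rep["registration_access_token"]


def enable_service_account(send, base, client_id, reg_token):
    """PUT serviceAccountsEnabled on the 'default' endpoint; returns (enabled, token_to_persist).
    A non-2xx answer is verified with GET rather than assumed to mean "not applied",
    because the thread shows the flag being set even though the PUT returned 500."""
    url = f"{base}/clients-registrations/default/{client_id}"
    auth = {"Authorization": f"bearer {reg_token}"}
    status, _, body = send(
        "PUT", url, {**auth, "Content-Type": "application/json"},
        json.dumps({"clientId": client_id, "serviceAccountsEnabled": True}))
    if status >= 300:
        status, _, body = send("GET", url, auth, None)  # read the actual state back
        if status == 401:
            raise RuntimeError("registration access token no longer accepted; "
                               "issue a new one through the admin console/API")
        if status != 200:
            raise RuntimeError(f"could not read client back: HTTP {status}: {body}")
    rep = json.loads(body)
    # Any registrationAccessToken in the response replaces the stored one.
    return bool(rep.get("serviceAccountsEnabled")), rep.get("registrationAccessToken", reg_token)


class FakeKeycloak:
    """Constructed stand-in reproducing the thread's symptom offline (assumption:
    the token rotates on GET, to exercise the persist-the-new-token path)."""

    def __init__(self):
        self.clients = {}
        self._issued = 0

    def _new_token(self):
        self._issued += 1
        return f"rat-{self._issued}"

    def send(self, method, url, headers, body):
        path = url.split("/clients-registrations/", 1)[1]
        if method == "POST" and path == "openid-connect":
            req = json.loads(body)
            cid = f"client-{len(self.clients) + 1}"
            self.clients[cid] = {"clientId": cid, "redirectUris": req["redirect_uris"],
                                 "serviceAccountsEnabled": False, "token": self._new_token()}
            return 201, {"Content-Type": "application/json"}, json.dumps(
                {"client_id": cid, "registration_access_token": self.clients[cid]["token"]})
        kind, _, cid = path.partition("/")
        client = self.clients.get(cid) if kind == "default" else None
        if client is None:
            return 404, {}, "not found"
        if headers.get("Authorization") != f"bearer {client['token']}":
            return 401, {}, "invalid registration access token"
        if method == "PUT":  # flag is applied, but the response fails as in the thread
            client["serviceAccountsEnabled"] = bool(json.loads(body).get("serviceAccountsEnabled"))
            return 500, {"Content-Type": "text/html"}, (
                "Could not find MessageBodyWriter for response object of type: "
                "org.keycloak.representations.idm.ClientRepresentation "
                "of media type: application/octet-stream")
        if method == "GET":
            client["token"] = self._new_token()
            rep = {k: v for k, v in client.items() if k != "token"}
            rep["registrationAccessToken"] = client["token"]
            return 200, {"Content-Type": "application/json"}, json.dumps(rep)
        return 405, {}, "method not allowed"


BASE = "https://host/auth/realms/myrealm"  # placeholder realm URL as used in the thread


def demo(server=None):
    """Run the flow end to end; returns (client_id, enabled, token_to_persist)."""
    server = server or FakeKeycloak()
    cid, tok = register_oidc_client(server.send, BASE, "initial-access-token",
                                    "aclient", ["https://clienturl/callback"])
    enabled, tok = enable_service_account(server.send, BASE, cid, tok)
    return cid, enabled, tok
```

Against a real server, pass `urllib_send` instead of `FakeKeycloak().send`; `demo()` with no argument runs the offline simulation. The token returned by `enable_service_account` is the one to store, since the previous one may no longer be accepted once the server has rotated it.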