[keycloak-user] Service Account enable by default for clients, how?

Sebastien Blanc sblanc at redhat.com
Wed Jan 11 06:48:22 EST 2017


Thanks! So we have a bug on the PUT endpoint for the response, let me
open a ticket for that.



On Wed, Jan 11, 2017 at 12:42 PM, Sven Thoms <sven.thoms at gmail.com> wrote:

> Hello Sebastien
>
>
> Your PUT to the client registration endpoint made clear to me why I was
> not able to set service accounts to enabled in the oidc endpoint request at
>
>
> https://host/auth/realms/myrealm/clients-registrations/openid-connect
>
>
> As I see it, it has to do with provider type
>
>
> oidc vs.
>
>
> default
>
>
> with different objects behind it
>
>
> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/oidc/OIDCClientRepresentation.java
>
>
> vs.
>
>
> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java
>
>
> After I POST to https://host/auth/realms/myrealm/clients-registrations/openid-connect a simple
>
>
> { "client_name": "aclient", "redirect_uris": ["https://clienturl/callback"] }
>
>
> and then use the registration access token returned to update / PUT the
> client (under clients-registrations/default/...)
>
>
> I get a 500 server error, but the service account is enabled correctly for
> that client.
>
>
> Here is my verbose CURL output
>
>
> curl -v -X PUT \
> >     -d '{ "clientId": "dynamic_client_id_returned_from_oidc", "serviceAccountsEnabled": true }' \
> >     -H "Content-Type:application/json" \
> >     -H "Authorization: bearer registration_access_token_from_oidc" \
> > https://host/auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 443 (#0)
> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> * Server certificate: xxx
> * Server certificate: xxx
> > PUT /auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc HTTP/1.1
> > Host: localhost
> > User-Agent: curl/7.43.0
> > Accept: */*
> > Content-Type:application/json
> > Authorization: bearer registration_access_token_from_oidc
> > Content-Length: 86
> >
> * upload completely sent off: 86 out of 86 bytes
> < HTTP/1.1 500 Internal Server Error
> < Connection: keep-alive
> < X-Powered-By: Undertow/1
> < Server: WildFly/10
> < Content-Type: text/html
> < Content-Length: 155
> < Date: Wed, 11 Jan 2017 11:24:02 GMT
> <
> * Connection #0 to host localhost left intact
> Could not find MessageBodyWriter for response object of type: org.keycloak.representations.idm.ClientRepresentation of media type: application/octet-stream
>
> Am 11.01.2017 9:12 vorm. schrieb "Sebastien Blanc" <sblanc at redhat.com>:
>
>> Yes I was talking about the registration_endpoint , I just did the test
>> with something like :
>>
>> curl -X PUT \
>>     -d '{ "clientId": "testclient", "serviceAccountsEnabled": true }' \
>>     -H "Content-Type:application/json" \
>>     -H "Authorization: bearer my_registration_access_token" \
>> http://localhost:8080/auth/realms/myrealm/clients-registrations/default/testclient
>>
>> My Service Accounts for this client is then enabled but Keycloak fails to
>> return a response for this PUT request. So I'm not able to get the new
>> registration access token.
>>
>> Could you try this request and if it fails for you as well I will open a
>> ticket?
>>
>> Seb
>>
>>
>>
>> On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms <sven.thoms at gmail.com> wrote:
>>
>>> Hello Sebastien
>>>
>>> Are you talking about the Admin REST endpoint or the
>>> registration_endpoint defined at
>>> /auth/realms/[realmname]/.well-known/openid-configuration?
>>>
>>> I am trying to submit a registration request via registration_endpoint
>>> and submit a field enabling the service account.
>>>
>>> According to the openid connect dynamic client registration
>>> documentation at openid.net, the request payload is non-normative, I
>>> am just not able to enable service account that way.
>>>
>>> Am 10.01.2017 10:32 vorm. schrieb "Sebastien Blanc" <sblanc at redhat.com>:
>>>
>>>> I haven't tried it but when registering the client, in the payload, the
>>>> ClientRepresentation, there is a serviceAccountsEnabled field, so maybe
>>>> "service-accounts-enabled": true will do the trick?
>>>>
>>>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms <sven.thoms at gmail.com>
>>>> wrote:
>>>>
>>>>> Is it possible via a setting to automatically enable clients registered
>>>>> dynamically via the well-known registration endpoint and registration
>>>>> access token? My current approach is to iterate over all clients
>>>>> post-creation and set serviceaccountsEnabled to true. I need a more
>>>>> prompt and real-time way.
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>
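The two-step flow the thread converges on, written out as a script (an added example, not code from the thread or from the Keycloak project): POST the OIDC registration to the openid-connect endpoint, take the client id and registration access token from the response, then PUT `serviceAccountsEnabled` through the `default` endpoint and interpret the result the way the thread observed it, including the 500 whose body mentions MessageBodyWriter. Assumed and not taken from the thread: `BASE_URL`, the optional initial access token for the first POST, the response field names `client_id`, `registration_access_token` and `registrationAccessToken`, and the helper names.

```python
"""Register a Keycloak client via the OIDC dynamic-registration endpoint,
then enable its service account through the 'default' registration
endpoint, handling the 500 response seen in this thread.

Assumptions (not from the thread): BASE_URL, the optional initial access
token for the first POST, and the JSON field names used below.
"""
import json
import urllib.error
import urllib.request

BASE_URL = "https://host/auth"  # assumed; the thread's examples use https://host/auth
REALM = "myrealm"               # realm name used in the thread
OIDC_ENDPOINT = f"{BASE_URL}/realms/{REALM}/clients-registrations/openid-connect"
DEFAULT_ENDPOINT = f"{BASE_URL}/realms/{REALM}/clients-registrations/default"

# Constructed copy of the 500 body quoted in the thread, for the offline demo.
SAMPLE_500_BODY = (
    "Could not find MessageBodyWriter for response object of type: "
    "org.keycloak.representations.idm.ClientRepresentation of media type: "
    "application/octet-stream"
)


def build_oidc_registration(client_name, redirect_uris):
    """Payload for the openid-connect endpoint (OIDCClientRepresentation shape)."""
    return {"client_name": client_name, "redirect_uris": list(redirect_uris)}


def parse_oidc_registration(body):
    """Extract what the follow-up PUT needs from the registration response.

    Field names follow the OIDC dynamic-registration response; that Keycloak
    uses exactly these names here is an assumption.
    """
    data = json.loads(body)
    return {
        "client_id": data["client_id"],
        "registration_access_token": data["registration_access_token"],
    }


def build_service_account_update(client_id):
    """Body for the 'default' endpoint, which takes the admin ClientRepresentation."""
    return {"clientId": client_id, "serviceAccountsEnabled": True}


def classify_update(status, body):
    """Interpret the PUT outcome.

    200: update applied and a fresh registration access token is in the body
         (field name 'registrationAccessToken' is assumed).
    500 with the MessageBodyWriter text: the thread's case, update applied but
         no usable response, so the rotated token is lost.
    anything else: treat as not applied.
    """
    if status == 200:
        return ("updated", json.loads(body).get("registrationAccessToken"))
    if status == 500 and "MessageBodyWriter" in body:
        return ("updated_token_lost", None)
    return ("failed", None)


def _send(method, url, payload, bearer=None):
    """Minimal JSON request; returns (status, body_text) even on HTTP errors."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method=method)
    req.add_header("Content-Type", "application/json")
    if bearer:
        req.add_header("Authorization", "bearer " + bearer)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def register_and_enable(client_name, redirect_uris, initial_access_token=None):
    """Run the two-step flow from the thread; returns (outcome, new_token, client_id)."""
    status, body = _send("POST", OIDC_ENDPOINT,
                         build_oidc_registration(client_name, redirect_uris),
                         bearer=initial_access_token)
    if status not in (200, 201):
        return ("registration_failed", None, None)
    reg = parse_oidc_registration(body)
    status, body = _send("PUT", f"{DEFAULT_ENDPOINT}/{reg['client_id']}",
                         build_service_account_update(reg["client_id"]),
                         bearer=reg["registration_access_token"])
    outcome, new_token = classify_update(status, body)
    return (outcome, new_token, reg["client_id"])


def demo():
    """Offline walk-through using the constructed 500 body; no network needed."""
    return classify_update(500, SAMPLE_500_BODY)


if __name__ == "__main__":
    print(demo())  # ('updated_token_lost', None)
```

The `updated_token_lost` outcome is the point to watch: Keycloak issues a new registration access token on each use of the registration service, so when the PUT fails as in the thread the client is updated but the caller has no valid token left for further registration-endpoint changes to that client and has to fall back to the Admin REST API. The registration access token and any initial access token are bearer credentials, so keep them out of logs and shell history when scripting this.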

