[keycloak-user] Service Account enable by default for clients, how?
Sven Thoms
sven.thoms at gmail.com
Wed Jan 11 07:18:53 EST 2017
Yes, it appears so. Let me know the Bug URL on github, please. Glad I
could help and learn about Keycloak internals at the same time.
On 11.01.2017 12:48 PM, "Sebastien Blanc" <sblanc at redhat.com> wrote:
> Thanks! So we have a bug on the PUT endpoint for the response, let me
> open a ticket for that.
>
>
>
> On Wed, Jan 11, 2017 at 12:42 PM, Sven Thoms <sven.thoms at gmail.com> wrote:
>
>> Hello Sebastien
>>
>>
>> Your PUT to the client registration endpoint made clear to me why I was
>> not able to set service accounts to enabled in the oidc endpoint request at
>>
>>
>> https://host/auth/realms/myrealm/clients-registrations/openid-connect
>>
>> As I see it, it has to do with the provider type, oidc vs. default, with
>> different objects behind it:
>>
>>
>> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/oidc/OIDCClientRepresentation.java
>>
>>
>> vs.
>>
>>
>> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java
>> After I POST to https://host/auth/realms/myrealm/clients-registrations/openid-connect
>> a simple
>>
>> { "client_name": "aclient", "redirect_uris": ["https://clienturl/callback"] }
>>
>>
>> and then use the registration access token returned to update / PUT the
>> client (under clients-registrations/default/...),
>>
>>
>> I get a 500 server error, but the service account is enabled correctly
>> for that client.
>>
>>
>> Here is my verbose CURL output
>>
>>
>> curl -v -X PUT \
>>   -d '{ "clientId": "dynamic_client_id_returned_from_oidc", "serviceAccountsEnabled": true }' \
>>   -H "Content-Type:application/json" \
>>   -H "Authorization: bearer registration_access_token_from_oidc" \
>>   https://host/auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc
>> * Trying 127.0.0.1...
>> * Connected to localhost (127.0.0.1) port 443 (#0)
>> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> * Server certificate: xxx
>> * Server certificate: xxx
>> > PUT /auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc HTTP/1.1
>> > Host: localhost
>> > User-Agent: curl/7.43.0
>> > Accept: */*
>> > Content-Type:application/json
>> > Authorization: bearer registration_access_token_from_oidc
>> > Content-Length: 86
>> >
>> * upload completely sent off: 86 out of 86 bytes
>> < HTTP/1.1 500 Internal Server Error
>> < Connection: keep-alive
>> < X-Powered-By: Undertow/1
>> < Server: WildFly/10
>> < Content-Type: text/html
>> < Content-Length: 155
>> < Date: Wed, 11 Jan 2017 11:24:02 GMT
>> <
>> * Connection #0 to host localhost left intact
>> Could not find MessageBodyWriter for response object of type:
>> org.keycloak.representations.idm.ClientRepresentation of media type:
>> application/octet-stream
>>
>> On 11.01.2017 9:12 AM, "Sebastien Blanc" <sblanc at redhat.com> wrote:
>>
>>> Yes I was talking about the registration_endpoint , I just did the test
>>> with something like :
>>>
>>> curl -X PUT \
>>> -d '{ "clientId": "testclient", "serviceAccountsEnabled": true }' \
>>> -H "Content-Type:application/json" \
>>> -H "Authorization: bearer my_registration_access_token" \
>>> http://localhost:8080/auth/realms/myrealm/clients-registrations/default/testclient
>>>
>>> My Service Accounts for this client is then enabled but Keycloak fails
>>> to return a response for this PUT request. So I'm not able to get the new
>>> registration access token.
>>>
>>> Could you try this request and if it fails for you as well I will open a
>>> ticket?
>>>
>>> Seb
>>>
>>>
>>>
>>> On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms <sven.thoms at gmail.com>
>>> wrote:
>>>
>>>> Hello Sebastien
>>>>
>>>> Are you talking about the Admin REST endpoint or the
>>>> registration_endpoint defined at
>>>> /auth/realms/[realmname]/.well-known/openid-configuration?
>>>>
>>>> I am trying to submit a registration request via registration_endpoint
>>>> and submit a field enabling the service account.
>>>>
>>>> According to the openid connect dynamic client registration
>>>> documentation at openid.net, the request payload is non-normative, I
>>>> am just not able to enable service account that way.
>>>>
>>>> On 10.01.2017 10:32 AM, "Sebastien Blanc" <sblanc at redhat.com> wrote:
>>>>
>>>>> I haven't tried it but when registering the client, in the payload,
>>>>> the ClientRepresentation, there is a serviceAccountsEnabled field, so
>>>>> maybe "service-accounts-enabled": true will do the trick?
>>>>>
>>>>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms <sven.thoms at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Is it possible via a setting to automatically enable clients registered
>>>>>> dynamically via the well-known registration endpoint and registration
>>>>>> access token? My current approach is to iterate over all clients
>>>>>> post-creation and set serviceAccountsEnabled to true. I need a more
>>>>>> prompt and real-time way.
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>>>
>>>
>
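The two-step flow discussed in this thread (register through the openid-connect provider, then PUT to the default provider with the returned registration access token to set serviceAccountsEnabled), written out as an added example. This is not code from the Keycloak project or from either poster. The HTTP transport is injected so the flow runs offline against a constructed stand-in; the response field names (client_id / registration_access_token on the OIDC side, clientId / registrationAccessToken on the ClientRepresentation side), the 201 status for the POST and the use of an initial access token for the POST are assumptions beyond what the thread shows. The point it adds is how to treat the 500 from the PUT: the update may have been applied server-side, but the rotated registration access token never reached the caller, so the result must be recorded as unconfirmed rather than as success.

```python
"""Keycloak dynamic client registration followed by a service-account update.

Added example (not Keycloak project code).  The transport is injected so the
flow can be exercised offline; the endpoint paths follow the thread, the
response field names are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Transport signature: (method, url, headers, body) -> (status, headers, body)
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, Dict[str, str], str]]


@dataclass
class Registration:
    client_id: str
    registration_access_token: str  # bearer credential; it rotates on every use, persist the latest one
    service_accounts_enabled: str   # "confirmed" or "unconfirmed"


def register_with_service_account(base_url: str, realm: str, initial_access_token: str,
                                  client_name: str, redirect_uris: List[str],
                                  http: Transport) -> Registration:
    reg_url = f"{base_url}/auth/realms/{realm}/clients-registrations"

    # Step 1: OIDC dynamic registration (RFC 7591 style payload, as in the thread).
    status, _, body = http(
        "POST", f"{reg_url}/openid-connect",
        {"Content-Type": "application/json",
         "Authorization": f"bearer {initial_access_token}"},
        json.dumps({"client_name": client_name, "redirect_uris": redirect_uris}),
    )
    if status not in (200, 201):
        raise RuntimeError(f"OIDC registration failed: HTTP {status}: {body}")
    oidc = json.loads(body)
    client_id = oidc["client_id"]
    token = oidc["registration_access_token"]  # valid for exactly one follow-up request

    # Step 2: update through the 'default' provider, whose body is the
    # ClientRepresentation and therefore carries serviceAccountsEnabled.
    status, _, body = http(
        "PUT", f"{reg_url}/default/{client_id}",
        {"Content-Type": "application/json", "Authorization": f"bearer {token}"},
        json.dumps({"clientId": client_id, "serviceAccountsEnabled": True}),
    )
    if status == 200:
        rep = json.loads(body)
        # The response carries the rotated token; the step-1 token is now spent.
        return Registration(client_id, rep.get("registrationAccessToken", token), "confirmed")
    if status == 500 and "MessageBodyWriter" in body:
        # Failure mode from the thread: the update may have been applied but the
        # response (and with it the rotated token) never arrived.  Do not report
        # success; the caller has to verify the client through the admin API.
        return Registration(client_id, token, "unconfirmed")
    raise RuntimeError(f"service account update failed: HTTP {status}: {body}")


def fake_keycloak(update_response_works: bool) -> Transport:
    """Constructed stand-in for the two endpoints, modelled on the curl output in the thread."""
    def _http(method: str, url: str, headers: Dict[str, str], body: str):
        if method == "POST" and url.endswith("/clients-registrations/openid-connect"):
            if not headers.get("Authorization", "").startswith("bearer "):
                return 401, {}, "missing initial access token"
            return 201, {"Content-Type": "application/json"}, json.dumps({
                "client_id": "dyn-1234", "client_secret": "constructed-secret",
                "registration_access_token": "rat-1",
                "registration_client_uri": url + "/dyn-1234"})
        if method == "PUT" and url.endswith("/clients-registrations/default/dyn-1234"):
            if headers.get("Authorization") != "bearer rat-1":
                return 401, {}, "invalid registration access token"
            if update_response_works:
                return 200, {"Content-Type": "application/json"}, json.dumps({
                    "clientId": "dyn-1234", "serviceAccountsEnabled": True,
                    "registrationAccessToken": "rat-2"})
            return 500, {"Content-Type": "text/html"}, (
                "Could not find MessageBodyWriter for response object of type: "
                "org.keycloak.representations.idm.ClientRepresentation of media type: "
                "application/octet-stream")
        return 404, {}, "not found"
    return _http


if __name__ == "__main__":
    for works in (False, True):
        reg = register_with_service_account("https://host", "myrealm", "constructed-iat",
                                            "aclient", ["https://clienturl/callback"],
                                            fake_keycloak(works))
        print(reg)
```

Against a real server, replace `fake_keycloak(...)` with a transport built on `urllib.request` or `requests`; the flow itself does not change. Whatever the outcome of the PUT, store the latest registration access token you hold before making any further request with it, since losing it means the client can only be managed through the admin API from then on.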