[keycloak-user] Service Account enable by default for clients, how?

Sebastien Blanc sblanc at redhat.com
Wed Jan 11 07:27:47 EST 2017


It's not on GH but Jira: https://issues.jboss.org/browse/KEYCLOAK-4192



On Wed, Jan 11, 2017 at 1:18 PM, Sven Thoms <sven.thoms at gmail.com> wrote:

> Yes, it appears so. Let me know the Bug URL on github, please.  Glad I
> could help and learn about Keycloak internals at the same time.
>
> On 11.01.2017 12:48 PM, "Sebastien Blanc" <sblanc at redhat.com> wrote:
>
>> Thanks! So we have a bug on the PUT endpoint for the response, let me
>> open a ticket for that.
>>
>>
>>
>> On Wed, Jan 11, 2017 at 12:42 PM, Sven Thoms <sven.thoms at gmail.com>
>> wrote:
>>
>>> Hello Sebastien
>>>
>>>
>>> Your PUT to the client registration endpoint made clear to me why I was
>>> not able to set service accounts to enabled in the oidc endpoint request at
>>>
>>>
>>> https://host/auth/realms/myrealm/clients-registrations/openid-connect
>>>
>>> As I see it, it has to do with the provider type, oidc vs. default, with
>>> different objects behind it:
>>>
>>>
>>> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/oidc/OIDCClientRepresentation.java
>>>
>>>
>>> vs.
>>>
>>>
>>> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java
>>>
>>>
>>> After I POST to https://host/auth/realms/myrealm/clients-registrations/openid-connect a simple
>>>
>>>
>>> { "client_name": "aclient", "redirect_uris": ["https://clienturl/callback"] }
>>>
>>>
>>> and then use the registration access token returned to update / PUT the
>>> client (under clients-registrations/default/...
>>>
>>>
>>> I get a 500 server error, but the service account is enabled correctly
>>> for that client.
>>>
>>>
>>> Here is my verbose CURL output
>>>
>>>
>>> curl -v -X PUT \
>>> >     -d '{ "clientId": "dynamic_client_id_returned_from_oidc",
>>> "serviceAccountsEnabled": true }' \
>>> >     -H "Content-Type:application/json" \
>>> >     -H "Authorization: bearer registration_access_token_from_oidc" \
>>> > https://host/auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc
>>> *   Trying 127.0.0.1...
>>> * Connected to localhost (127.0.0.1) port 443 (#0)
>>> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>> * Server certificate: xxx
>>> * Server certificate: xxx
>>> > PUT /auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc HTTP/1.1
>>> > Host: localhost
>>> > User-Agent: curl/7.43.0
>>> > Accept: */*
>>> > Content-Type:application/json
>>> > Authorization: bearer registration_access_token_from_oidc
>>> > Content-Length: 86
>>> >
>>> * upload completely sent off: 86 out of 86 bytes
>>> < HTTP/1.1 500 Internal Server Error
>>> < Connection: keep-alive
>>> < X-Powered-By: Undertow/1
>>> < Server: WildFly/10
>>> < Content-Type: text/html
>>> < Content-Length: 155
>>> < Date: Wed, 11 Jan 2017 11:24:02 GMT
>>> <
>>> * Connection #0 to host localhost left intact
>>> Could not find MessageBodyWriter for response object of type: org.keycloak.representations.idm.ClientRepresentation of media type: application/octet-stream
>>>
>>> On 11.01.2017 9:12 AM, "Sebastien Blanc" <sblanc at redhat.com> wrote:
>>>
>>>> Yes I was talking about the registration_endpoint , I just did the test
>>>> with something like :
>>>>
>>>> curl -X PUT \
>>>>     -d '{ "clientId": "testclient", "serviceAccountsEnabled": true }' \
>>>>     -H "Content-Type:application/json" \
>>>>     -H "Authorization: bearer my_registration_access_token" \
>>>> http://localhost:8080/auth/realms/myrealm/clients-registrations/default/testclient
>>>>
>>>> My Service Accounts for this client is then enabled but Keycloak fails
>>>> to return a response for this PUT request. So I'm not able to get the new
>>>> registration access token.
>>>>
>>>> Could you try this request and if it fails for you as well I will open
>>>> a ticket ?
>>>>
>>>> Seb
>>>>
>>>>
>>>>
>>>> On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms <sven.thoms at gmail.com>
>>>> wrote:
>>>>
>>>>> Hello Sebastien
>>>>>
>>>>> Are you talking about the Admin REST endpoint or the
>>>>> registration_endpoint defined at
>>>>> /auth/realms/[realmname]/.well-known/openid-configuration?
>>>>>
>>>>> I am trying to submit a registration request via registration_endpoint
>>>>> and submit a field enabling the service account.
>>>>>
>>>>> According to the OpenID Connect dynamic client registration
>>>>> documentation at openid.net, the request payload is non-normative, I
>>>>> am just not able to enable the service account that way.
>>>>>
>>>>> On 10.01.2017 10:32 AM, "Sebastien Blanc" <sblanc at redhat.com> wrote:
>>>>>
>>>>>> I haven't tried it but when registering the client, in the payload,
>>>>>> the ClientRepresentation, there is a serviceAccountsEnabled field, so
>>>>>> maybe "service-accounts-enabled": true will do the trick?
>>>>>>
>>>>>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms <sven.thoms at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Is it possible via a setting to automatically enable clients registered
>>>>>>> dynamically via the well-known registration endpoint and registration
>>>>>>> access token? My current approach is to iterate over all clients
>>>>>>> post-creation and set serviceAccountsEnabled to true. I need a more
>>>>>>> prompt and real-time way.
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>
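The two-step flow worked out in the thread (an OIDC POST to `clients-registrations/openid-connect`, then a PUT of a Keycloak-native `ClientRepresentation` to `clients-registrations/default/<clientId>` to set `serviceAccountsEnabled`), written up as an added example that is not code from the thread or from the Keycloak project. It assumes the placeholder host, realm, client id, token and error text from the curl session above, an initial access token for the POST (Keycloak may also allow anonymous registration depending on realm policy), the standard OIDC registration response fields `client_id` and `registration_access_token`, and a `registrationAccessToken` field in the returned client representation. The `FakeKeycloak` transport is constructed to reproduce the reported behaviour: the PUT applies the change but answers 500 with the MessageBodyWriter error, so the client re-reads the real state with GET rather than trusting the PUT response.

```python
"""Two-step dynamic client registration against Keycloak: OIDC POST, then a PUT
on the 'default' endpoint to set serviceAccountsEnabled, verifying with GET when
the PUT returns the 500 reported in the thread.
Added example; not code from the thread or the Keycloak project."""
import json
import urllib.error
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTP transport for a live server; returns (status, headers, body). Not used offline."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def _content_type(headers):
    return next((v for k, v in headers.items() if k.lower() == "content-type"), "")


def register_oidc_client(base, realm, initial_token, client_name, redirect_uris, transport):
    """Step 1: OIDC registration. Returns (client_id, registration_access_token).
    'initial_token' is an assumed initial access token (realm policy may allow anonymous registration)."""
    url = f"{base}/auth/realms/{realm}/clients-registrations/openid-connect"
    headers = {"Content-Type": "application/json", "Authorization": f"bearer {initial_token}"}
    payload = json.dumps({"client_name": client_name, "redirect_uris": redirect_uris}).encode()
    status, _, body = transport("POST", url, headers, payload)
    if status != 201:
        raise RuntimeError(f"registration failed: HTTP {status}: {body[:200]!r}")
    data = json.loads(body)
    return data["client_id"], data["registration_access_token"]


def enable_service_account(base, realm, client_id, reg_token, transport):
    """Step 2: PUT on the 'default' endpoint. Returns (enabled, reg_token_to_keep).
    A 500 with a non-JSON body is the MessageBodyWriter failure from the thread: the change
    was applied but the response was not serialised, so the real state is read back with GET."""
    url = f"{base}/auth/realms/{realm}/clients-registrations/default/{client_id}"
    headers = {"Content-Type": "application/json", "Authorization": f"bearer {reg_token}"}
    payload = json.dumps({"clientId": client_id, "serviceAccountsEnabled": True}).encode()
    status, hdrs, body = transport("PUT", url, headers, payload)
    if status == 500 and not _content_type(hdrs).startswith("application/json"):
        status, hdrs, body = transport("GET", url, {"Authorization": f"bearer {reg_token}"}, None)
        if status != 200:
            # Assumption: a 401 here would mean the token rotated during the failed PUT.
            raise RuntimeError(f"verification GET failed: HTTP {status}")
    elif status != 200:
        raise RuntimeError(f"update failed: HTTP {status}: {body[:200]!r}")
    data = json.loads(body)
    # Assumption: a successful response carries the rotated token as registrationAccessToken.
    return bool(data.get("serviceAccountsEnabled")), data.get("registrationAccessToken", reg_token)


def register_with_service_account(base, realm, initial_token, client_name, redirect_uris, transport):
    """Run both steps and return what a caller needs to keep (the token is a bearer credential)."""
    client_id, reg_token = register_oidc_client(base, realm, initial_token, client_name, redirect_uris, transport)
    enabled, reg_token = enable_service_account(base, realm, client_id, reg_token, transport)
    return {"client_id": client_id, "service_accounts_enabled": enabled, "registration_access_token": reg_token}


class FakeKeycloak:
    """Constructed in-memory stand-in reproducing the behaviour reported in the thread;
    the client id, token and error text are the placeholder values from the curl session."""

    def __init__(self):
        self.clients = {}

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith("/clients-registrations/openid-connect"):
            req = json.loads(body)
            cid, tok = "dynamic_client_id_returned_from_oidc", "registration_access_token_from_oidc"
            self.clients[cid] = {"clientId": cid, "name": req["client_name"],
                                 "redirectUris": req["redirect_uris"],
                                 "serviceAccountsEnabled": False, "registrationAccessToken": tok}
            resp = {"client_id": cid, "registration_access_token": tok, "redirect_uris": req["redirect_uris"]}
            return 201, {"Content-Type": "application/json"}, json.dumps(resp).encode()
        client = self.clients.get(url.rsplit("/", 1)[-1])
        if client is None:
            return 404, {"Content-Type": "application/json"}, b"{}"
        if headers.get("Authorization") != f"bearer {client['registrationAccessToken']}":
            return 401, {"Content-Type": "application/json"}, b"{}"
        if method == "PUT":
            client.update(json.loads(body))  # the update is applied ...
            return 500, {"Content-Type": "text/html"}, (  # ... but the response fails, as observed
                b"Could not find MessageBodyWriter for response object of type: "
                b"org.keycloak.representations.idm.ClientRepresentation of media type: application/octet-stream")
        if method == "GET":
            return 200, {"Content-Type": "application/json"}, json.dumps(client).encode()
        return 405, {}, b""


if __name__ == "__main__":
    print(register_with_service_account("https://host", "myrealm", "initial_access_token",
                                        "aclient", ["https://clienturl/callback"], FakeKeycloak()))
```

Against a live server, pass `urllib_transport` instead of `FakeKeycloak()`. The point of the GET fallback is that a 500 on this endpoint does not mean the change was rejected; the registration access token returned by each step is the only credential that can touch the client afterwards, so keep the latest one and never write it to logs.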

