[keycloak-user] Service Account enable by default for clients, how?
Stian Thorgersen
sthorger at redhat.com
Wed Jan 11 08:03:08 EST 2017
Adding "Accept: application/json" should workaround that issue.
On 11 January 2017 at 13:27, Sebastien Blanc <sblanc at redhat.com> wrote:
> It's not on GH but jira : https://issues.jboss.org/browse/KEYCLOAK-4192
>
>
>
> On Wed, Jan 11, 2017 at 1:18 PM, Sven Thoms <sven.thoms at gmail.com> wrote:
>
> > Yes, it appears so. Let me know the Bug URL on github, please. Glad I
> > could help and learn about Keycloak internals at the same time.
> >
> > Am 11.01.2017 12:48 nachm. schrieb "Sebastien Blanc" <sblanc at redhat.com
> >:
> >
> >> Thanks ! So we have a bug on the PUT endpoint for the response , let me
> >> open a ticket for that.
> >>
> >>
> >>
> >> On Wed, Jan 11, 2017 at 12:42 PM, Sven Thoms <sven.thoms at gmail.com>
> >> wrote:
> >>
> >>> Hello Sebastien
> >>>
> >>>
> >>> Your PUT to the client registration endpoint made clear to me why I was
> >>> not able to set service accounts to enabled in the oidc endpoint
> request at
> >>>
> >>>
> >>> https://host/auth/realms/myrealm/clients-registrations/openid-connect
> >>>
> >>>
> >>> <https://host/auth/realms/myrealm/clients-registrations/openid-connect
> >
> >>>
> >>> <https://host/auth/realms/myrealm/clients-registrations/openid-connect
> >As
> >>> I see it, it has to do with provider type
> >>>
> >>>
> >>> oidc vs.
> >>>
> >>>
> >>> default
> >>>
> >>>
> >>> with different objects behind it
> >>>
> >>>
> >>> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7d
> >>> cfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/repre
> >>> sentations/oidc/OIDCClientRepresentation.java
> >>>
> >>> <https://github.com/keycloak/keycloak/blob/
> 1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/
> org/keycloak/representations/oidc/OIDCClientRepresentation.java>
> >>> keycloak/OIDCClientRepresentation.java at
> 1aeec2a83c6677cd7dcfccb6ba2c39d10143b920
> >>> · keycloak/keycloak · GitHub
> >>> <https://github.com/keycloak/keycloak/blob/
> 1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/
> org/keycloak/representations/oidc/OIDCClientRepresentation.java>
> >>> github.com
> >>> keycloak - Open Source Identity and Access Management For Modern
> >>> Applications and Services
> >>>
> >>>
> >>> vs.
> >>>
> >>>
> >>> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7d
> >>> cfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/repre
> >>> sentations/idm/ClientRepresentation.java
> >>>
> >>> <https://github.com/keycloak/keycloak/blob/
> 1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/
> org/keycloak/representations/idm/ClientRepresentation.java>
> >>> keycloak/ClientRepresentation.java at 1aeec2a83c6677cd7dcfccb6ba2c39
> d10143b920
> >>> · keycloak/keycloak · GitHub
> >>> <https://github.com/keycloak/keycloak/blob/
> 1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/
> org/keycloak/representations/idm/ClientRepresentation.java>
> >>> github.com
> >>> keycloak - Open Source Identity and Access Management For Modern
> >>> Applications and Services
> >>> After I POST to https://host/auth/realms/my
> >>> realm/clients-registrations/openid-connect a simple
> >>>
> >>>
> >>> { "client_name": "aclient", "redirect_uris" : ["
> >>> https://clienturl/callback"] }'
> >>>
> >>>
> >>> and then use the registration access token returned to update / PUT the
> >>> client (under clients-registrations/default/...
> >>>
> >>>
> >>> I get a 500 server error, but the service account is enabled correctly
> >>> for that client.
> >>>
> >>>
> >>> Here is my verbose CURL output
> >>>
> >>>
> >>> curl -v -X PUT \
> >>> > -d '{ "clientId": "dynamic_client_id_returned_from_oidc",
> >>> "serviceAccountsEnabled": true }' \
> >>> > -H "Content-Type:application/json" \
> >>> > -H "Authorization: bearer registration_access_token_from_oidc" \
> >>> > https://host/auth/realms/myrealm/clients-registrations/def
> >>> ault/dynamic_client_id_returned_from_oidc
> >>> * Trying 127.0.0.1...
> >>> * Connected to localhost (127.0.0.1) port 443 (#0)
> >>> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> >>> * Server certificate: xxx
> >>> * Server certificate: xxx
> >>> > PUT /auth/realms/myrealm/clients-registrations/default/dynamic_
> client_id_returned_from_oidc
> >>> HTTP/1.1
> >>> > Host: localhost
> >>> > User-Agent: curl/7.43.0
> >>> > Accept: */*
> >>> > Content-Type:application/json
> >>> > Authorization: bearer registration_access_token_from_oidc
> >>> > Content-Length: 86
> >>> >
> >>> * upload completely sent off: 86 out of 86 bytes
> >>> < HTTP/1.1 500 Internal Server Error
> >>> < Connection: keep-alive
> >>> < X-Powered-By: Undertow/1
> >>> < Server: WildFly/10
> >>> < Content-Type: text/html
> >>> < Content-Length: 155
> >>> < Date: Wed, 11 Jan 2017 11:24:02 GMT
> >>> <
> >>> * Connection #0 to host localhost left intact
> >>> Could not find MessageBodyWriter for response object of type:
> >>>
> >>> org.keycloak.representations.idm.ClientRepresentation of media type:
> >>> application/octet-stream
> >>>
> >>> Am 11.01.2017 9:12 vorm. schrieb "Sebastien Blanc" <sblanc at redhat.com
> >:
> >>>
> >>>> Yes I was talking about the registration_endpoint , I just did the
> test
> >>>> with something like :
> >>>>
> >>>> curl -X PUT \
> >>>> -d '{ "clientId": "testclient", "serviceAccountsEnabled": true }'
> \
> >>>> -H "Content-Type:application/json" \
> >>>> -H "Authorization: bearer my_registration_access_token" \
> >>>> http://localhost:8080/auth/realms/myrealm/clients-registrati
> >>>> ons/default/testclient
> >>>>
> >>>> My Service Accounts for this client is then enabled but Keycloak fails
> >>>> to returns a response for this PUT request. So I'm not able to get
> the new
> >>>> registration access token.
> >>>>
> >>>> Could you try this request and if it fails for you as well I will open
> >>>> a ticket ?
> >>>>
> >>>> Seb
> >>>>
> >>>>
> >>>>
> >>>> On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms <sven.thoms at gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Hello Sebastien
> >>>>>
> >>>>> Are you talking about the Admin REST endpoint or the
> >>>>> registration_endpoint defined at
> >>>>> /auth/reales/[realmname]/.well-known/openid-configuration?
> >>>>>
> >>>>> I am trying to submit a registration request via
> registration_endpoint
> >>>>> and submit a field enabling the service account.
> >>>>>
> >>>>> According to the openid connect dynamic client registration
> >>>>> documentation at openid.net, the request payload is non-normative,
> I
> >>>>> am just not able to enable service account that way.
> >>>>>
> >>>>> Am 10.01.2017 10:32 vorm. schrieb "Sebastien Blanc" <
> sblanc at redhat.com
> >>>>> >:
> >>>>>
> >>>>>> I haven't tried it but when registering the client, in the payload,
> >>>>>> the ClientRepresentation, there is a serviceAccountsEnabled field ,
> so
> >>>>>> maybe "service-accounts-enabled : true will do the trick ?
> >>>>>>
> >>>>>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms <sven.thoms at gmail.com>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> Is it possible via a setting to automatically enable clients
> >>>>>>> registered
> >>>>>>> dynamically via the well-known registration endpoint and
> registration
> >>>>>>> access token? My current approach is to iterate over all clients
> >>>>>>> post -
> >>>>>>> creation and set serviceaccountsEnabled to true. I need a more
> >>>>>>> prompt and
> >>>>>>> real-time way
> >>>>>>> _______________________________________________
> >>>>>>> keycloak-user mailing list
> >>>>>>> keycloak-user at lists.jboss.org
> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>
> >>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list