[keycloak-user] Service Account enable by default for clients, how?

Sebastien Blanc sblanc at redhat.com
Wed Jan 11 08:10:39 EST 2017


Indeed! The workaround works.

On Wed, Jan 11, 2017 at 2:03 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Adding "Accept: application/json" should workaround that issue.
>
> On 11 January 2017 at 13:27, Sebastien Blanc <sblanc at redhat.com> wrote:
>
>> It's not on GH but jira : https://issues.jboss.org/browse/KEYCLOAK-4192
>>
>>
>>
>> On Wed, Jan 11, 2017 at 1:18 PM, Sven Thoms <sven.thoms at gmail.com> wrote:
>>
>> > Yes, it appears so. Let me know the Bug URL on github, please.  Glad I
>> > could help and learn about Keycloak internals at the same time.
>> >
>> > On 11.01.2017 12:48 PM, "Sebastien Blanc" <sblanc at redhat.com> wrote:
>> >
>> >> Thanks! So we have a bug on the PUT endpoint for the response, let me
>> >> open a ticket for that.
>> >>
>> >>
>> >>
>> >> On Wed, Jan 11, 2017 at 12:42 PM, Sven Thoms <sven.thoms at gmail.com>
>> >> wrote:
>> >>
>> >>> Hello Sebastien
>> >>>
>> >>>
>> >>> Your PUT to the client registration endpoint made clear to me why I was
>> >>> not able to set service accounts to enabled in the oidc endpoint request at
>> >>>
>> >>> https://host/auth/realms/myrealm/clients-registrations/openid-connect
>> >>>
>> >>> As I see it, it has to do with provider type
>> >>>
>> >>> oidc vs. default
>> >>>
>> >>> with different objects behind it:
>> >>>
>> >>> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/oidc/OIDCClientRepresentation.java
>> >>>
>> >>> vs.
>> >>>
>> >>> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java
>> >>>
>> >>> After I POST to https://host/auth/realms/myrealm/clients-registrations/openid-connect a simple
>> >>>
>> >>> { "client_name": "aclient", "redirect_uris" : ["https://clienturl/callback"] }
>> >>>
>> >>>
>> >>> and then use the registration access token returned to update / PUT the
>> >>> client (under clients-registrations/default/...)
>> >>>
>> >>>
>> >>> I get a 500 server error, but the service account is enabled correctly
>> >>> for that client.
>> >>>
>> >>>
>> >>> Here is my verbose CURL output
>> >>>
>> >>>
>> >>> curl -v -X PUT \
>> >>>     -d '{ "clientId": "dynamic_client_id_returned_from_oidc", "serviceAccountsEnabled": true }' \
>> >>>     -H "Content-Type:application/json" \
>> >>>     -H "Authorization: bearer registration_access_token_from_oidc" \
>> >>>     https://host/auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc
>> >>> *   Trying 127.0.0.1...
>> >>> * Connected to localhost (127.0.0.1) port 443 (#0)
>> >>> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> >>> * Server certificate: xxx
>> >>> * Server certificate: xxx
>> >>> > PUT /auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc HTTP/1.1
>> >>> > Host: localhost
>> >>> > User-Agent: curl/7.43.0
>> >>> > Accept: */*
>> >>> > Content-Type:application/json
>> >>> > Authorization: bearer registration_access_token_from_oidc
>> >>> > Content-Length: 86
>> >>> >
>> >>> * upload completely sent off: 86 out of 86 bytes
>> >>> < HTTP/1.1 500 Internal Server Error
>> >>> < Connection: keep-alive
>> >>> < X-Powered-By: Undertow/1
>> >>> < Server: WildFly/10
>> >>> < Content-Type: text/html
>> >>> < Content-Length: 155
>> >>> < Date: Wed, 11 Jan 2017 11:24:02 GMT
>> >>> <
>> >>> * Connection #0 to host localhost left intact
>> >>> Could not find MessageBodyWriter for response object of type:
>> >>> org.keycloak.representations.idm.ClientRepresentation of media type:
>> >>> application/octet-stream
>> >>>
>> >>> On 11.01.2017 9:12 AM, "Sebastien Blanc" <sblanc at redhat.com> wrote:
>> >>>
>> >>>> Yes I was talking about the registration_endpoint , I just did the
>> test
>> >>>> with something like :
>> >>>>
>> >>>> curl -X PUT \
>> >>>>     -d '{ "clientId": "testclient", "serviceAccountsEnabled": true }' \
>> >>>>     -H "Content-Type:application/json" \
>> >>>>     -H "Authorization: bearer my_registration_access_token" \
>> >>>>     http://localhost:8080/auth/realms/myrealm/clients-registrations/default/testclient
>> >>>>
>> >>>> My Service Accounts for this client is then enabled but Keycloak fails
>> >>>> to return a response for this PUT request. So I'm not able to get the new
>> >>>> registration access token.
>> >>>>
>> >>>> Could you try this request and if it fails for you as well I will open
>> >>>> a ticket?
>> >>>>
>> >>>> Seb
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms <sven.thoms at gmail.com>
>> >>>> wrote:
>> >>>>
>> >>>>> Hello Sebastien
>> >>>>>
>> >>>>> Are you talking about the Admin REST endpoint or the
>> >>>>> registration_endpoint defined at
>> >>>>> /auth/realms/[realmname]/.well-known/openid-configuration?
>> >>>>>
>> >>>>> I am trying to submit a registration request via registration_endpoint
>> >>>>> and submit a field enabling the service account.
>> >>>>>
>> >>>>> According to the openid connect dynamic client registration
>> >>>>> documentation at openid.net, the request payload is non-normative, I
>> >>>>> am just not able to enable service account that way.
>> >>>>>
>> >>>>> On 10.01.2017 10:32 AM, "Sebastien Blanc" <sblanc at redhat.com> wrote:
>> >>>>>
>> >>>>>> I haven't tried it but when registering the client, in the payload,
>> >>>>>> the ClientRepresentation, there is a serviceAccountsEnabled field, so
>> >>>>>> maybe "service-accounts-enabled": true will do the trick?
>> >>>>>>
>> >>>>>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms <sven.thoms at gmail.com> wrote:
>> >>>>>>
>> >>>>>>> Is it possible via a setting to automatically enable clients
>> >>>>>>> registered dynamically via the well-known registration endpoint and
>> >>>>>>> registration access token? My current approach is to iterate over all
>> >>>>>>> clients post-creation and set serviceaccountsEnabled to true. I need
>> >>>>>>> a more prompt and real-time way
>> >>>>>>> _______________________________________________
>> >>>>>>> keycloak-user mailing list
>> >>>>>>> keycloak-user at lists.jboss.org
>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>
>> >>
>
>

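The two-step flow the thread converges on, written out as an added example (Python; this is not code from the thread or from the Keycloak project): register a client through the openid-connect registration provider, then PUT a ClientRepresentation to the default provider with "Accept: application/json" so that the response, and with it the rotated registration access token, actually comes back. The base URL, realm name, initial access token and the in-memory fake server are constructed for the demonstration; the fake mirrors two behaviours seen in the thread, that Keycloak rotates the registration access token on every successful call and that a PUT with curl's default "Accept: */*" applied the update but answered 500 text/html, so the new token was lost.

```python
"""Keycloak dynamic registration, then enabling the service account via the
'default' client registration provider. Transport is injectable so the flow
can be exercised offline against the constructed fake below."""
import json
import urllib.error
import urllib.request


def _urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, headers, body), no raise on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def register_client(base, realm, initial_access_token, client_name, redirect_uris,
                    transport=_urllib_transport):
    """POST to the openid-connect provider. Returns (client_id, registration_access_token)."""
    url = f"{base}/auth/realms/{realm}/clients-registrations/openid-connect"
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": f"Bearer {initial_access_token}"}
    body = json.dumps({"client_name": client_name, "redirect_uris": redirect_uris}).encode()
    status, _, data = transport("POST", url, headers, body)
    if status != 201:
        raise RuntimeError(f"registration failed: HTTP {status}")
    rep = json.loads(data)
    return rep["client_id"], rep["registration_access_token"]


def enable_service_account(base, realm, client_id, registration_access_token,
                           transport=_urllib_transport, accept="application/json"):
    """PUT a ClientRepresentation to the default provider. Returns the NEW
    registration access token; the one passed in is invalid after this call."""
    url = f"{base}/auth/realms/{realm}/clients-registrations/default/{client_id}"
    headers = {"Content-Type": "application/json", "Accept": accept,
               "Authorization": f"Bearer {registration_access_token}"}
    body = json.dumps({"clientId": client_id, "serviceAccountsEnabled": True}).encode()
    status, resp_headers, data = transport("PUT", url, headers, body)
    if status != 200:
        # A 500 here (the thread's case) may still have applied the update server-side.
        raise RuntimeError(f"update failed: HTTP {status} {resp_headers.get('Content-Type')}")
    rep = json.loads(data)
    if rep.get("serviceAccountsEnabled") is not True:
        raise RuntimeError("server did not confirm serviceAccountsEnabled")
    return rep["registrationAccessToken"]


def make_fake_keycloak(initial_access_token="initial-token"):
    """Constructed stand-in for the two endpoints (not Keycloak). Returns (transport, state)."""
    state = {"tokens_issued": 0, "clients": {}, "calls": []}

    def issue():
        state["tokens_issued"] += 1
        return f"rat-{state['tokens_issued']}"

    def transport(method, url, headers, body):
        state["calls"].append((method, url, dict(headers)))
        bearer = headers.get("Authorization", "").split(" ", 1)[-1]
        payload = json.loads(body or b"{}")
        if method == "POST" and url.endswith("/clients-registrations/openid-connect"):
            if bearer != initial_access_token:
                return 401, {}, b""
            client_id = f"client-{len(state['clients']) + 1}"
            state["clients"][client_id] = {"rat": issue(), "serviceAccountsEnabled": False}
            rep = {"client_id": client_id, "client_name": payload.get("client_name"),
                   "registration_access_token": state["clients"][client_id]["rat"]}
            return 201, {"Content-Type": "application/json"}, json.dumps(rep).encode()
        if method == "PUT" and "/clients-registrations/default/" in url:
            client_id = url.rsplit("/", 1)[1]
            client = state["clients"].get(client_id)
            if client is None or bearer != client["rat"]:
                return 401, {}, b""  # unknown client, or a token already rotated away
            client["serviceAccountsEnabled"] = bool(payload.get("serviceAccountsEnabled"))
            client["rat"] = issue()  # rotated on every successful use
            if "application/json" not in headers.get("Accept", "*/*"):
                # Update applied, response serialisation fails: the new token is lost.
                return 500, {"Content-Type": "text/html"}, b"Could not find MessageBodyWriter"
            rep = {"clientId": client_id, "serviceAccountsEnabled": client["serviceAccountsEnabled"],
                   "registrationAccessToken": client["rat"]}
            return 200, {"Content-Type": "application/json"}, json.dumps(rep).encode()
        return 404, {}, b""

    return transport, state


def run_demo(transport=None):
    """Whole flow; returns (client_id, first_token, rotated_token). Host/realm are placeholders."""
    if transport is None:
        transport, _ = make_fake_keycloak()
    base, realm = "https://host", "myrealm"
    client_id, rat = register_client(base, realm, "initial-token", "aclient",
                                     ["https://clienturl/callback"], transport)
    return client_id, rat, enable_service_account(base, realm, client_id, rat, transport)


if __name__ == "__main__":
    print(run_demo())
```

Against a real server, pass no transport (or `_urllib_transport`) and supply a real initial access token; the point to keep from the thread is that the token returned by the PUT is the only one that still works afterwards, so a lost response means a lost client handle.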