[keycloak-user] Can't set password when registering a user
Marko Strukelj
mstrukel at redhat.com
Mon May 15 11:18:24 EDT 2017
There is a long term plan to create an Admin REST API v2 which would be
much more ergonomic, and address this specific case as well. But it's not
yet on our schedule.
On Mon, May 15, 2017 at 4:59 PM, Scott Finlay <scott.finlay at sixt.com> wrote:
> That's what we're doing already at the moment, but it's not really ideal.
> Having to make two requests to the admin API in order to register a user
> means the whole process takes twice as long (roughly 300ms). It's not an
> absolutely critical issue, but still not really nice, especially if we have
> to do a batch import from a legacy system for example.
>
>
> If it's intentionally this way and there's no plan to change it then the
> documentation should be changed because it says you can provide a
> credential list (which you technically can, but that's very misleading).
> ------------------------------
> *From:* Marko Strukelj <mstrukel at redhat.com>
> *Sent:* Monday, May 15, 2017 4:50:12 PM
> *To:* Scott Finlay
> *Cc:* Alex Berg; keycloak-user at lists.jboss.org
>
> *Subject:* Re: [keycloak-user] Can't set password when registering a user
>
> You need to invoke resetPassword on UserResource, after creating a new
> user:
>
> https://github.com/keycloak/keycloak/blob/3.1.0.Final/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ApiUtil.java#L153-L159
>
>
>
> On Mon, May 15, 2017 at 12:01 PM, Scott Finlay <scott.finlay at sixt.com>
> wrote:
>
>> Diving into the code, I see this, which seems to be the endpoint for
>> creating a user:
>>
>>
>> https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L207
>>
>> This then calls:
>> https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L244
>>
>> That seems to just set the basic user data like name, email, enabled,
>> etc. Then it sets the "required actions", and then the custom attributes. I
>> see nothing regarding credentials there.
>>
>>
>> Is this just hidden away somewhere else, or is it just really missing
>> from here?
>>
>> ________________________________
>> From: Scott Finlay
>> Sent: Monday, May 15, 2017 11:14:26 AM
>> To: Alex Berg
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Can't set password when registering a user
>>
>>
>> Hmm, that request body doesn't look very different from my example. I've
>> tried now removing the additional fields I had and adding the few you have
>> and I still get exactly the same outcome: when I try impersonating the user
>> in the Keycloak admin panel he has no password set (but he does when I
>> explicitly call the reset-password endpoint).
>>
>>
>> Is there some setting/role/permission I'm missing maybe? I'm using
>> version 2.5.5.Final.
>>
>> ________________________________
>> From: Alex Berg <chexxor at gmail.com>
>> Sent: Friday, May 12, 2017 6:09:59 PM
>> To: Scott Finlay
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Can't set password when registering a user
>>
>> I do something like that, and it works for me.
>>
>> The content of my XHR is JSON of this:
>>
>> { credentials : [
>>     { type: "password"
>>     , temporary: false
>>     , value: regBody.password
>>     }
>>   ]
>> , email: regBody.email
>> , username: regBody.email
>> , emailVerified: false
>> , enabled: true
>> , requiredActions: [ "VERIFY_EMAIL" ]
>> }
>>
>> The created user's ID is available on the "location" response header.
>>
>> On Fri, May 12, 2017 at 2:27 AM, Scott Finlay <scott.finlay at sixt.com> wrote:
>> Hi,
>>
>> According to the Keycloak admin API documentation:
>> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_create_a_new_user
>> -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_userrepresentation
>> -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_credentialrepresentation
>>
>> We should be able to provide credentials when creating a new user, but
>> when I provide credentials it doesn't seem to set the password for the new
>> user. Here is what my request looks like:
>>
>> POST /auth/admin/realms/myrealm/users/
>> {"enabled":true,"username":"blah at blop.com","email":"blah at blop.com","firstName":"Blah","lastName":"Blop","attributes":{"userId":["1234"]},"credentials":[{"type":"password","temporary":false,"value":"secr$tP4ssword"}]}
>>
>> Just as an experiment, I tried passing a single "credential" instead of
>> an array of credentials and I got this error back:
>>
>> internal server error;KeyCloak HTTP Error Response [400]:
>> com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize
>> instance of java.util.ArrayList out of START_OBJECT token at [Source:
>> io.undertow.servlet.spec.ServletInputStreamImpl at 264472bc; line: 1,
>> column: 156] (through reference chain:
>> org.keycloak.representations.idm.UserRepresentation["credentials"])
>>
>> So clearly Keycloak is actually parsing this field. Am I doing something
>> wrong with this request or is the documentation wrong?
>>
>> Right now what we've been doing to get around this is registering the
>> user and then doing a reset password request after, but this makes the
>> request to our service take twice as long. It would be great if we could
>> reduce this to a single request.
>>
>> Regards,
>> Scott
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
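
Added example (not part of the original thread and not Keycloak's own code): the two-request workaround discussed above, reading the new user's ID from the Location header and then calling reset-password. The `send` transport, the `FakeAdminApi` stand-in, the sample values and the delete-on-failure policy are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

class ProvisioningError(Exception):
    pass

def create_user_with_password(send, base, realm, user, password):
    """send(method, url, body) -> (status, headers) is a hypothetical injected
    transport; a real one would also attach the admin bearer token."""
    users = f"{base}/admin/realms/{realm}/users"
    # Request 1: create the account without credentials (the thread reports
    # that a credentials list sent here is not applied).
    rep = {k: v for k, v in user.items() if k != "credentials"}
    status, headers = send("POST", users, json.dumps(rep))
    if status != 201:
        raise ProvisioningError(f"create failed: HTTP {status}")
    # The new user's ID is the last path segment of the Location header.
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    user_id = urlparse(location).path.rstrip("/").rsplit("/", 1)[-1]
    if not user_id:
        raise ProvisioningError("create response had no Location header")
    # Request 2: set the password through the reset-password endpoint.
    cred = {"type": "password", "temporary": False, "value": password}
    status, _ = send("PUT", f"{users}/{user_id}/reset-password", json.dumps(cred))
    if not 200 <= status < 300:
        # Assumed policy: remove the half-provisioned account rather than
        # leave a user with no password behind.
        send("DELETE", f"{users}/{user_id}", None)
        raise ProvisioningError(f"reset-password failed: HTTP {status}")
    return user_id

class FakeAdminApi:
    """Constructed in-memory stand-in for the admin endpoints, for offline runs."""
    def __init__(self, fail_reset=False):
        self.users, self.fail_reset = {}, fail_reset
    def send(self, method, url, body):
        if method == "POST":
            uid = f"id-{len(self.users) + 1}"
            self.users[uid] = {"rep": json.loads(body), "password_set": False}
            return 201, {"Location": f"{url}/{uid}"}
        uid = urlparse(url).path.split("/users/")[1].split("/")[0]
        if method == "DELETE":
            self.users.pop(uid, None)
            return 204, {}
        if self.fail_reset:
            return 500, {}
        self.users[uid]["password_set"] = True
        return 204, {}
```

For a batch import, the same function can be called per record, with the failures collected from ProvisioningError instead of aborting the run.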