[keycloak-user] How to configure Keycloak Admin Client to only access a specific Realm?

Alex Berg chexxor at gmail.com
Tue May 30 22:59:24 EDT 2017


You need to give the user the "realm-admin" role. Read the admin api docs a
little closer - it's mentioned in there. I use "client_credentials" method,
so I give that role to the client itself.

On May 30, 2017 20:40, "Celso Agra" <celso.agra at gmail.com> wrote:

> Hi all,
>
> I'm trying to configure keycloak to manage users in a specific realm. Here
> is my code:
>
> Keycloak kc = KeycloakBuilder.builder()
>     .serverUrl("http://localhost:8080/auth")
>     .realm("realm1").username("user")
>     .password("secret")
>     .clientId("admin-cli")
>     .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
>     .build();
>
> RealmResource realmResource = kc.realm("realm1");
> UsersResource userRessource = realmResource.users();
> System.out.println("Count: " + userRessource.count());
>
>
> When I run this code, I'm getting this error:
>
> javax.ws.rs.BadRequestException: HTTP 400 Bad Request
>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:212)
>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:189)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:107)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>     at com.sun.proxy.$Proxy32.grantToken(Unknown Source)
>     at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
>     at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
>     at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
>     at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>     at com.sun.proxy.$Proxy40.count(Unknown Source)
>     at pe.gov.br.ati.service.KeycloakClientService.validateAndInsertUser(KeycloakClientService.java:72)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>     at java.lang.reflect.Method.invoke(Unknown Source)
>     at org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:408)
>     at org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:279)
>     at org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:252)
>     at org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:177)
>     at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
>     at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)
>     at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>     at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
>     at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
>     at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>     at org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:62)
>     at org.apache.camel.processor.SendProcessor.process(SendProcessor.java:145)
>     at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
>     at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)
>     at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>     at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
>     at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
>     at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>     at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:109)
>     at
>     ...
>
>
> But when I change the realm to "master", such as:
>
> Keycloak kc = KeycloakBuilder.builder()
>     .serverUrl("http://localhost:8080/auth")
>     .realm("master").username("admin")
>     .password("admin123!")
>     .clientId("admin-cli")
>     .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
>     .build();
>
> RealmResource realmResource = kc.realm("realm1");
> UsersResource userRessource = realmResource.users();
> System.out.println("Count: " + userRessource.count());
>
>
> The code works fine.
> I'd like to know if the admin user in the master realm is the only way to
> add users using the keycloak Admin Client.
>
> Is anybody getting this same issue?
>
> Best Regards
>
> --
> ---
> *Celso Agra*
>
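
The setup described in the reply, as an added example (not code from the thread or from the Keycloak project): a confidential client in realm1 authenticates with the client_credentials grant, and its service account holds realm-admin, which in a non-master realm is a client role of the built-in realm-management client. The client id realm1-provisioner and the KC_CLIENT_SECRET environment variable are assumptions, as is an admin-client version that uses javax.ws.rs and provides KeycloakBuilder.grantType.

```java
import javax.ws.rs.BadRequestException;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

public class RealmScopedAdminClient {

    public static void main(String[] args) {
        // Assumed names: "realm1-provisioner" is a hypothetical confidential client
        // created in realm1 with service accounts enabled. Its secret is read from
        // the environment instead of being hard-coded.
        String secret = System.getenv("KC_CLIENT_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("KC_CLIENT_SECRET is not set");
        }

        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080/auth")
                .realm("realm1") // authenticate against realm1, not master
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId("realm1-provisioner")
                .clientSecret(secret)
                .build();
        try {
            // The token is requested lazily on the first API call, which is why
            // the failure in the thread surfaced from users().count().
            System.out.println("Count: " + kc.realm("realm1").users().count());
        } catch (BadRequestException | NotAuthorizedException e) {
            // The token endpoint rejected the grant (the grantToken failure
            // shown in the thread's stack trace).
            System.err.println("Token request failed: " + e.getMessage());
        } catch (ForbiddenException e) {
            // A token was issued, but the service account lacks the role.
            System.err.println("Authenticated, but not authorized: " + e.getMessage());
        } finally {
            kc.close();
        }
    }
}
```

For a service that only reads or manages users, realm-management also has narrower roles such as view-users and manage-users, so realm-admin does not have to be granted.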

