[keycloak-user] Create realm from java admin client with access token vs username+password

Marko Strukelj mstrukel at redhat.com
Fri Mar 9 14:02:46 EST 2018


You're not using AdminClient API but AuthorizationClient API which is a
different API.

Using AdminClient API is as simple as:

Keycloak keycloak = Keycloak.getInstance(
        keycloakBaseUrl,
        "master",
        username,
        password,
        "admin-cli");




On Fri, Mar 9, 2018 at 6:07 PM, Nhut Thai Le <ntle at castortech.com> wrote:

> Thank you for your suggestion and the link. Since I am making a stand-alone
> Java app to create realms dynamically, I'm using the Keycloak admin-client
> and authz-client in my code. As suggested in the document, I set Access Type
> to Confidential, turned on Service Account Enabled and assigned the
> create-realm role to the service account for the admin-cli client in the
> master realm.
> My code is pretty straightforward:
>     String realmName = "Realm5";
>
>     Map<String, Object> adminCliSecret = new HashMap<String, Object>();
>     adminCliSecret.put("secret", "3b7122d9-1fe0-4417-9407-33818153c7fa");
>     Configuration adminClientConfig = new Configuration();
>     adminClientConfig.setAuthServerUrl("http://localhost:8180/auth");
>     adminClientConfig.setRealm("master");
>     adminClientConfig.setResource("admin-cli");
>     adminClientConfig.setCredentials(adminCliSecret);
>
>     AuthzClient authzClient = AuthzClient.create(adminClientConfig);
>     String serviceAccountAccessToken = authzClient.obtainAccessToken("admin-cli",
>             "3b7122d9-1fe0-4417-9407-33818153c7fa").getToken(); // GET 401 HERE
>     createNewRealm(realmName, serviceAccountAccessToken);
>
> I got 401 when trying to get the access token; it seems like the AuthzClient
> uses grant_type=password instead of client_credential. However, there is no
> method to set grant_type for the AuthzClient.
>
> Is the AuthzClient not supposed to be used to get an access token for a
> Service Account? If it's not, then is there another client I can use, or do I
> have to issue the HTTP request manually?
>
> Thai
>
> On Fri, Mar 9, 2018 at 4:12 AM, Marko Strukelj <mstrukel at redhat.com>
> wrote:
>
>> Sometimes you already have an access token - your Java client may have a
>> custom login mechanism, for example, that delegates username and password
>> input in order to retrieve it interactively from the user. In that case the
>> client doesn't even have to know about the username and password - it only
>> receives fresh access and refresh tokens, for example. A concrete example is
>> the Registration Client CLI, which stores the tokens in a private file so it
>> doesn't need to ask the client for username and password all the time, and
>> can just use a still-valid access token / refresh token.
>>
>> For your case you'll want to create a custom client configuration,
>> protect it with clientId and client secret (or signed jwt), and enable the
>> service account for that client.
>>
>> See: http://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts
>>
>>
>>
>> On Wed, Mar 7, 2018 at 8:31 PM, Nhut Thai Le <ntle at castortech.com> wrote:
>>
>>> Hello,
>>>
>>> In the admin client I see there is an overloaded method to create a Keycloak
>>> instance using a token, (Keycloak.getInstance(serverUrl, realm, clientId,
>>> authToken)). Is this considered more secure than using the
>>> username+password? Since if I'm using the access token in the method
>>> above, I still need to make another call earlier with the username +
>>> password to get the token, so either way the username + password will be
>>> in my code repo.
>>>
>>> I think I can create an account in the master realm with the role
>>> create-realm; can I use that as a service account, or is there an existing
>>> service account somewhere in the master realm?
>>>
>>> I'm trying to integrate Keycloak into my multitenancy application, where
>>> each client has his own realm to configure his security. My application
>>> needs to create the realm when the client registers with my app.
>>>
>>> Thai
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
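For the service-account route Marko describes (a confidential client with the service account enabled, so no user password sits in the code repository), here is an added example that is not from this thread or from the Keycloak project: it uses the admin client's KeycloakBuilder with the client_credentials grant and then creates a realm through the admin API. The client id "realm-provisioner", the environment variable name and the realm name are assumptions, and the code targets the javax.ws.rs-based admin-client versions current at the time of the thread.

```java
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RealmRepresentation;
import javax.ws.rs.WebApplicationException;

public class RealmProvisioner {
    // Constructed values: the client id is hypothetical; the secret comes from the
    // environment so that no credential is committed to the code repository.
    private static final String SERVER_URL = "http://localhost:8180/auth";
    private static final String CLIENT_ID = "realm-provisioner";

    public static void main(String[] args) {
        String clientSecret = System.getenv("KEYCLOAK_CLIENT_SECRET");
        if (clientSecret == null || clientSecret.isEmpty()) {
            throw new IllegalStateException("KEYCLOAK_CLIENT_SECRET is not set");
        }
        createRealm(SERVER_URL, CLIENT_ID, clientSecret, args.length > 0 ? args[0] : "Realm5");
    }

    // Obtains a token with grant_type=client_credentials (no user password involved)
    // and creates the realm with it. The client's service account must hold the
    // create-realm role in the master realm, as described in the thread.
    static void createRealm(String serverUrl, String clientId, String clientSecret, String realmName) {
        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm("master")               // the token is issued by the master realm
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
        try {
            RealmRepresentation realm = new RealmRepresentation();
            realm.setRealm(realmName);
            realm.setEnabled(true);
            keycloak.realms().create(realm);   // POST /auth/admin/realms with the bearer token
            System.out.println("Created realm " + realmName);
        } catch (WebApplicationException e) {
            int status = e.getResponse().getStatus();
            if (status == 409) {
                System.err.println("Realm " + realmName + " already exists");
            } else if (status == 401 || status == 403) {
                System.err.println("Token rejected or service account lacks create-realm (HTTP " + status + ")");
            } else {
                throw e;
            }
        } finally {
            keycloak.close();
        }
    }
}
```

Granting the service account only create-realm in master keeps the provisioning credential scoped to that one operation rather than to full realm administration.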

