[keycloak-user] Exclude a user with realm-management role from keycloak's password policy

Firoz Ahamed firozpalapra at outlook.com
Fri Mar 22 11:50:58 EDT 2019


Glad I could help !


________________________________
From: Fateh <fateh.alchhabi at gmail.com>
Sent: Friday, March 22, 2019 3:08:13 PM
To: Firoz Ahamed
Subject: Re: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy

Hi Firoz

Thanks for the great help. I followed the steps and it is working like a charm.

Best regards
Fateh Alchhabi


On Wed, Mar 20, 2019 at 7:23 PM Firoz Ahamed <firozpalapra at outlook.com<mailto:firozpalapra at outlook.com>> wrote:
Hi Fateh,

You will not find the clients from the other realm in the master realm's role mapping; however, you will find a special client whose name follows the pattern <REALM_NAME>-realm, where REALM_NAME is the realm you want this user to manage.

Assign the roles under this special client to the user. Once this user is assigned the realm management roles, it will be able to perform the admin calls on the other realm.

To perform the operations, what we do is:

  1.  Hit the token endpoint of the master realm with the admin-cli client, passing the user name and password. This gives us an access token.
  2.  We use the access token obtained above to make the further admin calls, sending it as the bearer token.


We use this method in our JavaScript clients and I am not sure if this would help with your Java client.

Regards,

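The procedure described in this reply and in the first answer below (a user in the master realm, the <REALM_NAME>-realm client roles, a token from the master realm obtained through admin-cli, and that token sent as the bearer token on the admin calls), written against the keycloak-admin-client library that Fateh's snippet uses. This is an added example, not code from the thread or from the Keycloak project: the server URL, realm name, user name and password are placeholders, and treating a 403 from the admin API as "the management roles are missing" is an assumption about how the JAX-RS based client surfaces an authorization failure.

```java
import java.util.List;

import javax.ws.rs.WebApplicationException;

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Reads users and roles of one realm with a service user that lives in the
 * master realm, so the target realm's password policy never applies to it.
 * Constructed example: all names and credentials are placeholders.
 */
public class CrossRealmAdminExample {

    // Realm whose users and roles we want to read (placeholder).
    static final String TARGET_REALM = "Nosg-Realm";

    // The special client in master that carries the management roles for
    // TARGET_REALM; this is the client to pick under Role Mappings > Client Roles.
    static final String TARGET_REALM_MGMT_CLIENT = TARGET_REALM + "-realm";

    public static void main(String[] args) {
        // Step 1: authenticate against the MASTER realm with the built-in
        // admin-cli public client (no client secret is involved). The token
        // endpoint used is /auth/realms/master/protocol/openid-connect/token.
        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8180/auth")   // placeholder
                .realm("master")                          // where sysadmin lives
                .grantType(OAuth2Constants.PASSWORD)
                .clientId("admin-cli")
                .username("sysadmin")                     // master-realm user, placeholder
                .password("CHANGE_ME")                    // placeholder
                .build();

        // Step 2: every call made through this object goes to
        // /auth/admin/realms/<TARGET_REALM>/... with the master-realm access
        // token as the bearer token; the client refreshes it when it expires.
        RealmResource target = keycloak.realm(TARGET_REALM);

        try {
            List<UserRepresentation> users = target.users().list();
            List<RoleRepresentation> roles = target.roles().list();
            System.out.printf("%d users, %d realm roles in %s%n",
                    users.size(), roles.size(), TARGET_REALM);
        } catch (WebApplicationException e) {
            int status = e.getResponse().getStatus();
            if (status == 403) {
                // Token accepted, but it carries no management roles for the
                // target realm: assign the roles of TARGET_REALM_MGMT_CLIENT to
                // the user in the master realm.
                System.err.printf("403 from realm %s: assign roles of client '%s' "
                        + "to the user in master%n", TARGET_REALM, TARGET_REALM_MGMT_CLIENT);
            } else {
                throw e;
            }
        } finally {
            keycloak.close();
        }
    }
}
```

The two changes relative to the snippet further down the thread are the realm passed to the builder ("master" instead of the target realm) and the client ("admin-cli" instead of the realm's own confidential client); the target realm only appears in keycloak.realm(...). Rather than assigning every role under the <REALM_NAME>-realm client, assign only what the job needs (for a read-only user, view-users and view-realm are enough), so a leaked password for this account cannot be used to change anything in the managed realm.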

________________________________
From: Fateh <fateh.alchhabi at gmail.com<mailto:fateh.alchhabi at gmail.com>>
Sent: Tuesday, March 19, 2019 6:47:32 PM
To: Firoz Ahamed
Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy

Hi Firoz

Thanks for the answer, but I could not achieve the expected result.
First of all, I am using Keycloak-4.4.0.Final and I could not find a Role Mappings tab for the client.

Here are the steps I followed:

  *   I went to the Master realm and created the user sysAdmin, then on the left from the user page >> Role Mapping >> Client Roles >> in the drop-down menu I found the clients from the Master realm only, but not from the other realms. So I assigned all the roles inside master-realm.
  *   In the other realm I have a client with these values:

<secure-deployment name="WAR MODULE NAME.war">
    <realm>Nosg-Realm</realm>
    <auth-server-url>http://localhost:8180/auth</auth-server-url>
    <ssl-required>EXTERNAL</ssl-required>
    <resource>whereoil-rest-api</resource>
    <credential name="secret">4ab9fac1-xxxxxxx-xxxxxxx-xxxxxxxxxx</credential>
    <use-resource-role-mappings>true</use-resource-role-mappings>
</secure-deployment>

  *   I am using a Java client to fetch all users and the roles list via this code:

import java.util.List;

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.UserRepresentation;

// Password grant against the Nosg-Realm token endpoint, using the realm's own confidential client
Keycloak keycloak = KeycloakBuilder.builder()
        .serverUrl("http://localhost:8180/auth")
        .realm("Nosg-Realm")
        .grantType(OAuth2Constants.PASSWORD)
        .clientId("whereoil-rest-api")
        .clientSecret("4ab9fac1-xxxxxxx-xxxxxxx-xxxxxxxxxx")
        .username("sysadmin") // master realm user
        .password("xxxxx")
        .build();

// Admin API calls for Nosg-Realm, sent with the access token obtained above
RealmResource realmResource = keycloak.realm("Nosg-Realm");
List<UserRepresentation> users = realmResource.users().search("User from Nosg-Realm");


I hope this clarifies it more.



Best regards
Fateh Alchhabi


On Fri, Mar 15, 2019 at 2:11 PM Firoz Ahamed <firozpalapra at outlook.com<mailto:firozpalapra at outlook.com>> wrote:

Hi,

You could create a new user in the master realm and assign the realm management roles for the specific realm using the Role Mappings tab -> Client Roles. In order to manage the other realm, get the token for the newly created user from the master realm and then send that token in your API calls.

The ability to assign realm management for other realms is only available for users in the master realm.

Hope this helps.






________________________________
From: keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org> <keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org>> on behalf of Fateh <fateh.alchhabi at gmail.com<mailto:fateh.alchhabi at gmail.com>>
Sent: Friday, March 15, 2019 6:25:25 PM
To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy

Problem: I have a user with the realm-management client roles in a realm called
xx which has a password policy.
I want to exclude this user from the password policy, since this user is
responsible for fetching the roles and users and doing some updates via the Java API,
and I don't want all the operations to stop until we update the user's password
when the password policy is triggered.

PS. I tried to use the admin user from the master realm; I couldn't get
data out of the master realm.


I would appreciate any help or ideas.



--
Sent from: http://keycloak-user.88327.x6.nabble.com/
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

