Allow client to retrieve users from keycloak

Time:12-11

I want to let my client application access user information from Keycloak. Therefore, I created another realm (myrealm1) in Keycloak and within that realm I created a new client (myclient1).

Keycloak configuration:

Client configuration

Client myclient1 configuration

Actually, I tried a lot of other combinations without success.

In the client scopes tab, I added the admin client scope. In the service account roles tab, I added the admin role.

Client scope configuration

For the admin client scope, I assigned the admin role in the scope tab.

Realm role configuration

For the admin realm role, I assigned the admin role in the associated role tab.

REST API Calls

These are the REST API calls I am using:

curl --location --request POST 'http://localhost:8080/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=myclient1' \
--data-urlencode 'client_secret=PehR9f95woZmEEHcKfSgPaosu1Yt6P9s' \
--data-urlencode 'grant_type=client_credentials'

Returns

{
    "access_token": "eyJhbGciOiJS...",
    "expires_in": 300,
    "refresh_expires_in": 0,
    "token_type": "Bearer",
    "not-before-policy": 0,
    "scope": "email profile admin"
}

So far so good, I do get a token.

curl --location --request GET 'http://localhost:8080/admin/realms/myrealm/users' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJS...'

Returns HTTP 403

{
    "error": "unknown_error"
}

This is not as expected. The expected result would be the user information.

Btw, I do get it working for the admin user of the master realm:

curl --location --request POST 'http://localhost:8080/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=password' \
--data-urlencode 'grant_type=password'

But this is not what I want. I would like to get it working for my custom client.

Setup

I am using Keycloak 19.0.3.

My question

What is missing to get it working? I.e., how do I enable my client to make use of the Keycloak REST APIs such as /admin/realms/myrealm/users?

CodePudding user response:

You need to go to:

  • your realm;
  • your client;
  • then go to service account;


  • Click on Assign Role;
  • Select Filter by clients;
  • and search for 'realm-management'.


  • Select and assign the desired roles.
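Added example, not code from the question or the answer: it performs the same two calls as the question's curl commands and, before the admin call, decodes the token to show whether the service account actually carries the realm-management role view-users that listing users needs, which is what a 403 on /admin/realms/myrealm/users points at. It assumes the question's base URL and realm, a placeholder client secret, and constructed (unsigned) sample tokens for the offline part.

```python
# Added example (not from the original post): get a client-credentials token, check which
# realm-management client roles the service account actually carries, then list users.
import base64
import json
import urllib.parse
import urllib.request

KEYCLOAK = "http://localhost:8080"   # base URL from the question
REALM = "myrealm"                    # realm used in the question's curl calls
REQUIRED = ("view-users",)           # realm-management client role needed to list users

def decode_jwt_payload(token: str) -> dict:
    seg = token.split(".")[1]        # claims segment; local inspection only, no signature check
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def realm_management_roles(token: str) -> list:
    # Keycloak places client roles under resource_access.<client-id>.roles.
    claims = decode_jwt_payload(token)
    return claims.get("resource_access", {}).get("realm-management", {}).get("roles", [])

def missing_roles(token: str, required=REQUIRED) -> list:
    return [role for role in required if role not in realm_management_roles(token)]

def get_token(client_id: str, client_secret: str) -> str:
    # Same client_credentials grant as the question's first curl call.
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:   # urllib sends form-urlencoded by default
        return json.load(resp)["access_token"]

def list_users(token: str) -> list:
    # Same call as the question's second curl; HTTP 403 here means the roles are missing.
    req = urllib.request.Request(f"{KEYCLOAK}/admin/realms/{REALM}/users",
                                 headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def constructed_token(claims: dict) -> str:
    # Constructed, unsigned sample token for offline demonstration only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed samples; TOKEN_DENIED mirrors the question's token (scope present, no client roles).
TOKEN_OK = constructed_token({"resource_access": {"realm-management": {"roles": ["view-users", "query-users"]}}})
TOKEN_DENIED = constructed_token({"scope": "email profile admin"})

if __name__ == "__main__":
    token = get_token("myclient1", "<client-secret>")   # placeholder for the real secret
    lacking = missing_roles(token)
    if lacking: raise SystemExit(f"service account lacks realm-management roles {lacking}; expect HTTP 403")
    print([u["username"] for u in list_users(token)])
```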