@luciddreamz
Forked from paoloantinori/keycloak.sh
Last active July 24, 2024 08:58
Keycloak Admin API Rest Example: Get User
#!/bin/bash
# requires https://stedolan.github.io/jq/download/
set -euo pipefail
# config
KEYCLOAK_URL=http://localhost:8080/auth   # Keycloak 17+ (Quarkus distribution) serves without the /auth prefix
KEYCLOAK_REALM=realm                      # realm that issues the token; the built-in admin user lives in master
KEYCLOAK_CLIENT_ID=clientId               # used below as the username of the admin user
KEYCLOAK_CLIENT_SECRET=clientSecret       # used below as that user's password
USER_ID=userId
# password grant against the public admin-cli client;
# --data-urlencode percent-encodes non-ASCII or reserved characters in the credentials
export TKN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "username=${KEYCLOAK_CLIENT_ID}" \
--data-urlencode "password=${KEYCLOAK_CLIENT_SECRET}" \
-d 'grant_type=password' \
-d 'client_id=admin-cli' | jq -r '.access_token')
# admin REST API base path is /admin/realms/<realm>; note ${USER_ID}, not ${$USER_ID} (bad substitution)
curl -s -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}" \
-H "Accept: application/json" \
-H "Authorization: Bearer $TKN" | jq .
@luciddreamz

Author

Untested! :)

@victorperin

Do I have to configure something on a client to enable this way of getting the access_token?

@ec-wagner

Hi!

Do you know if Keycloak can handle the same POST request (to get a token) as JSON instead of form data?

e.g. like this:

curl -X POST http://localhost:8080/auth/realms/master/protocol/openid-connect/token \
   --header "Content-Type: application/json" \
   --data '{"grant_type": "password", "client_id": "admin-cli", "username": "admin", "password": "admin"}'

I am getting the following error:

{"error":"invalid_request","error_description":"Missing form parameter: grant_type"}

Or is the "Content-Type: application/x-www-form-urlencoded" header a requirement that can't be bypassed?

@jijiechen

The admin RESTful API has a base path /auth/admin/realms/

ghost commented Jul 17, 2019

@jijiechen, so how would a REST API call for token acquisition look?

@jijiechen

jijiechen commented Jul 25, 2019

@oe19fyfa For acquiring a token, I didn't test the script provided by the gist author, but I did test the request using Postman, the script here looks good.
Here is a C# code sample for getting an access token:
https://github.com/dotnetclub-net/dotnetclub/blob/dev/src/Discussion.Web/Services/UserManagement/KeyCloakUserUpdater.cs#L66

@aawgit

aawgit commented Aug 22, 2019

What I experienced was that the admin user token is given for master realm (Too bad that there is no proper documentation). Therefore the code should be changed as KEYCLOAK_REALM=master. This answer by Boomer is helpful https://stackoverflow.com/questions/48146410/unable-to-get-oauth-token-from-keycloak

@bi40

bi40 commented Nov 14, 2019

Hi!

Do you know if Keycloak can handle the same POST request (to get a token) as JSON instead of form data?

e.g. like this:

curl -X POST http://localhost:8080/auth/realms/master/protocol/openid-connect/token \
   --header "Content-Type: application/json" \
   --data '{"grant_type": "password", "client_id": "admin-cli", "username": "admin", "password": "admin"}'

I am getting the following error:

{"error":"invalid_request","error_description":"Missing form parameter: grant_type"}

Or is the "Content-Type: application/x-www-form-urlencoded" header a requirement that can't be bypassed?

The content type is required in this example.

@msca79

msca79 commented Jan 29, 2020

Hi,

There is an extra "$" in USER_ID:

users/${$USER_ID}

curl -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${$USER_ID}" \
-H "Accept: application/json" \
-H "Authorization: Bearer $TKN" | jq .

this works for me:

curl -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}" \
-H "Accept: application/json" \
-H "Authorization: Bearer $TKN" | jq .

Anyway, it works :)

regards, Szabi

@rthummarajula

Thanks @jijiechen for the advice below, it saved a lot of time and it is working fine.

The admin RESTful API has a base path /auth/admin/realms/

@hasnatsaeed

Hi,
It seems that when I use my custom realm (xyz) to get the access token for the admin user, it is not working. I have to specify the realm as 'master' to get an access token for admin-cli. Can somebody please help me with this? Why can't I use my own realm (xyz) to get the token for the admin user? I can see that under my own realm's clients, I do have the admin-cli client available. Thanks

@jijiechen

@hasnatsaeed Custom realms are meant to manage other systems that consume those custom realms, and only the master realm is meant to manage Keycloak itself.
So the situation you ran into was a correct behavior, wasn't it?

@jeudy-ua

Is there any way to get the groups in the user detail response? The UserRepresentation definition has the groups field, but it is not returned by the API:

 {'id': '314cfd91-dae1-40c1-9af9-5857c6531dc3',
  'createdTimestamp': 1600373234948,
  'username': 'jeudy@x.io',
  'enabled': True,
  'totp': False,
  'emailVerified': True,
  'firstName': 'Jeudy',
  'lastName': 'Blanco',
  'email': 'jeudy@x.io',
  'disableableCredentialTypes': [],
  'requiredActions': [],
  'notBefore': 0,
  'access': {'manageGroupMembership': True,
   'view': True,
   'mapRoles': True,
   'impersonate': True,
   'manage': True}}

@SalahAdDin

@jijiechen Thanks man, you gave me a clue about my problem.

@azadious

Untested! :)

Don't worry it works.

@hendisantika

Is there any way to list all realm & client roles using Java?
For example:

@GetMapping("/roles")
public ResponseEntity<List<RoleRepresentation>> getRoles() {
    Keycloak keycloak = getKeycloakInstance();
    // look up the client by its clientId, then list that client's roles
    ClientRepresentation clientRepresentation = keycloak.realm(keycloakRealm).clients().findByClientId(keycloakClient).get(0);
    List<RoleRepresentation> roles = keycloak.realm(keycloakRealm).clients().get(clientRepresentation.getId()).roles().list();
    return ResponseEntity.ok(roles);
}

Above code is to list all client roles. I want to list realm roles.

Thanks

@dawidd6

dawidd6 commented Aug 19, 2022

If anyone like me will try this script on newer Keycloak and it does not work, see: https://stackoverflow.com/questions/70577004/keycloak-could-not-find-resource-for-full-path

@obervinov

Thank you!
It worked for me

@Grantismo

On keycloak 21.0.1 the following works for me:

#!/bin/bash

# requires https://stedolan.github.io/jq/download/

# config
KEYCLOAK_URL=http://localhost:8080 # NOTE: no /auth
KEYCLOAK_REALM=realm
KEYCLOAK_CLIENT_ID=clientId
KEYCLOAK_CLIENT_SECRET=clientSecret
USER_ID=userId

export TKN=$(curl -X POST "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "client_id=${KEYCLOAK_CLIENT_ID}" \
 -d "client_secret=${KEYCLOAK_CLIENT_SECRET}" \
 -d 'grant_type=client_credentials' | jq -r '.access_token')

curl -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}" \
-H "Accept: application/json" \
-H "Authorization: Bearer $TKN" | jq .

In the client config:
Client authentication: On
Direct access grants: On
Service account roles: On

Under "Service Account Roles" assign the manage-users role.

@andersonbosa

andersonbosa commented Jun 17, 2024

Raw HTTP format:

POST http://localhost:8080/realms/YOUR_REALM/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&client_id=admin-cli&username=YOUR_USER&password=YOUR_PASSWORD

Example using defaults:

POST http://localhost:8080/realms/master/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&client_id=admin-cli&username=admin&password=admin

@steadyk

steadyk commented Jul 24, 2024

Just as a hint:

We had issues with passwords which contains non ASCII characters.

We were able to fix this by replacing:

-d "password=${KEYCLOAK_CLIENT_SECRET}" \

with

--data-urlencode "password=${KEYCLOAK_CLIENT_SECRET}" \
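The following Python module is an added example, not the gist's script and not code from anyone in this thread. It collects the points raised above into one place: the client_credentials service-account flow and the manage-users role from @Grantismo's comment, the missing /auth prefix on Keycloak 17+ behind the link @dawidd6 posted, the fact that GET /users/{id} does not embed groups (the /users/{id}/groups sub-resource does) from @jeudy-ua's question, the realm-roles listing @hendisantika asked about, and @steadyk's hint about URL-encoding credentials. Everything else is assumed: the server URL, realm, client and user identifiers are placeholders, the service account is assumed to hold manage-users (and, assumed here, view-realm for listing realm roles) from the realm-management client, and the sample token at the bottom is constructed inline so the claim checks run without a server. It is not a real Keycloak token, and the claim decoder deliberately does not verify signatures, so it must only be used to inspect a token the server just issued to you.

```python
"""Keycloak Admin REST helpers (added example; not the gist's script).

Assumptions (not stated on the page): the confidential client has
"Service account roles" with manage-users (and, assumed, view-realm for
listing realm roles) from the realm-management client; `server` is the
Keycloak root URL, with legacy=True for a pre-17 server still under /auth.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"


def base_url(server: str, legacy: bool = False) -> str:
    """Keycloak up to 16 (WildFly) served under /auth; the Quarkus
    distribution (17+) drops that prefix, which is what produces the
    'Could not find resource for full path' error with the old script."""
    server = server.rstrip("/")
    return server + "/auth" if legacy else server


def form_body(fields: dict) -> bytes:
    """The token endpoint wants application/x-www-form-urlencoded, not JSON.
    urlencode percent-encodes non-ASCII and reserved characters in the
    secret, the same thing curl's --data-urlencode does."""
    return urllib.parse.urlencode(fields).encode()


def post_form(url: str, fields: dict) -> dict:
    req = urllib.request.Request(
        url, data=form_body(fields), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def get_json(url: str, token: str):
    req = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + token,
                      "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def admin_url(server: str, realm: str, *parts: str, legacy: bool = False) -> str:
    """Admin API lives under /admin/realms/{realm}/...; every path piece is
    quoted so a realm name or user id cannot alter the path."""
    quoted = "/".join(urllib.parse.quote(p, safe="") for p in (realm,) + parts)
    return f"{base_url(server, legacy)}/admin/realms/{quoted}"


def get_token(server: str, realm: str, client_id: str, client_secret: str,
              legacy: bool = False) -> str:
    """client_credentials grant: no admin password on disk, and the token
    carries the roles assigned to the client's service account."""
    url = base_url(server, legacy) + TOKEN_PATH.format(
        realm=urllib.parse.quote(realm, safe=""))
    body = post_form(url, {"grant_type": "client_credentials",
                           "client_id": client_id,
                           "client_secret": client_secret})
    return body["access_token"]


def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified.
    Fine for inspecting a token the server just issued to us, never for
    trusting a token presented by someone else."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_management_roles(claims: dict) -> set:
    """manage-users and friends are client roles of realm-management."""
    return set(claims.get("resource_access", {})
                     .get("realm-management", {})
                     .get("roles", []))


def can_manage_users(token: str) -> bool:
    """Check before calling /admin: a token without manage-users gets a 403."""
    return "manage-users" in realm_management_roles(jwt_claims(token))


def get_user(server, realm, token, user_id, legacy=False) -> dict:
    return get_json(admin_url(server, realm, "users", user_id, legacy=legacy), token)


def get_user_groups(server, realm, token, user_id, legacy=False) -> list:
    """GET /users/{id} does not embed groups; use the /groups sub-resource."""
    return get_json(admin_url(server, realm, "users", user_id, "groups",
                              legacy=legacy), token)


def list_realm_roles(server, realm, token, legacy=False) -> list:
    """Realm roles (as opposed to one client's roles) are under /roles."""
    return get_json(admin_url(server, realm, "roles", legacy=legacy), token)


def unsigned_token(claims: dict) -> str:
    """JWT-shaped string with an empty signature, constructed here only so
    the claim checks can run without a server (never accept alg=none)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


# Constructed sample: the shape of a service-account token holding manage-users
SAMPLE_TOKEN = unsigned_token({
    "iss": "http://localhost:8080/realms/realm",
    "azp": "clientId",
    "resource_access": {"realm-management": {"roles": ["manage-users", "view-users"]}},
})

if __name__ == "__main__":
    print("sample token may manage users:", can_manage_users(SAMPLE_TOKEN))
    print("user URL:", admin_url("http://localhost:8080", "realm", "users", "userId"))
```

With a live server the call sequence is get_token, then can_manage_users on the result (a False here means the service account is missing the role, which is the usual cause of a 403 on /admin), then get_user, get_user_groups or list_realm_roles with that token.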
