
First of all I am very new to Keycloak and excuse me if something I am asking might be wrong.

I have installed the Keycloak server and I can access the Web UI for the same using:

http://localhost:8008/auth

My requirement is to validate a realm user by passing it to the Keycloak API and to get the token from there in response, and then pass this token for my other Web API calls.

But I was not able to find a simple guide on how I can do this...

UPDATE:


USING UI from KEYCLOAK:

So far now:

  • I am able to create a realm: e.g: DemoRealm

  • Under the Realm I have created the client: e.g: DemoClient

  • Under the client I have created the user: e.g: DemoUser

USING POSTMAN:

I am also able to successfully get the token using

http://localhost:8080/auth/realms/DemoRealm/protocol/openid-connect/token

POST:
{
"grant_type": "client_credentials",
"username": "",
"password": "",
"client_secret":"",
"client_id":"DemoClient"
}

In response I am getting the token.

{
    "access_token": "eyJhbGciOiJSUzI1NiIsINVSHGhepnDu13SwRBL-v-y-04_6e6IJbMzreZwPI-epwdVPQe-ENhpvms2WdGM_DmgMLZ8YQFS4LDl9R7ZHT8AgXe-WCFV6OFkA7zvdeFwQ4kVVZE0HlNgHgoi4DrgMfwwz_ku1yJNJP3ztTY1nEqmA",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJRRnB5YlloMGVEektIdlhOb3JvaFUxdlRvWVdjdP3vbfvk7O0zvppK9N4-oaUqZSr0smHv5LkuLDQYdPuxA",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "bb1c586a-e880-4b96-ac16-30e42c0f46dc"
}

Furthermore I was diving into more details and found this API guide:

http://www.keycloak.org/docs-api/3.0/rest-api/index.html#_users_resource

In this guide it's mentioned that I can get the users for the realm using "Get users: Returns a list of users, filtered according to query parameters":

GET /admin/realms/{realm}/users

But when I use POSTMAN to get the users I get a 403 error code. I am passing the same token that I got in the earlier authentication step.

http://localhost:8080/auth/admin/realms/DemoRealm/users

Can anyone please guide me?

SparkFountain
Rohitesh
  • Do you mean you just now installed Keycloak and run it while it's not integrated with a web application? If you look, there are too many things available over the internet and in the Keycloak documentation on how to integrate Keycloak with a web application. – Subodh Joshi Mar 30 '18 at 15:40
  • @SubodhJoshi I don't want to integrate Keycloak with a web application. I want to pass the user/client under a realm and get the token, and pass this token to some other API where again I'll validate this token. – Rohitesh Mar 30 '18 at 15:52
  • With the UI it may not be possible; use the Keycloak REST API or admin-cli. – Subodh Joshi Mar 30 '18 at 15:59
  • @SubodhJoshi I have updated my question with what I achieved till now, can you help me out? – Rohitesh Mar 30 '18 at 16:00
  • I think this will help you: "have got the access token but don't know how to test this using postman. > you should just need to add the authorization header in Postman", http://stackoverflow.com/questions/24709944/jwt-token-in-postman-header. I found this, see if it will help you; otherwise I can write a proper answer in the morning only, right now I am using my mobile for commenting. – Subodh Joshi Mar 30 '18 at 16:11
  • @SubodhJoshi thank you very much, I will post whether it's working or not. One more question: for now I am getting the token at client level, is it possible to get the token at user level? – Rohitesh Mar 30 '18 at 16:14
  • @SubodhJoshi I think it's authenticating, so I am not getting 401 but instead I am getting a 403 error code. It seems to be some authorization error. I don't know for what reason I am getting this. – Rohitesh Mar 30 '18 at 16:16
  • 403 Forbidden tells us that we don't have permission to see the requested resource; it's mainly due to permissions. In many cases if you are using HTTPS and didn't import the certificate into the client it will throw a 403 Forbidden error. – Subodh Joshi Mar 30 '18 at 16:23
  • See this, it will surely help you. https://stackoverflow.com/q/46470477/476828 – Subodh Joshi Mar 30 '18 at 16:28
  • @SubodhJoshi thank you so much, it's working. – Rohitesh Mar 30 '18 at 16:55
  • @SubodhJoshi One more question: for now I am getting the token at client level, is it possible to get the token at user level? – Rohitesh Mar 30 '18 at 16:56
  • Here is something for you. Getting tokens over REST endpoints for regular users is not the right way for many reasons. It's not SSO, less secure, exposes authentication details as well as credentials to the applications, etc, etc.. – Subodh Joshi Mar 30 '18 at 17:23
  • @SubodhJoshi so you mean to say that there will be a group of users under one client and then we need to get the token for that client instead of individual users? Please correct me if I am wrong. – Rohitesh Mar 30 '18 at 17:27
  • Each realm may or may not contain more than one client. If you check the master realm it has more than one client by default, and the realm only contains more than one user/group etc. – Subodh Joshi Mar 30 '18 at 17:34

3 Answers


You have 2 choices: you can act on behalf of some user (as Adnan Khan pointed out), or create a dedicated client for this.

On behalf of the user

1) create a confidential client (I suppose you already got one)

2) create a user and assign appropriate role(s) to it: e.g. view-users from the realm-management group

3) get the token (I'm using curl and jq):

KCHOST=https://yourkeycloak.com
REALM=realm
CLIENT_ID=confidential-client
CLIENT_SECRET=xxxxxxx-yyyyyy-zzzzzzzz
UNAME=user
PASSWORD=passwd

# password grant: the user's credentials go in the form body, the client
# authenticates with its secret; -s keeps curl's progress meter out of jq's input
ACCESS_TOKEN=$(curl -s \
  -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
  -d "username=$UNAME" -d "password=$PASSWORD" \
  -d "grant_type=password" \
  "$KCHOST/auth/realms/$REALM/protocol/openid-connect/token" | jq -r '.access_token')

4) finally call the Admin REST API users endpoint:

curl -s -H "Authorization: Bearer $ACCESS_TOKEN" "$KCHOST/auth/admin/realms/$REALM/users" | jq

On behalf of the client (Service account)

1) create a confidential client and make sure to toggle the Service Accounts Enabled setting to On

2) go over to the Service account roles tab and select the appropriate role for this client, e.g. realm-admin from the realm-management group

3) get the access token

KCHOST=https://yourkeycloak.com
REALM=realm
CLIENT_ID=protector-of-the-realm
CLIENT_SECRET=xxxxxxx-yyyyyyyy-zzzzzzzzz

# client_credentials grant: no user involved, the token belongs to the
# client's service account, so it carries the service account roles only
ACCESS_TOKEN=$(curl -s \
  -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
  -d "grant_type=client_credentials" \
  "$KCHOST/auth/realms/$REALM/protocol/openid-connect/token" | jq -r '.access_token')

4) call the REST API endpoint:

curl -s -H "Authorization: Bearer $ACCESS_TOKEN" "$KCHOST/auth/admin/realms/$REALM/users" | jq

P.S. For debugging I have just written a CLI tool called brauzie that would help you fetch and analyse your JWT tokens (scopes, roles, etc.). It could be used for both public and confidential clients. You could as well use Postman and https://jwt.io

HTH :)

maslick

Users in keycloak are realm specific and not every user is allowed to access them. You will be able to get all the users through the admin API after you assign a specific role to the user in the admin dashboard. Simply do

  1. In the admin dashboard, go to

Users > myuser > Role Mappings > Client roles > realm-management

  2. Assign the user either of the two roles manage-users or view-users.

  3. Generate a new token.

  4. Hit the API with the new token

and you will have your users.

P.S. I think you should update your question header to something more relevant.

Adnan Khan

To simplify the steps, if you already have either a client or a user in a specific realm:

curl -L -X POST 'https://<idp-domain>/realms/<some-realm>/protocol/openid-connect/token' \
--data-urlencode 'client_id=<client-id>' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=openid api' \
--data-urlencode 'username=<username>' \
--data-urlencode 'password=<user-password>' \
--data-urlencode 'totp=<totp-if-using-mfa>'

Notice the last argument passed, totp, which was not mentioned in the other answers, in case you are using multi-factor authentication.

or, if you have a service client:

curl -L -X POST 'https://<idp-domain>/realms/<some-realm>/protocol/openid-connect/token' \
--data-urlencode 'client_id=<client-id>' \
--data-urlencode 'client_secret=<client-secret>' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=<scope>'

Mohammed Noureldin