0

I want to create a client through the REST API. For that I need to pass an initial access token (generated by client registration in Keycloak) with my request.

My question here is how can I generate that initial access token through the REST API. Can anyone help?

This is the token that I'm passing with my url:

Here is the screenshot of the response when I try to get the initial access token needed for registering a client by passing a body with the params count and expiration, with the login token for admin-cli in the header:

Yaron
TJ32

2 Answers

3

With a simple GET REST-Request, you can get a token you can use for later requests

GET "grant_type=password&client_id=admin-cli&username=$USERNAME&password=$PASSWORD" "$HOST/auth/realms/$REALM/protocol/openid-connect/token"

as bash (jq must be installed):

```bash
# Get an admin bearer token (curl -d sends the form as an HTTP POST)
AUTH_RESPONSE_KC_ADMIN=$(curl --silent -d "grant_type=password&client_id=admin-cli&username=$USERNAME&password=$PASSWORD" "$HOST/auth/realms/master/protocol/openid-connect/token")
if [[ $AUTH_RESPONSE_KC_ADMIN != *"access_token"* ]]; then
  echo "No access token for keycloak admin!"
  echo "$AUTH_RESPONSE_KC_ADMIN"
  exit 1
fi
# Extract the token and build the header reused by later requests
TOKEN_KC_ADMIN=$(echo "$AUTH_RESPONSE_KC_ADMIN" | jq -r '.access_token')
AUTH_TOKEN_KC_ADMIN="Authorization: Bearer $TOKEN_KC_ADMIN"
```

But this access token is only valid for some time (depending on the Keycloak settings).

To create a client with REST:

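```bash
# Usage: create_client clientName   (SECRET must hold the client secret)
# CONTENT_TYPE was not defined in the original snippet; JSON is assumed here.
CONTENT_TYPE="Content-Type: application/json"
function create_client {
  # redirectUris ["*"] accepts any redirect target; list exact URIs outside of testing.
  CLIENT='{"enabled":true,"attributes":{},"redirectUris":["*"],"clientId":"'$1'","protocol":"openid-connect","secret":"'$SECRET'","clientAuthenticatorType":"client-secret","publicClient":false}'
  # Print only the HTTP status line of the response
  curl -i --silent -d "$CLIENT" -H "$AUTH_TOKEN_KC_ADMIN" -H "$CONTENT_TYPE" "$HOST/auth/admin/realms/$REALM/clients" | head -1
}
```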
Julian Egner
  • I want to create a client through the client registration service in Keycloak. – TJ32 Nov 22 '19 at 11:48
  • For that I need to get an initial access token. I found the URL from the Keycloak documentation. The URL that I have passed is .... /auth/admin/realms/master/clients-initial-access... The body is { "count": 5, "expiration": 10 } – TJ32 Nov 22 '19 at 11:51
  • I am also passing the login token as a header with the request .... but the response is 403 unknown error.... Can you please help? – TJ32 Nov 22 '19 at 11:53
  • Maybe this helps? https://stackoverflow.com/questions/46470477/how-to-get-keycloak-users-via-rest-without-admin-account?rq=1 – Julian Egner Nov 22 '19 at 12:09
  • No, it didn't work ... I have added the screenshot of the response with the question .... Hope it will be useful for you to understand my problem – TJ32 Nov 25 '19 at 10:24
  • You are sending a GET request. Shouldn't it be a POST? https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_client_initial_access_resource – Julian Egner Nov 25 '19 at 15:15
0

In order to get the initial access token for client registration, first we need to set the client role of admin-cli as realm-{name} and select client-create from it. Then get the admin bearer token for admin-cli and pass it along with the URL for the initial access token.

TJ32
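
The flow discussed in this thread, as an added example that is not part of either answer: POST the `count`/`expiration` body to `clients-initial-access` with the admin bearer token, then present the returned token to the client registration service. The `clients-registrations/default` path, the `.token` response field, and the `HOST`, `REALM` and function names are assumptions not shown on the page; curl and jq are required.

```shell
# Added example (not from the answers). HOST, REALM and all function names
# are assumptions; the /auth base path matches the URLs quoted on this page.

# Build the request body. $1 = count (clients the token may register),
# $2 = expiration (token lifetime in seconds). Rejects non-integers.
iat_body() {
  for n in "$1" "$2"; do
    case "$n" in
      ''|*[!0-9]*|0?*) echo "count/expiration must be plain integers" >&2; return 1 ;;
    esac
  done
  printf '{"count": %s, "expiration": %s}' "$1" "$2"
}

# Create an initial access token. $1 = admin bearer token, $2 = count,
# $3 = expiration. The resource expects POST; prints the token on stdout.
# jq -e makes the call fail when the response carries no token (e.g. a 403).
create_iat() (
  body=$(iat_body "$2" "$3") || exit 1
  curl --silent --fail -X POST \
    -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
    -d "$body" "$HOST/auth/admin/realms/$REALM/clients-initial-access" |
    jq -er '.token'
)

# Register a client with the initial access token instead of admin rights.
# $1 = initial access token, $2 = clientId. jq builds the JSON so that the
# client name is escaped correctly.
register_client() (
  curl --silent --fail -X POST \
    -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
    -d "$(jq -n --arg id "$2" '{clientId: $id}')" \
    "$HOST/auth/realms/$REALM/clients-registrations/default"
)

# Usage (TOKEN_KC_ADMIN obtained as in the first answer):
#   IAT=$(create_iat "$TOKEN_KC_ADMIN" 5 10)
#   register_client "$IAT" my-client
```

Keep `count` and `expiration` as small as the provisioning job allows, since anyone holding the initial access token can register clients until it is used up or expires.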