stackoom
  简体   繁体   中英

403 during user creation using keycloak-admin-client

 原文  2019-11-12 12:31:11       java/ keycloak

Question

I am trying to create a new user with java-admin-client. I created a new client in my realm using keycloak UI.

Client:

access type: confidential

roles: view-users, view-realm, view-clients, manage-users (these roles are just added by name in keycloak UI)

Code:

final Keycloak keycloak = KeycloakBuilder.builder()
    .serverUrl("https://{keycloakurl}/auth")
    .realm(realm)
    .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
    .clientId("client")
    .clientSecret("uuidSecret")
    .build();

final UserRepresentation user = new UserRepresentation();
user.setEnabled(true);
user.setUsername("test");
user.setFirstName("test1");
user.setLastName("test2");
user.setEmail("test@test.com");
user.setAttributes(Collections.singletonMap("origin", Arrays.asList("demo")));

final RealmResource realmResource = keycloak.realm(realm);
final UsersResource userResource = realmResource.users();

final Response response = userResource.create(user);

The last line is giving me 403 Forbidden.

1 answers

solution1
 1 ACCPTED  2019-11-12 17:10:34

I think 403 as you have no role 'manage-users'. Add to your user fro 'realm-management' client, inside your realm.

We created one service-account user, just to query users by uuid. These three files does that, plus properties from application.properties. Update code and try what you wanted

@EnableOAuth2Client
@Configuration
public class KeycloakConfiguration {

//  token-service-uri=https://keycloak.internal/auth/realms/some-realm/protocol/openid-connect/token
//  admin-query.client-id=client
//  admin-query.username=service-account
//  admin-query.password=password
//  admin-query.admin-base-url=https://keycloak.internal/auth/admin/realms/realm

@Value("${token-service-uri}")
private String tokenServiceUri;

@Value("${admin-query.client-id}")
private String clientId;

@Value("${keycloak.credentials.secret}")
private String clientSecret;

@Value("${admin-query.username}")
private String username;

@Value("${admin-query.password}")
private String password;


private final String grantType = "password";


@Bean
public OAuth2ProtectedResourceDetails cryptoKeycloakResourceDetails() {

    ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
    details.setAccessTokenUri(tokenServiceUri);
    details.setClientId(clientId);
    details.setClientSecret(clientSecret);
    details.setGrantType(grantType);
    details.setUsername(username);
    details.setPassword(password);

    return details;
}


@Bean
public OAuth2RestTemplate cryptoKeycloakRestTemplate(OAuth2ClientContext clientContext) throws Exception {

    // build template with custom SSL TrustStrategy

    TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
    SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
            .loadTrustMaterial(null, acceptingTrustStrategy)
            .build();
    SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);

    CloseableHttpClient httpClient = HttpClients.custom()
            .setSSLSocketFactory(csf)
            .build();

    HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
    requestFactory.setHttpClient(httpClient);

    AuthorizationCodeAccessTokenProvider authCodeAccessTokenProvider = new AuthorizationCodeAccessTokenProvider();
    authCodeAccessTokenProvider.setRequestFactory(requestFactory);

    ImplicitAccessTokenProvider implicitAccessTokenProvider = new ImplicitAccessTokenProvider();
    implicitAccessTokenProvider.setRequestFactory(requestFactory);

    ResourceOwnerPasswordAccessTokenProvider resourceOwnerTokenProvider = new ResourceOwnerPasswordAccessTokenProvider();
    resourceOwnerTokenProvider.setRequestFactory(requestFactory);

    ClientCredentialsAccessTokenProvider clientCredentialsTokenProvider = new ClientCredentialsAccessTokenProvider();

    AccessTokenProvider accessTokenProvider = new AccessTokenProviderChain(
            Arrays.<AccessTokenProvider> asList(authCodeAccessTokenProvider, implicitAccessTokenProvider,
                    resourceOwnerTokenProvider, clientCredentialsTokenProvider));

    AccessTokenRequest request = new DefaultAccessTokenRequest();
    OAuth2RestTemplate template = new OAuth2RestTemplate(cryptoKeycloakResourceDetails(), new DefaultOAuth2ClientContext(request));
    template.setAccessTokenProvider(accessTokenProvider);
    template.setRequestFactory(requestFactory);
    return template;
}
}



import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.stereotype.Service;
import org.springframework.web.client.HttpClientErrorException;

import java.util.HashMap;
import java.util.Map;

@Service
@Slf4j
public class KeycloakAdminQueryService {

@Autowired
private OAuth2RestOperations cryptoKeycloakRestTemplate;

@Value("${admin-query.admin-base-url}")
private String keycloakAdminQueryBaseUrl;

public KeycloakUserProfile getUserProfile(final String userId) 
        throws UserProfileNotFoundException {

    Map<String,Object> uriVars = new HashMap<String,Object>();
    uriVars.put("userId", userId);

    try {
        ResponseEntity<KeycloakUserProfile> response = cryptoKeycloakRestTemplate.getForEntity(
                keycloakAdminQueryBaseUrl + "/users/{userId}", KeycloakUserProfile.class, uriVars);
        return response.getBody();

    } catch (HttpClientErrorException e) {
        if (e.getStatusCode() == HttpStatus.NOT_FOUND) {
            throw new UserProfileNotFoundException("Keycloak could not find user: " + userId, e);
        } else {
            throw e;
        }
    } 
}
}



@Data
public class KeycloakUserProfile {

private String id;
private String createdTimestamp;
private String username;
private boolean enabled;
private boolean totp;
private boolean emailVerified;
private String firstName;
private String lastName;
private String email;
private List<String> disableableCredentialTypes;
private List<String> requiredActions;
private int notBefore;
private Access access;


@Data
public static class Access {
    private boolean manageGroupMembership;
    private boolean view;
    private boolean mapRoles;
    private boolean impersonate;
    private boolean manage;
}

}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Cannot create user in Keycloak with keycloak-admin-client Keycloak-admin-client - turn off logging Failed adding user by keycloak-admin-client to Keycloak due to “unknown resource” Keycloak-admin-client always returns null in springboot keycloak-admin-client integration with Payara: RestEasy Exception Keycloak-Admin-Client in a JPMS/Jigsaw Java 11 Maven application - Dependency Problems Displaying a User Email using keycloak Admin Client not working(UnrecognizedPropertyException) Create user in keycloak through keycloak admin client returns 400 Create user in keycloak through keycloak admin client returns IllegalArgumentException create user programmatically using keycloak admin client for a client that has acces-type public
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM