![](/img/trans.png)
[英]Cannot create user in Keycloak with keycloak-admin-client
[英]403 during user creation using keycloak-admin-client
我正在嘗試使用 java-admin-client 創建一個新用戶。 我使用 keycloak UI 在我的 realm 中創建了一個新客戶端。
客戶:
訪問類型:機密
角色:view-users、view-realm、view-clients、manage-users(這些角色只是在 keycloak UI 中按名稱添加)
代碼:
final Keycloak keycloak = KeycloakBuilder.builder()
.serverUrl("https://{keycloakurl}/auth")
.realm(realm)
.grantType(OAuth2Constants.CLIENT_CREDENTIALS)
.clientId("client")
.clientSecret("uuidSecret")
.build();
final UserRepresentation user = new UserRepresentation();
user.setEnabled(true);
user.setUsername("test");
user.setFirstName("test1");
user.setLastName("test2");
user.setEmail("test@test.com");
user.setAttributes(Collections.singletonMap("origin", Arrays.asList("demo")));
final RealmResource realmResource = keycloak.realm(realm);
final UsersResource userResource = realmResource.users();
final Response response = userResource.create(user);
最后一行是給我 403 Forbidden。
我認為 403 因為您沒有“管理用戶”角色。 在 realm 中,從“領域管理”客戶端添加到您的用戶。
我們創建了一個 service-account 用戶,只是為了通過 uuid 查詢用戶。 這三個文件以及 application.properties 中的屬性就是這樣做的。 更新代碼並嘗試您想要的
@EnableOAuth2Client
@Configuration
public class KeycloakConfiguration {
// token-service-uri=https://keycloak.internal/auth/realms/some-realm/protocol/openid-connect/token
// admin-query.client-id=client
// admin-query.username=service-account
// admin-query.password=password
// admin-query.admin-base-url=https://keycloak.internal/auth/admin/realms/realm
@Value("${token-service-uri}")
private String tokenServiceUri;
@Value("${admin-query.client-id}")
private String clientId;
@Value("${keycloak.credentials.secret}")
private String clientSecret;
@Value("${admin-query.username}")
private String username;
@Value("${admin-query.password}")
private String password;
private final String grantType = "password";
@Bean
public OAuth2ProtectedResourceDetails cryptoKeycloakResourceDetails() {
ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
details.setAccessTokenUri(tokenServiceUri);
details.setClientId(clientId);
details.setClientSecret(clientSecret);
details.setGrantType(grantType);
details.setUsername(username);
details.setPassword(password);
return details;
}
@Bean
public OAuth2RestTemplate cryptoKeycloakRestTemplate(OAuth2ClientContext clientContext) throws Exception {
// build template with custom SSL TrustStrategy
TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
.loadTrustMaterial(null, acceptingTrustStrategy)
.build();
SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
CloseableHttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(csf)
.build();
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
requestFactory.setHttpClient(httpClient);
AuthorizationCodeAccessTokenProvider authCodeAccessTokenProvider = new AuthorizationCodeAccessTokenProvider();
authCodeAccessTokenProvider.setRequestFactory(requestFactory);
ImplicitAccessTokenProvider implicitAccessTokenProvider = new ImplicitAccessTokenProvider();
implicitAccessTokenProvider.setRequestFactory(requestFactory);
ResourceOwnerPasswordAccessTokenProvider resourceOwnerTokenProvider = new ResourceOwnerPasswordAccessTokenProvider();
resourceOwnerTokenProvider.setRequestFactory(requestFactory);
ClientCredentialsAccessTokenProvider clientCredentialsTokenProvider = new ClientCredentialsAccessTokenProvider();
AccessTokenProvider accessTokenProvider = new AccessTokenProviderChain(
Arrays.<AccessTokenProvider> asList(authCodeAccessTokenProvider, implicitAccessTokenProvider,
resourceOwnerTokenProvider, clientCredentialsTokenProvider));
AccessTokenRequest request = new DefaultAccessTokenRequest();
OAuth2RestTemplate template = new OAuth2RestTemplate(cryptoKeycloakResourceDetails(), new DefaultOAuth2ClientContext(request));
template.setAccessTokenProvider(accessTokenProvider);
template.setRequestFactory(requestFactory);
return template;
}
}
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.stereotype.Service;
import org.springframework.web.client.HttpClientErrorException;
import java.util.HashMap;
import java.util.Map;
@Service
@Slf4j
public class KeycloakAdminQueryService {
@Autowired
private OAuth2RestOperations cryptoKeycloakRestTemplate;
@Value("${admin-query.admin-base-url}")
private String keycloakAdminQueryBaseUrl;
public KeycloakUserProfile getUserProfile(final String userId)
throws UserProfileNotFoundException {
Map<String,Object> uriVars = new HashMap<String,Object>();
uriVars.put("userId", userId);
try {
ResponseEntity<KeycloakUserProfile> response = cryptoKeycloakRestTemplate.getForEntity(
keycloakAdminQueryBaseUrl + "/users/{userId}", KeycloakUserProfile.class, uriVars);
return response.getBody();
} catch (HttpClientErrorException e) {
if (e.getStatusCode() == HttpStatus.NOT_FOUND) {
throw new UserProfileNotFoundException("Keycloak could not find user: " + userId, e);
} else {
throw e;
}
}
}
}
@Data
public class KeycloakUserProfile {
private String id;
private String createdTimestamp;
private String username;
private boolean enabled;
private boolean totp;
private boolean emailVerified;
private String firstName;
private String lastName;
private String email;
private List<String> disableableCredentialTypes;
private List<String> requiredActions;
private int notBefore;
private Access access;
@Data
public static class Access {
private boolean manageGroupMembership;
private boolean view;
private boolean mapRoles;
private boolean impersonate;
private boolean manage;
}
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.