Keycloak admin java client - the problem with getting token as client.


Yuriy Petrov

Apr 28, 2020, 2:25:06 PM
to Keycloak User
Hello all,

I use Keycloak 6.0.1 and ran into the issue with tokens.

If I run the code
    // valid-* stand for the real values
    Keycloak kc = KeycloakBuilder.builder()
        .serverUrl(valid-server-url)
        .realm(valid-realm)
        .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
        .clientId(valid-client)
        .clientSecret(valid-secret)
        .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
        .build();
    AccessTokenResponse at1 = kc.tokenManager().grantToken();

the received at1 object has token null.


But if I connect to keycloak as user (not as client as shown above) and try to get token
    // valid-* stand for the real values
    Keycloak kc2 = KeycloakBuilder.builder()
        .serverUrl(valid-server-url)
        .realm(valid-realm)
        .grantType(OAuth2Constants.PASSWORD)
        .username(valid-username)
        .password(valid-password)
        .clientId(valid-client)
        .clientSecret(valid-secret)
        .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
        .build();
    AccessTokenResponse at0 = kc2.tokenManager().grantToken();

then the token object at0 has all goodies in it.

In both snippets url, realm, client and secret are the same.

The thing is that I _must_ connect to Keycloak as client.

Can anybody tell me what I'm doing wrong in the first snippet?

Thanks,
Yuriy 



Łukasz Dywicki

Apr 28, 2020, 6:54:47 PM
to Keycloak User
If I'm not mistaken then client credentials flow must be explicitly
enabled (Service Accounts Enabled).

https://www.keycloak.org/docs/6.0/server_admin/#_service_accounts

Best,
Łukasz
--
Code-House
http://code-house.org/



Yuriy Petrov

Apr 28, 2020, 7:14:06 PM
to Keycloak User
They are. I can obtain access token as client using Postman and the same set of parameters.

Moreover, I ran my code in eclipse debugger and clearly saw that Keycloak sends meaningful response json. But I've failed to localize where the data are lost. Some extractor just doesn't read the response entity, but why?...

Regards,
Yuriy
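
Added example, not part of the original thread and not Keycloak project code: a Java 11 check that requests a client_credentials token straight from the realm's token endpoint, bypassing keycloak-admin-client, so a server-side refusal (for instance Service Accounts not enabled) can be told apart from a response the client library fails to read. The class name, the argument order (server URL, realm, client id) and the KC_CLIENT_SECRET environment variable are assumptions.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ClientCredentialsCheck {
    // Assumption: serverUrl is the value given to KeycloakBuilder.serverUrl(), ending in /auth on Keycloak 6.x.
    static URI tokenEndpoint(String serverUrl, String realm) {
        return URI.create(serverUrl.replaceAll("/+$", "") + "/realms/" + realm + "/protocol/openid-connect/token");
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    static String formBody(String clientId, String clientSecret) {
        return "grant_type=client_credentials&client_id=" + enc(clientId) + "&client_secret=" + enc(clientSecret);
    }

    // Returns the access token, or fails loudly instead of handing back null.
    static String extractAccessToken(int status, String body) {
        if (status != 200) { // OAuth error bodies carry no token, so they are safe to show
            throw new IllegalStateException("HTTP " + status + ": " + body);
        }
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(body);
        if (!m.find()) throw new IllegalStateException("HTTP 200 but no access_token field");
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) { // offline self-check on a constructed response
            String sample = "{\"access_token\":\"constructed.sample.token\",\"expires_in\":300}";
            System.out.println("parsed: " + extractAccessToken(200, sample));
            return;
        }
        // Hypothetical variable name; reading it from the environment keeps the secret off the command line.
        String secret = System.getenv("KC_CLIENT_SECRET");
        if (secret == null) throw new IllegalStateException("KC_CLIENT_SECRET is not set");
        HttpRequest req = HttpRequest.newBuilder(tokenEndpoint(args[0], args[1]))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(formBody(args[2], secret)))
            .build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        String token = extractAccessToken(resp.statusCode(), resp.body());
        System.out.println("token received, length " + token.length()); // never log the token itself
    }
}
```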



Martin Kanis

May 4, 2020, 9:34:23 AM
to Yuriy Petrov, Keycloak User
Hi,

If you are able to obtain an access token as a client using the Podman but not using the keycloak-admin-client (with the same parameters), then this sounds like missing functionality or bug in keycloak-admin-client. 

I'm not able to tell more without a deeper look into keycloak-admin-client. Unless someone else knows more I recommend to create a Jira with steps to reproduce. 

Thanks,

Martin


Yuriy Petrov

May 4, 2020, 1:43:08 PM
to Keycloak User
I don't think it's worth it. I've tried my code with 9.0.0 (we use 6.0.1) - the problem is gone. I'll try to convince the team to upgrade Keycloak in our project.

