Enable account-api in docker

Hello together,

I’d like to enable and use the account-api feature of Keycloak, but I have problems enabling it. If I try to GET http://localhost:8080/auth/realms/master/account, the following error is returned:

{
    "error": "RESTEASY003210: Could not find resource for full path: http://localhost:8080/auth/realms/master/account"
}

I am using the following Docker container to run Keycloak.

keycloak:
    image: 'quay.io/keycloak/keycloak:17.0.0'
    command: start-dev --hostname-strict false
    links:
      - "db:db"
    environment:
      KC_DB: 'postgres'
      KC_FEATURES: 'account-api'
      KC_FEATURES_ACCOUNT_API: 'enabled'
      #KC_DB_SCHEMA: 'keycloak'

Do you have any idea what I am missing? Is there a way to list all enabled features?

Best regards,
Dominik

Most likely: “Using curl or POSTMAN results in Could not find resource for full path” (#2 by dasniko)


Thank you Niko, you were right. Is there any documentation about the account API? I want to change the current user’s password via a REST API call from my own application. The only thing I found was this blog post: Using the Keycloak Accounts Management API | Marcus Povey (marcus-povey.co.uk)

But the POST on account/credentials/password always runs into a 405.

Modifying the credentials via REST API is not supported due to security reasons.
The user is only allowed to change their credentials themselves using the secure IdP (Keycloak) UI. Otherwise you are creating a man-in-the-middle scenario, which is most likely not what you want.
Generally, users should only enter their credentials on the secure server UI - the IdP, Keycloak.


I expected this :confused:
So I am implementing Keycloak for a legacy application which authenticates via password grant. It already has a user profile page where the user should be able to change her/his password. Also, the users should be forced to change the password after first login. Sounds like we cannot use password grant at all if we want to achieve this, right?

ROPC (aka “Direct Access Grant” or “Password Grant”) is deprecated and MUST NOT be used, according to draft-ietf-oauth-security-topics-18.
It’s highly insecure.

Using new systems and tools always brings the chance (or need) to change your environment to a more secure one. Never think in terms of “it should be exactly like it is/was”. If so, you don’t have the need to change anything.


Thank you for the clarification :slight_smile: I’ll discuss this with my stakeholders.

Hi dasniko, I want to get linked-accounts with Postman, but it returns the same error. In the IdP (Keycloak) UI it is OK; do we have to access it in the IdP (Keycloak) UI?
The URL is: http://localhost:8080/realms/smsb/account/linked-accounts, and I saw a test case using http://localhost:8080/auth/realms/smsb/account/linked-accounts.