Error 400 when trying to reset user password on Red Hat SSO 7.3 (Keycloak) with Java API

I’m trying to create a user with a temporary password on Red Hat Single Sign On 7.3 (Keycloak behind the scenes) through the Java API.

Locally (with standard Keycloak, jboss/keycloak:9.0.0 Docker image), it is working fine. But when deploying the same thing on an Openshift 4.4 project, I get a 400 error from Red Hat SSO (7.3). Unfortunately, I do not have much in the logs and I have no possibility to configure anything on the Red Hat SSO server to make it more verbose.

On the Red Hat SSO server, a dedicated “keycloak-admin” client has been created in the application realm. The client is enabled with only the “Service Accounts Enabled” option set to ON. In “Service Account Roles”, all roles from “realm-management” have been assigned and are effective.

I’m using this Maven dependency to deal with the Keycloak Java API:

<dependency>
   <groupId>org.keycloak</groupId>
   <artifactId>keycloak-admin-client</artifactId>
   <version>9.0.0</version>
</dependency>

Here is how I create the connection to Keycloak through Java code:

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;

// Admin client authenticated with the service account of the "keycloak-admin" client
// (client_credentials grant), scoped to the application realm.
Keycloak keycloak = KeycloakBuilder.builder()
            .serverUrl(keycloakProperties.getHost())
            .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
            .realm("app_realm")
            .clientId("keycloak-admin")
            .clientSecret("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx") // placeholder, real secret read from configuration
            .resteasyClient(
                new ResteasyClientBuilder()
                    .connectionPoolSize(10).build()
            ).build();
// Forces the token request now, so authentication problems surface before the first admin call.
keycloak.tokenManager().getAccessToken();
RealmResource realmResource = keycloak.realm("app_realm");

The client secret that is set matches the secret of the “keycloak-admin” client in the “Credentials” tab.

Here is how I create the user through Java code:

import javax.ws.rs.core.Response;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.representations.idm.UserRepresentation;

final UserRepresentation user = new UserRepresentation();
user.setEnabled(true);
user.setEmailVerified(true);
user.setUsername(username);
user.setFirstName(firstName);
user.setLastName(lastName);
user.setEmail(email);

String userId = null; // declared outside the try so it can be used for the password reset below
Response response = null;
try {
   // POST /admin/realms/app_realm/users ; expected status 201 with the new id in the Location header
   response = realmResource.users().create(user);
   userId = CreatedResponseUtil.getCreatedId(response);
} catch (final Exception exception) {
   log.error("Exception when createKeycloakUser", exception);
} finally {
   if (response != null) {
      response.close(); // release the underlying HTTP connection back to the pool
   }
}

This part works fine locally and also on Red Hat SSO. The user is created and can be retrieved in Keycloak.

Then I try to reset the password like this:

import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.CredentialRepresentation;

final UserResource userResource = realmResource.users().get(userId);

// Temporary password: the user is forced to change it at first login.
final CredentialRepresentation passwordCred = new CredentialRepresentation();
passwordCred.setTemporary(true);
passwordCred.setType(CredentialRepresentation.PASSWORD);
passwordCred.setValue(generateRandomPassword());
// PUT /admin/realms/app_realm/users/{userId}/reset-password ; this is the call that returns 400 on RH-SSO
userResource.resetPassword(passwordCred);

generateRandomPassword is a method generating a random password that matches the password policies defined on the local Keycloak and on Red Hat SSO (Authentication / Password Policy).

This last part of the code works fine locally, but I get the 400 error on Red Hat SSO.

For your information, I also tried to create the user with the password directly, but the behavior is exactly the same. I also tried connecting to Keycloak using the “admin-cli” client and the admin account, but the issue remains.

Thanks in advance for any help or advice you could provide! I’m stuck on that and have no more ideas for now…

For your information, the same question was raised on Stack Overflow here: https://stackoverflow.com/questions/65463509/error-400-when-trying-to-reset-user-password-on-red-hat-sso-7-3-keycloak-with
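Editor's note, added example (not code from the post above): a bare "400" from the admin client hides the one thing that identifies the cause, the JSON error body the server sends with it. The RESTEasy proxy behind keycloak-admin-client throws a javax.ws.rs.WebApplicationException (BadRequestException for 400) whose response entity is still readable, so the reset call can be wrapped to rethrow with the status and body. For a password-policy violation Keycloak answers with an ErrorRepresentation body (an "errorMessage" field); a body that instead complains about the request itself points at a client/server mismatch, which is worth checking here since Red Hat SSO 7.3 is built on the Keycloak 4.8 codebase while the post uses the 9.0.0 admin client. The class name PasswordResetDiagnostics and the method names are mine; userResource is the UserResource obtained as in the post, and the dependency is the same keycloak-admin-client 9.0.0.

```java
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.CredentialRepresentation;

// Added example (editor's code, not from the original post): wraps resetPassword so that a
// 4xx/5xx from Keycloak / Red Hat SSO surfaces the server's error body, not just a status code.
public final class PasswordResetDiagnostics {

    private PasswordResetDiagnostics() {
    }

    /**
     * Sets the given password through the admin REST API
     * (PUT /admin/realms/{realm}/users/{id}/reset-password).
     * On an error status, rethrows with the HTTP status and the response body so the
     * log shows the server's reason (policy violation, unparseable request, ...).
     */
    public static void resetPasswordOrExplain(UserResource userResource,
                                              String newPassword,
                                              boolean temporary) {
        CredentialRepresentation cred = new CredentialRepresentation();
        cred.setType(CredentialRepresentation.PASSWORD);
        cred.setValue(newPassword);
        cred.setTemporary(temporary);
        try {
            userResource.resetPassword(cred);
        } catch (WebApplicationException e) {
            // RESTEasy maps 400 to BadRequestException, a WebApplicationException carrying the response.
            Response response = e.getResponse();
            int status = response.getStatus();
            String body = readBodyQuietly(response);
            throw new IllegalStateException(
                    "reset-password failed with HTTP " + status + ": " + body, e);
        }
    }

    // Reads the error entity as text (Keycloak sends JSON such as {"errorMessage":"..."}),
    // then closes the response so the pooled connection is released.
    private static String readBodyQuietly(Response response) {
        try {
            return response.hasEntity() ? response.readEntity(String.class) : "<no body>";
        } catch (RuntimeException ex) {
            return "<unreadable body: " + ex.getMessage() + ">";
        } finally {
            response.close();
        }
    }
}
```

Usage from the post's own flow would be PasswordResetDiagnostics.resetPasswordOrExplain(realmResource.users().get(userId), generateRandomPassword(), true); the resulting exception message, rather than the bare status, is what to compare between the local Keycloak 9.0.0 and the Red Hat SSO 7.3 deployment.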