Interrogating Keycloak by code

I followed this and logged in my “app client”

I now have an access_token from Keycloak which I hope I can use to progress the Use Case:

  1. to obtain a list of users.
  2. select a user from the list and remove one role and add another

Please can you advise:

  1. Is there a better URL to “just” get a Token I can use… as this call is a login for the user; but I just need a token for the “app-client”?

  2. What do I need to set up in the “Keycloak UI” for the “app-client” user to allow me to access a list of users (e.g. I have set “Full Scope Allowed” for JEDI/Superuser access to the Realm?)?

  3. What is the URL to use to find all the users?

  4. Once I have selected a user, what is the URL to then remove the role?

  5. What is the URL to then add the new role?

     public JsonObject getToken() throws IOException {
         String keycloakServerURL = environmentService.getEnvironmentVariable(EnvironmentService.KEYCLOAK_SERVER);
         URL url = new URL(keycloakServerURL + "/auth/realms/XXXX/protocol/openid-connect/token");
         HttpURLConnection con = (HttpURLConnection) url.openConnection();
         con.setRequestMethod("POST");
         con.setDoOutput(true); // must be set before getOutputStream() is called
         con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
         /* Payload support */
         try (DataOutputStream out = new DataOutputStream(con.getOutputStream())) {
             // the URL-encoded form parameters are written here (not shown)
             out.flush();
         }
         int status = con.getResponseCode();
         JsonObject responesAsJson;
         try (BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
              JsonReader jsonReader = Json.createReader(in)) {
             responesAsJson = jsonReader.readObject();
         }
         // Pretty Print of String
         ObjectMapper objectMapper = new ObjectMapper();
         String jSonstring = objectMapper.writerWithDefaultPrettyPrinter().writeValueAsString(responesAsJson);
         System.out.println("Response: " + jSonstring);
         // Pretty Print of String
         System.out.println("Response status: " + status);
         String contentString = responesAsJson.toString();
         System.out.println("Response: " + contentString);
         return responesAsJson;
     }

getting details from the Token:

URL url = new URL(keycloakServerURL + "/auth/realms/XXXXXXX/protocol/openid-connect/token/introspect");

			+ "&client_secret=fe7e0c2e-9a18-48a8-81b0-3a560543f75c"
			+ "&token="+accessTokenFromUserToken);

The Client Credentials Grant allows an application to request an Access Token using its Client Id and Client Secret. It is used for non-interactive applications (a CLI, a daemon, or a Service running on your backend) where the token is issued to the application itself, instead of an end user.


See: Server Administration Guide - Client Credentials Grant

It’s a Bearer token so it goes in the HTTP header:

const authReq = req.clone({ setHeaders: { Authorization: 'Bearer ' + accessToken } });
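
The two answers above put together in Java, as an added example that is not code from the thread: a client credentials token request for the client itself, followed by a call to the Keycloak Admin REST API user list with the token in a Bearer header. The host name, the `app-client` client id, the `KEYCLOAK_CLIENT_SECRET` environment variable and the class name are assumptions; the `/auth` prefix follows the URLs in the question.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.*;

public class ServiceAccountCall {
    // Assumed placeholders: server, realm and client id; set them for your setup.
    static final String SERVER = "https://keycloak.example.com", REALM = "XXXX", CLIENT = "app-client";

    // Client credentials grant: the token is issued to the client itself, no user login.
    static HttpRequest tokenRequest(String clientSecret) {
        String form = "grant_type=client_credentials&client_id=" + CLIENT
                + "&client_secret=" + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
        return HttpRequest.newBuilder(
                URI.create(SERVER + "/auth/realms/" + REALM + "/protocol/openid-connect/token"))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
    }

    // Admin REST API user list, with the token sent as a Bearer header.
    static HttpRequest listUsersRequest(String accessToken) {
        return HttpRequest.newBuilder(URI.create(SERVER + "/auth/admin/realms/" + REALM + "/users"))
            .header("Authorization", "Bearer " + accessToken).GET().build();
    }

    // Minimal extraction for this example; use a JSON parser in production code.
    static String accessTokenFrom(String json) {
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("no access_token in response");
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        String secret = System.getenv("KEYCLOAK_CLIENT_SECRET"); // keep the secret out of source
        if (secret == null) { // offline dry run on a constructed token response
            String sample = "{\"access_token\":\"constructed.sample.token\",\"token_type\":\"Bearer\"}";
            HttpRequest r = listUsersRequest(accessTokenFrom(sample));
            System.out.println("POST " + tokenRequest("placeholder").uri());
            System.out.println(r.method() + " " + r.uri() + " " + r.headers().map());
            return;
        }
        HttpClient http = HttpClient.newHttpClient();
        HttpResponse<String> tok = http.send(tokenRequest(secret), HttpResponse.BodyHandlers.ofString());
        if (tok.statusCode() != 200) throw new IllegalStateException("token request: HTTP " + tok.statusCode());
        HttpResponse<String> users = http.send(
                listUsersRequest(accessTokenFrom(tok.body())), HttpResponse.BodyHandlers.ofString());
        System.out.println(users.statusCode() + " " + users.body());
    }
}
```

The client has to be confidential with service accounts enabled; a 403 from the user list means its service account lacks a role that permits viewing users (in Keycloak, `view-users` on the `realm-management` client).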