Interrogating Keycloak by code

I followed this and logged in with my “app client”:
https://developers.redhat.com/blog/2020/01/29/api-login-and-jwt-token-generation-using-keycloak/

I now have an access_token from Keycloak which I hope I can use to progress the Use Case:
to obtain a list of users.
select a user from the list and remove one role and add another

Please can you advise:

  1. is there a better URL to “just” get a Token I can use… as this call is a login for the user; but I just need a token for the “app-client”?

  2. what do I need to set up in the “Keycloak UI” for the “app-client” user to allow me to access a list of users (e.g. I have set “Full Scope Allowed” for JEDI/Superuser access to the Realm?)?

  3. What is the URL to use to find all the users?

  4. Once I have selected a user, what is the URL to then remove the role?

  5. what is the URL to then add the new role?

    import java.io.BufferedReader;
    import java.io.DataOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.net.URLEncoder;
    import java.nio.charset.StandardCharsets;
    import javax.json.Json;
    import javax.json.JsonObject;
    import javax.json.JsonReader;
    import com.fasterxml.jackson.databind.ObjectMapper;

    // environmentService and logger are fields of the enclosing class (not shown here).
    public JsonObject getToken() throws IOException {

        String keycloakServerURL = environmentService.getEnvironmentVariable(EnvironmentService.KEYCLOAK_SERVER);

        URL url = new URL(keycloakServerURL + "/auth/realms/XXXX/protocol/openid-connect/token");
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

        // Resource Owner Password grant. Form values must be URL-encoded
        // (the '@' in the username, or any '&' / '=' in the secret or password).
        String body = "client_id=" + URLEncoder.encode("xxxxxx-app-client", StandardCharsets.UTF_8)
                + "&grant_type=password"
                + "&client_secret=" + URLEncoder.encode("xxxxxx-xxxxxxx-xxxxx-xxxxxxxx", StandardCharsets.UTF_8)
                + "&scope=openid"
                + "&username=" + URLEncoder.encode("bob@xxxxxx.xx", StandardCharsets.UTF_8)
                + "&password=" + URLEncoder.encode("password", StandardCharsets.UTF_8);

        /* Payload support */
        con.setDoOutput(true);
        try (DataOutputStream out = new DataOutputStream(con.getOutputStream())) {
            out.writeBytes(body);
            out.flush();
        }

        int status = con.getResponseCode();
        // On 4xx/5xx getInputStream() throws; Keycloak's error JSON
        // ({"error":"invalid_grant", ...}) is on the error stream instead.
        InputStream stream = status < 400 ? con.getInputStream() : con.getErrorStream();
        JsonObject responseAsJson;
        try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8));
             JsonReader jsonReader = Json.createReader(in)) {
            responseAsJson = jsonReader.readObject();
        }
        con.disconnect();

        logger.info("Response status: " + status);

        // Pretty print of the response. Jackson does not understand javax.json values
        // directly, so re-parse the JSON text first. The response holds access_token and
        // refresh_token, so keep this log line out of production.
        ObjectMapper objectMapper = new ObjectMapper();
        String jsonString = objectMapper.writerWithDefaultPrettyPrinter()
                .writeValueAsString(objectMapper.readTree(responseAsJson.toString()));
        logger.info("Response: " + jsonString);

        return responseAsJson;
    }
    

Getting details from the token:

    URL url = new URL(keycloakServerURL + "/auth/realms/XXXXXXX/protocol/openid-connect/token/introspect");

    out.writeBytes("client_id=txxxxxx-app-client"
            + "&client_secret=fe7e0c2e-9a18-48a8-81b0-3a560543f75c"
            + "&token=" + accessTokenFromUserToken);

The Client Credentials Grant allows an application to request an Access Token using its Client Id and Client Secret. It is used for non interactive applications (a CLI, a daemon, or a Service running on your backend) where the token is issued to the application itself, instead of an end user.

Ref:

See: Server Administration Guide - Client Credentials Grant

It’s a Bearer token, so it goes in the HTTP Authorization header:

    const authReq = req.clone({ setHeaders: { Authorization: 'Bearer ' + accessToken } });
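The following is an added example, not the poster's code, that walks the whole use case with the Client Credentials grant described above: a token for the client itself (no user password), then the Admin REST API to list users and to remove and add a realm role. It assumes the client is confidential with "Service Accounts Enabled" turned on, that the client's service-account user has been given the `realm-management` client roles `view-users` and `manage-users` (that is the permission question; "Full Scope Allowed" only decides which of the account's roles are copied into the token, it grants nothing by itself), and a Keycloak that still serves under the `/auth` prefix as in the post's URLs (Keycloak 17+ on Quarkus drops that prefix by default). The server URL, realm, client id, environment variable names and the `KeycloakAdminExample` class are placeholders chosen for illustration.

```java
import java.io.StringReader;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;

/** Service-account access to the Keycloak Admin REST API (illustrative settings, see lead-in). */
public class KeycloakAdminExample {
    // Placeholder configuration: replace with your own values.
    static final String BASE = System.getenv().getOrDefault("KEYCLOAK_SERVER", "https://keycloak.example.com");
    static final String REALM = "XXXX";
    static final String CLIENT_ID = "xxxxxx-app-client";
    static final String CLIENT_SECRET = System.getenv("KEYCLOAK_CLIENT_SECRET"); // read from the environment, never hard-code

    static final HttpClient http = HttpClient.newHttpClient();

    /** Builds an application/x-www-form-urlencoded body from key/value pairs. */
    static String form(String... kv) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < kv.length; i += 2) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(kv[i], StandardCharsets.UTF_8)).append('=')
              .append(URLEncoder.encode(kv[i + 1], StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /** Client Credentials grant: the token is issued to the application, no user name or password involved. */
    static String serviceAccountToken() throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(BASE + "/auth/realms/" + REALM + "/protocol/openid-connect/token"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form(
                        "grant_type", "client_credentials", "client_id", CLIENT_ID, "client_secret", CLIENT_SECRET)))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException("token request failed: " + resp.statusCode() + " " + resp.body());
        // Deliberately not logged: the body contains the bearer token.
        return Json.createReader(new StringReader(resp.body())).readObject().getString("access_token");
    }

    /** One Admin REST call under /auth/admin/realms/{realm}; the token goes in the Authorization header. */
    static HttpResponse<String> admin(String token, String method, String path, String jsonBody) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(BASE + "/auth/admin/realms/" + REALM + path))
                .header("Authorization", "Bearer " + token)
                .header("Content-Type", "application/json")
                .method(method, jsonBody == null ? HttpRequest.BodyPublishers.noBody()
                                                 : HttpRequest.BodyPublishers.ofString(jsonBody))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        // 401 means the token is bad; 403 means the service account lacks view-users / manage-users.
        if (resp.statusCode() / 100 != 2) throw new IllegalStateException(method + " " + path + " -> " + resp.statusCode() + " " + resp.body());
        return resp;
    }

    /** GET /users, paged with first/max so a large realm does not come back in one response. */
    static JsonArray listUsers(String token, int first, int max) throws Exception {
        String body = admin(token, "GET", "/users?first=" + first + "&max=" + max, null).body();
        return Json.createReader(new StringReader(body)).readArray();
    }

    /** Role-mapping endpoints take a JSON array of role representations; id and name are sufficient. */
    static String roleArray(String token, String roleName) throws Exception {
        String encoded = URLEncoder.encode(roleName, StandardCharsets.UTF_8).replace("+", "%20"); // path segment, not a form field
        JsonObject role = Json.createReader(new StringReader(admin(token, "GET", "/roles/" + encoded, null).body())).readObject();
        return Json.createArrayBuilder()
                .add(Json.createObjectBuilder().add("id", role.getString("id")).add("name", role.getString("name")))
                .build().toString();
    }

    /** DELETE /users/{id}/role-mappings/realm with the role in the body (204 on success). */
    static void removeRealmRole(String token, String userId, String roleName) throws Exception {
        admin(token, "DELETE", "/users/" + userId + "/role-mappings/realm", roleArray(token, roleName));
    }

    /** POST /users/{id}/role-mappings/realm with the role in the body (204 on success). */
    static void addRealmRole(String token, String userId, String roleName) throws Exception {
        admin(token, "POST", "/users/" + userId + "/role-mappings/realm", roleArray(token, roleName));
    }

    /** Usage: java KeycloakAdminExample [userId oldRole newRole] */
    public static void main(String[] args) throws Exception {
        String token = serviceAccountToken();
        for (JsonObject u : listUsers(token, 0, 50).getValuesAs(JsonObject.class)) {
            System.out.println(u.getString("id") + "  " + u.getString("username"));
        }
        if (args.length == 3) {
            removeRealmRole(token, args[0], args[1]);
            addRealmRole(token, args[0], args[2]);
        }
    }
}
```

Two practical notes: keep the service account's roles to the minimum the job needs (`view-users` plus `manage-users` here, not `realm-admin`), because whoever obtains the client secret gets exactly those rights; and the user-facing `password` grant from the original post is not needed for any of this, which answers the first question.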