Hello,
I'm trying to add an endpoint for listing all active sessions of a user that should be accessible only by that user.
NOTE: Using Keycloak version 16.1.1
I'm stuck on authentication.
This is the code I'm using for development purposes to generate a user token:
```java
@GET
@Path("getUserToken")
@Produces(MediaType.APPLICATION_JSON)
public AccessTokenResponse helloAnonymous() {
    RealmModel realm = session.getContext().getRealm();
    // Look up the development user by username.
    UserModel user = session.userLocalStorage().getUsers(realm).stream()
            .filter(u -> u.getUsername().equals("testuser"))
            .findFirst()
            .get();

    // Build a minimal token: only sub, iss, iat and exp are set.
    AccessToken token = new AccessToken();
    token.subject(user.getId());
    // The base URI is ".../auth/"; appending the realm name yields ".../auth/master"
    // (this is the iss value visible in the decoded token below).
    token.issuer(session.getContext().getUri().getBaseUri() + realm.getName());
    token.issuedNow();
    token.expiration((int) (token.getIat() + 60L)); // lifetime of 60 seconds

    // Sign with the realm's active RS256 key and return it as access_token.
    KeyWrapper key = session.keys().getActiveKey(realm, KeyUse.SIG, "RS256");
    AccessTokenResponse accessTokenResponse = new AccessTokenResponse();
    accessTokenResponse.setToken(new JWSBuilder()
            .kid(key.getKid())
            .type("JWT")
            .jsonContent(token)
            .sign(new AsymmetricSignatureSignerContext(key)));
    return accessTokenResponse;
}
```
This part works OK, and as far as I can tell I'm getting what I asked for: the access/login token of user testuser.
```
curl http://localhost:9081/auth/realms/master/session-manager/getUserToken | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   697  100   697    0     0  45017      0 --:--:-- --:--:-- --:--:-- 46466
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJBNXZlUHBiZ3pTNDN4WGEwQjNwY21EUjU4cThCZjMybzZWQ1lRbjZjN0tJIn0.eyJleHAiOjE2NTgyMzYzNDMsImlhdCI6MTY1ODIzNjI4MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo5MDgxL2F1dGgvbWFzdGVyIiwic3ViIjoiYWM5Mjc4M2UtOTExYi00MTY5LWExOGMtZGRkYjk0MTMyMDI2In0.VksIEzQxP7P4ahd-vZMgpKQgDMT84_lnRYkYrq8t3yNuRsI800Wzk0oeKmWckTlUGDfSxrR-DoI6VJYemIa2vY2-KE_lagL9XYBgERDKVBZOSTgP7uAPSWn-HWaDA0eDfUq5PBnSHrZBG4rcdZ4FOdjoAtptOe4COQ6WdJPlDP0SWbdNtSBl4YCDjLVqtolLZOaIDOdfSQ4PYZ4fncmBxs9gflY2h8bA8d5Mv80iqP0nOZoaSZr2WIqWWD8odcNS7_rl6HNSJNsNJO49MUvu2NSneIl3cWebxnXbPOZZtFS8-m6UtS3U-LfS1nsCESwwixDCeiNRWLoqoewF3HerGg",
  "expires_in": 0,
  "refresh_expires_in": 0,
  "not-before-policy": 0
}
```
Now when I try using it:
```
curl --location --request GET http://localhost:9081/auth/realms/master/session-manager/getSecuredSessionList \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJBNXZlUHBiZ3pTNDN4WGEwQjNwY21EUjU4cThCZjMybzZWQ1lRbjZjN0tJIn0.eyJleHAiOjE2NTgyMzYzNDMsImlhdCI6MTY1ODIzNjI4MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo5MDgxL2F1dGgvbWFzdGVyIiwic3ViIjoiYWM5Mjc4M2UtOTExYi00MTY5LWExOGMtZGRkYjk0MTMyMDI2In0.VksIEzQxP7P4ahd-vZMgpKQgDMT84_lnRYkYrq8t3yNuRsI800Wzk0oeKmWckTlUGDfSxrR-DoI6VJYemIa2vY2-KE_lagL9XYBgERDKVBZOSTgP7uAPSWn-HWaDA0eDfUq5PBnSHrZBG4rcdZ4FOdjoAtptOe4COQ6WdJPlDP0SWbdNtSBl4YCDjLVqtolLZOaIDOdfSQ4PYZ4fncmBxs9gflY2h8bA8d5Mv80iqP0nOZoaSZr2WIqWWD8odcNS7_rl6HNSJNsNJO49MUvu2NSneIl3cWebxnXbPOZZtFS8-m6UtS3U-LfS1nsCESwwixDCeiNRWLoqoewF3HerGg" | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    33  100    33    0     0    653      0 --:--:-- --:--:-- --:--:--   660
{
  "error": "HTTP 401 Unauthorized"
}
```
This 401 originates from this method (it is located in the extension I'm working on):
```java
private AuthenticationManager.AuthResult checkAuth() {
    // Verifies the bearer token from the Authorization header against the current realm;
    // authenticate() returns null when the token fails any verification step.
    AuthenticationManager.AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
    if (auth == null) {
        throw new NotAuthorizedException("Bearer");
    } else if (auth.getToken().getIssuedFor() == null || !auth.getToken().getIssuedFor().equals("admin-cli")) {
        // getIssuedFor() reads the azp claim of the verified token.
        throw new ForbiddenException("Token is not properly issued for admin-cli");
    }
    return auth;
}
```
This means that auth is null for some reason. Why?
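As an added debugging aid (not part of the original post), the script below decodes the token printed above offline and compares its claims with what Keycloak's bearer-token verifier checks by default: the issuer must equal the realm issuer URL (base URI + `realms/` + realm), the token type must be `Bearer`, a subject must be present and the token must not be expired; it also reports the `azp` claim that `checkAuth()` reads. The base URI and realm name are taken from the curl URL in the post; the signature is deliberately not verified.

```python
import base64
import json
import time

# The access token returned by getUserToken in the post above (copied from the page).
PAGE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJBNXZlUHBiZ3pTNDN4WGEwQjNwY21EUjU4cThCZjMybzZWQ1lRbjZjN0tJIn0"
    ".eyJleHAiOjE2NTgyMzYzNDMsImlhdCI6MTY1ODIzNjI4MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo5MDgxL2F1dGgvbWFzdGVyIiwic3ViIjoiYWM5Mjc4M2UtOTExYi00MTY5LWExOGMtZGRkYjk0MTMyMDI2In0"
    ".VksIEzQxP7P4ahd-vZMgpKQgDMT84_lnRYkYrq8t3yNuRsI800Wzk0oeKmWckTlUGDfSxrR-DoI6VJYemIa2vY2-KE_lagL9XYBgERDKVBZOSTgP7uAPSWn-HWaDA0eDfUq5PBnSHrZBG4rcdZ4FOdjoAtptOe4COQ6WdJPlDP0SWbdNtSBl4YCDjLVqtolLZOaIDOdfSQ4PYZ4fncmBxs9gflY2h8bA8d5Mv80iqP0nOZoaSZr2WIqWWD8odcNS7_rl6HNSJNsNJO49MUvu2NSneIl3cWebxnXbPOZZtFS8-m6UtS3U-LfS1nsCESwwixDCeiNRWLoqoewF3HerGg"
)


def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def decode_jwt(token):
    """Split a compact JWS into (header, claims). The signature is NOT checked:
    this is a claim inspector for debugging, not an authenticator."""
    header, payload, _signature = token.split(".")
    return _b64url_json(header), _b64url_json(payload)


def realm_issuer(base_uri, realm):
    """Issuer Keycloak expects for a realm: <base URI>/realms/<realm>."""
    return base_uri.rstrip("/") + "/realms/" + realm


def inspect_claims(token, base_uri, realm, now=None):
    """Report how the token's claims fare against the default bearer-token checks
    (issuer URL, 'Bearer' type, subject present, not expired) and show the azp
    claim that checkAuth() compares with "admin-cli". A token from a real login
    also carries session_state, so its presence is reported as well."""
    _header, claims = decode_jwt(token)
    now = int(time.time()) if now is None else now
    expected_iss = realm_issuer(base_uri, realm)
    return {
        "iss": claims.get("iss"),
        "expected_iss": expected_iss,
        "issuer_matches": claims.get("iss") == expected_iss,
        "type_is_bearer": claims.get("typ") == "Bearer",
        "has_subject": bool(claims.get("sub")),
        "not_expired": claims.get("exp", 0) > now,
        "issued_for": claims.get("azp"),
        "has_session_state": "session_state" in claims,
    }


if __name__ == "__main__":
    # Base URI and realm as used by the curl commands in the post.
    print(json.dumps(inspect_claims(PAGE_TOKEN, "http://localhost:9081/auth/", "master"), indent=2))
```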