[quote="Robinyo, post: 6, topic: 1457"]
Which version of Java are you using?
[/quote]
I'm using Java 11 and Spring Boot, with WebClient for requests (currently, for simplicity, I'm using keycloak-admin-client).
I think we misunderstood each other a little.
Maybe I have a wrong understanding of some details.
For example, I have 3 instances: keycloak (auth service), account-service, ui (with an associated client, ui-client, for auth).
Scenario:
I'm a user who wants to log in and change my email, for example.
- I use my user account link.
- A redirect to the auth page happens and I go through the authorization code flow, with the result: the ui has a user token with authorities from ui-client.
- Then it redirects me to my user account view (not the keycloak account resource).
Here the following happens:
The UI requests user info from account-service with some GET request with the token.
The account service checks that the user is authenticated, checks the "ui-client" scope and maybe checks the user's role.
Then it reads from its own database or requests the keycloak userinfo endpoint for some user profile info like email.
- I edit my profile, for example the email, and apply the changes.
Here a flow similar to the 3rd point takes place, except there is no endpoint with user access for the user to update their own info. I.e. I send a POST request to the account service; it changes some profile data in its own database and needs to do the same with the keycloak user data, which is used in the authorization flow.
Suppose I'm using the admin client with the default admin to update user info.
To do this I need some configuration in the account service.
Something like this:
import org.keycloak.admin.client.Keycloak;
import org.springframework.context.annotation.Bean;

@Bean
Keycloak keycloak() {
    // Admin client against the master realm, authenticating as the admin user
    // through the built-in admin-cli client (credentials hard-coded here)
    return Keycloak.getInstance(
            "http://host:port/auth",
            "master",
            "admin",
            "somePassword",
            "admin-cli"
    );
}
And write some code to process the POST request in a controller:
// inside a @RestController class
@Autowired
private Keycloak keycloak;

@PostMapping("/user")
public ResponseEntity<Void> updateUser(@AuthenticationPrincipal Jwt jwt, @RequestBody User user) {
    if (jwt == null)
        throw new ResponseStatusException(HttpStatus.BAD_REQUEST);
    // Look up the caller's own Keycloak user by the "sub" claim of the access token
    UsersResource usersResource = keycloak.realm("someRealm").users();
    UserResource userResource = usersResource.get(jwt.getClaim("sub"));
    UserRepresentation userRepresentation = userResource.toRepresentation();
    if (user.getEmail() != null) {
        userRepresentation.setEmail(user.getEmail());
    }
    userResource.update(userRepresentation);
    // and some actions to database here etc
    return ResponseEntity.noContent().build();
}
Of course the response will contain some new user data etc.
It all works fine for me currently.
The account microservice will be built into a container and registered with some discovery service.
But if some bad actor clones the server hard drive, they can obtain the containers and confidential info from them (from the code, as mentioned in my example).
And the first thing I thought of was not to store any confidential info (I thought it the easiest way: store only the ui-client secret, but it does not grant many rights without user credentials), because all permissions would be granted by the authorization code flow.
It's good advice about docker; I'm not very familiar with it, and if there is some way to hide the admin data I'll become calm ;). I'll read about it, thanks.
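As an added example (not code from the original post, nor Keycloak's own): the same Keycloak bean wired so that the admin username and password are not in source or baked into the image, but read at startup from files that Docker mounts as secrets under /run/secrets. The property names, secret file names and realm are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeycloakAdminConfig {

    // Non-secret settings can live in application.yml or the environment
    // (property name assumed, e.g. http://keycloak:8080/auth)
    @Value("${keycloak.server-url}")
    private String serverUrl;

    // Secrets are read from files rather than from properties in the image.
    // With "docker secret" / compose "secrets:" the file appears at /run/secrets/<name>
    // (secret names assumed)
    @Value("${keycloak.admin.username-file:/run/secrets/keycloak_admin_user}")
    private String usernameFile;

    @Value("${keycloak.admin.password-file:/run/secrets/keycloak_admin_password}")
    private String passwordFile;

    @Bean
    Keycloak keycloak() throws IOException {
        // Same admin-cli / master realm login as before, credentials supplied at runtime
        return KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm("master")
                .grantType(OAuth2Constants.PASSWORD)
                .clientId("admin-cli")
                .username(readSecret(Path.of(usernameFile)))
                .password(readSecret(Path.of(passwordFile)))
                .build();
    }

    // Read one secret file; fail fast at startup if it is missing instead of
    // silently running with an empty credential
    private static String readSecret(Path file) throws IOException {
        if (!Files.isReadable(file)) {
            throw new IllegalStateException("secret file not readable: " + file);
        }
        return Files.readString(file).trim();
    }
}
```

This keeps the credentials out of the image layers and the repository; the secret files themselves still have to be protected on the host (file permissions, and in Swarm mode Docker delivers them into an in-memory mount rather than onto the disk of the container image).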