Keycloak API to create users returns a 403 Forbidden
Experimenting with Keycloak as an Identity Provider. I'm running it by using the ./standalone.sh script.
So, I obtain the access_token like this:
curl --request POST \
--url http://localhost:8080/auth/realms/master/protocol/openid-connect/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=admin-cli \
--data client_secret=<the-client-secret-under-master-realm-for-admin-cli-client>
Response:
{
"access_token": "the-access-token",
"expires_in": 60,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "profile email"
}
And then quickly, under my test-realm I try to create a user as follows:
curl --request POST \
--url http://localhost:8080/auth/admin/realms/test-realm/users \
--header 'Authorization: Bearer the-access-token' \
--header 'Content-Type: application/json' \
--data '{
"firstName": "Sergey",
"lastName": "Kargopolov",
"email": "[email protected]",
"enabled": "true",
"username": "app-user"
}'
And I get hit with a 403:
< HTTP/1.1 403 Forbidden
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< Date: Thu, 28 Jan 2021 23:43:57 GMT
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Content-Length: 25
Is there something I'm missing? I'm following this tutorial and I'm doing everything exactly as described!
Edit: I tried the Password Grant way to obtain the Bearer Token and that worked, but NOT the client secret way. I obviously prefer the client secret way (which is where I'm stuck currently). What could be the issue here?
To create the user using the Keycloak Rest API, one just need to request from the admin-cli client a token on behalf of the admin user by providing its name and password, for instance as follows:
TOKEN=$(curl -k -sS -d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password" \
http://$KEYCLOAK_IP/auth/realms/master/protocol/openid-connect/token)
from the $TOKEN object extract the access token (let us named $ACCESS_TOKEN).
And then create the user as follows:
curl -k -sS -X POST https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/users \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-d "$USER_JSON_DATA"
$USER_JSON_DATA will be the json data representation of the user to be created. There is no need to add the role admin to the master admin deployed with Keycloak by default.
If setup normally, you would just need to know (as I already described) the admin's name and password, which is configured in the initial setup anyway.
If you click on the admin user > roles, you would see the following:
The admin user, has already the admin role.
Edit: I tried the Password Grant way to obtain the Bearer Token and that worked, but NOT the client secret way. I obviously prefer the client secret way (which is where I'm stuck currently). What could be the issue here?
Now if you change the admin_cli configuration exactly as you did then you need to add to the Service-account-admin-cli user the role admin.
Now the problem is that Service-account-admin-cli user is hidden in the User section. Nonetheless, you can do the following:
- Request again the admin token with your setup;
- Go to Master Realm > Clients > admin-cli > Session > Click on [Show Session]:
- click on the user
service-account-admin-cli; - Go to Role Mappings;
- Assign the
adminrole;
Since the service-account-admin-cli user has now the admin role, a token request on that user's behalf will contain the necessary privileges to create the users.
If the aforementioned does not work, then do the following go to:
- Realm Master;
- Clients > admin-cli;
- Go to Mappers;
- Click on [Create];
- As Mapper Type select "Hardcoded Role";
- Click on Select Role and selection "admin";
- Click [Save].
- StackOverflow with Keycloak as login provider returns empty email address
- Redirect from java app in docker container to the keyCloak
- How can I know the Keycloak version?
- Export users and roles from Keycloak
- Keycloak move from 23.0 to 24.0: Account is not fully set up [invalid_grant]
- Using a Database as Provider for Keycloak Application Realm
- Keycloak Custom Registration Flow Fails with "KC-SERVICES0013: Failed authentication: java.lang.NullPointerException" Error
- Role based authorization using Keycloak and .NET core
- Globally disable https keycloak
- Use Keycloak Spring Adapter with Spring Boot 3
- KeyCloak Login leads to infinite loop
- How can I get userId after call create user api in keycloak?
- How to add custom metrics to Keycloak 22 with Quarkus and MicroMeter
- Keycloak - Assign a client scope to user with a specific role
- How to save the keycloak data when running inside docker container?
- Keycloak error on console " violating Content Security Policy directive: "frame-ancestors 'self'"
- angular-oauth2-oidc with Keycloak Auth Code Flow Access Token Request is not sent
- Getting Keycloak's public key
- Keycloak with AzureAD how to change the IDP user ID / IDP Links
- Logout from next-auth with keycloak provider not works
- RESTEASY003145: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
- Add protocol-mapper to keycloak using kcadm.sh
- Provide "Forgot Password" feature in Keycloak to certain users only
- Keycloak lost admin password
- Keycloak: How to enable unmanagedAttributePolicy over REST API?
- Mocking a Keycloak token for testing a Spring controller
- Vaadin 23 Home page with anonymous access
- keycloak and nodejs (nestjs), wrong role mismatch
- Keycloak Admin REST-API Synchronize federation mapper
- Keycloak Token exchange Error - Client is not within the token audience