Invoking KeyCloak's Admin REST API using client secrets

David North · Feb 28, 2017 · Viewed 9.5k times

The example using CURL at https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/admin-rest-api.html works for me when running KeyCloak from its Docker image.

To move towards the final target shape of my application, I want to authenticate using a client ID and secret rather than username+password.

However, when I switch the admin-cli client over to 'service accounts enabled', access type confidential, and obtain a token with the following call:

curl -d "client_id=admin-cli" -d "client_secret=xxxx" -d "grant_type=client_credentials" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token"

That token results in a 403 error from calls to the admin REST API. Have I done something wrong?

Answer

Paul Duncan · Jul 13, 2017

Here's how I implemented client_credentials on admin-cli:

  1. enable 'Service Accounts' as you say
  2. set 'Access Types' to confidential - this enables it for use of client_secret and assigns the secret (Credentials tab).
  3. on 'Service Accounts' tab, grant the Service Account the realm-admin role from the realm-management client role

Since I was doing this for the admin-cli client under a specific realm, you can change the realm from 'master' to whatever your realm is, in my case EEC-RLM:

http://192.168.101.139:8080/auth/realms/EEC-RLM/protocol/openid-connect/token

For completeness, when you call the admin uri you'll set the Authorization header to 'Bearer access_token' where access_token is the access_token returned from the /token uri, above. In my case, I call:

http://192.168.101.139:8080/auth/admin/realms/EEC-RLM/users

The documentation's not necessarily particularly clear when it relates to the actual URLs to call: I initially thought that these operations were always on the master realm for instance, which is not the case.
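The two-step flow the answer describes (client_credentials token from the realm's token endpoint, then an admin call with that token as a Bearer header), as an added example that is not part of the question or the answer and not Keycloak's own client code. It uses only the Python standard library. The host, realm, client secret "xxxx", token string and user records are constructed placeholders, and FakeKeycloak is a constructed stand-in for urlopen so the flow runs offline; pass no opener to talk to a real server. The 403 branch is the symptom from the question: a valid token whose service account has no realm-management role.

```python
# Added example: Keycloak admin REST API via client_credentials (stdlib only).
# Host, realm, secret, token and user data below are constructed placeholders.
import io
import json
import urllib.error
import urllib.parse
import urllib.request


def token_url(base_url: str, realm: str) -> str:
    # The token endpoint belongs to the realm that owns the client, not always 'master'.
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def admin_users_url(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/auth/admin/realms/{realm}/users"


def build_token_request(base_url, realm, client_id, client_secret):
    # Same form fields as the curl call in the question.
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url(base_url, realm), data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def build_admin_request(url, access_token):
    # 'Authorization: Bearer <access_token>', as the answer describes.
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


def _send(request, opener):
    """Return (status, body); 4xx/5xx come back as values instead of exceptions."""
    try:
        with opener(request) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fetch_access_token(base_url, realm, client_id, client_secret, opener=urllib.request.urlopen):
    status, body = _send(build_token_request(base_url, realm, client_id, client_secret), opener)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body[:200]!r}")
    return json.loads(body)["access_token"]


def list_users(base_url, realm, client_id, client_secret, opener=urllib.request.urlopen):
    token = fetch_access_token(base_url, realm, client_id, client_secret, opener)
    status, body = _send(build_admin_request(admin_users_url(base_url, realm), token), opener)
    if status == 403:
        # Token is valid but the service account carries no realm-management role.
        raise PermissionError("403 from admin API: grant the service account the realm-admin "
                              "role (realm-management client) on the Service Accounts tab")
    if status != 200:
        raise RuntimeError(f"admin API returned {status}: {body[:200]!r}")
    return json.loads(body)


class _FakeResponse:
    def __init__(self, body: bytes):
        self.status, self._body = 200, body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeKeycloak:
    """Constructed stand-in for urlopen: issues a token for the right secret and serves
    the users endpoint only when the service account holds realm-admin."""

    def __init__(self, client_secret, has_realm_admin):
        self.client_secret, self.has_realm_admin = client_secret, has_realm_admin
        self.seen = []  # URLs requested, in order

    def __call__(self, request):
        self.seen.append(request.full_url)
        if request.full_url.endswith("/protocol/openid-connect/token"):
            form = urllib.parse.parse_qs(request.data.decode())
            if form.get("grant_type") == ["client_credentials"] and form.get("client_secret") == [self.client_secret]:
                tok = {"access_token": "constructed.demo.token", "token_type": "bearer", "expires_in": 60}
                return _FakeResponse(json.dumps(tok).encode())
            raise urllib.error.HTTPError(request.full_url, 401, "Unauthorized", {},
                                         io.BytesIO(b'{"error":"unauthorized_client"}'))
        if self.has_realm_admin and request.get_header("Authorization") == "Bearer constructed.demo.token":
            return _FakeResponse(json.dumps([{"id": "constructed-id-1", "username": "alice"}]).encode())
        raise urllib.error.HTTPError(request.full_url, 403, "Forbidden", {},
                                     io.BytesIO(b'{"error":"unknown_error"}'))


def demo(base_url="http://localhost:8080", realm="EEC-RLM"):
    """Run the flow once with and once without the realm-admin role on the service account."""
    ok = FakeKeycloak("xxxx", has_realm_admin=True)
    users = list_users(base_url, realm, "admin-cli", "xxxx", opener=ok)
    try:
        list_users(base_url, realm, "admin-cli", "xxxx", opener=FakeKeycloak("xxxx", has_realm_admin=False))
        forbidden = None
    except PermissionError as err:
        forbidden = str(err)
    return {"users": users, "token_url": ok.seen[0], "forbidden": forbidden}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real server, call list_users with the base URL, realm, client ID and the secret from the client's Credentials tab and leave opener at its default; the PermissionError is the place to look when a freshly obtained token still yields 403.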