In this tutorial we want to set up and test the Keycloak REST API with curl. The agent role granted to a user should provide the necessary roles to allow REST API access.
We should already have the following setup:
- A new Realm named RBAC
- A realm client named app-client
- A realm user named testadmin with assigned role named agent
- A Keycloak server running at http://localhost:8280
About Realm Management
Each realm has a built-in client called realm-management. You can view this client by going to the Clients left menu item of your realm. This client defines client-level roles that specify permissions that can be granted to manage the realm.
- view-realm
- view-users
- view-clients
- ...
To allow a user or role to access the Keycloak API we need to grant this permission either
- directly to a specific user, or
- through a composite role holding this permission.
In this tutorial we use the latter.
Initial Test
- Accessing the Keycloak URL /auth/admin/realms/RBAC/users fails with an HTTP 403 error
$ ./get-users-via-RBAC-app-client.sh testadmin
*** Run curl test for user testadmin with secret: 0a32b2ad-7b58-4c5b-bffe-7d3673fe70a3 and Keycloak URL: http://localhost:8280 - CLIENT_ID: app-client - REALM: RBAC
..
* Connected to localhost (127.0.0.1) port 8280 (#0)
> GET /auth/admin/realms/RBAC/users HTTP/1.1
> Host: localhost:8280
> User-Agent: curl/7.79.1
> Accept: */*
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiS..
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
Fix: Add the view-users role of the realm-management client to the agent role via the Composite Role feature
- Note: you need to enable the Composite Roles checkbox on the agent role first

Rerun Test
$ ./get-users-via-RBAC-app-client.sh
Connected to localhost (127.0.0.1) port 8280 (#0)
> GET /auth/admin/realms/RBAC/users HTTP/1.1
> Host: localhost:8280
> User-Agent: curl/7.79.1
> Accept: */*
> Authorization: Bearer eyJhbGciOiJSUzI1NiI
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Referrer-Policy: no-referrer
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Cache-Control: no-cache
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Type: application/json
< content-length: 1104
<
[{"id":"7b7b84e7-00c5-4921-a4ed-7ad0fe78ba99",...
Curl test script get-users-via-RBAC-app-client.sh
$ more get-users-via-RBAC-app-client.sh
#!/bin/bash
#
# Note: To avoid HTTP 500 with PERMISSION_TOKEN_ERROR on your Keycloak server, KEYCLOAK_URL must match
# the auth-server-url in your application.properties file:
# quarkus.oidc.auth-server-url=http://localhost:8280
#
SECRET=0a32b2ad-7b58-4c5b-bffe-7d3673fe70a3   # client secret of app-client
KEYCLOAK_URL="http://localhost:8280"
REALM="RBAC"
#REALM="master"
#PASSWORD="admin"
PASSWORD="xxx"                                # password of the user passed as $1
CLIENTID="app-client"
#
# For https:
# KEYCLOAK_URL="https://localhost:8543"
#
if [ -z "$1" ]; then
  echo -e "\nPlease call '$0 <username>' to run this script!\n"
  exit 1
fi
USERNAME=$1
TOKEN_ENDPOINT="${KEYCLOAK_URL}/auth/realms/${REALM}/protocol/openid-connect/token"

echo -e "\n *** Run curl test for user $USERNAME with secret: $SECRET and Keycloak URL: $KEYCLOAK_URL - CLIENT_ID: $CLIENTID - REALM: $REALM \n\n"
echo -e "\n*** Testing getting the token - If this fails validate your client secret"
# Resource Owner Password Credentials grant. The full JSON response is printed so an
# error (e.g. invalid_client) is visible, then the access_token is extracted with jq.
TOKEN_RESPONSE=$(curl -s -X POST "${TOKEN_ENDPOINT}" \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'cache-control: no-cache' \
  -d "grant_type=password&username=${USERNAME}&password=${PASSWORD}&client_id=${CLIENTID}&client_secret=${SECRET}")
echo "${TOKEN_RESPONSE}"
echo -e "\n\n"
echo -e "\n*** Saving token in access_token variable"
#
export access_token=$(echo "${TOKEN_RESPONSE}" | jq --raw-output '.access_token')
if [ -z "${access_token}" ] || [ "${access_token}" = "null" ]; then
  echo "No access_token in the response - check username, password and client secret"
  exit 1
fi
echo -e "\n*** Testing HTTP GET Request"
# Admin REST API call: answers 403 unless the token carries the view-users role of realm-management
curl -v -X GET "${KEYCLOAK_URL}/auth/admin/realms/${REALM}/users" -H "Authorization: Bearer ${access_token}"
echo -e "\n********************************************************\n\n"
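To see why the first run answered 403 and the second 200, it helps to read the roles Keycloak put into the access token itself. The following Python script is an added example, not part of the tutorial or the curl script: it decodes the token payload (without verifying the signature), reports which realm-management roles the admin call still lacks, and requests a token the same way the curl script does. The two sample tokens are constructed for offline use; fetch_token assumes the realm, URL and password grant used in this tutorial.

```python
import base64
import json
import urllib.parse
import urllib.request

KEYCLOAK_URL = "http://localhost:8280"  # values from the tutorial setup
REALM = "RBAC"
REQUIRED_ROLES = {"view-users"}         # realm-management role that GET .../users needs

def decode_jwt_payload(token: str) -> dict:
    """Claims from the JWT payload segment. The signature is NOT checked here;
    this is a diagnostic aid for a token you obtained yourself (Keycloak verifies it)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def realm_management_roles(claims: dict) -> set:
    """Roles of the built-in realm-management client as Keycloak emits them in the
    resource_access claim; composite roles are already expanded at this point."""
    return set(claims.get("resource_access", {}).get("realm-management", {}).get("roles", []))

def missing_admin_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Roles the token lacks for the admin call; an empty set means no 403 expected."""
    return set(required) - realm_management_roles(decode_jwt_payload(token))

def fetch_token(username: str, password: str, client_id: str, secret: str) -> str:
    """Password grant against the realm token endpoint, the same request the curl script makes."""
    body = urllib.parse.urlencode({"grant_type": "password", "username": username,
        "password": password, "client_id": client_id, "client_secret": secret}).encode()
    req = urllib.request.Request(
        f"{KEYCLOAK_URL}/auth/realms/{REALM}/protocol/openid-connect/token",
        data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def _sample_token(resource_access: dict) -> str:
    """Constructed sample token with a placeholder signature, for offline use only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    claims = {"preferred_username": "testadmin", "resource_access": resource_access}
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.placeholder-signature'

# Before the fix the token only carries the app-client role 'agent'; after view-users is
# added to the composite role, realm-management shows up in resource_access.
TOKEN_BEFORE = _sample_token({"app-client": {"roles": ["agent"]}})
TOKEN_AFTER = _sample_token({"app-client": {"roles": ["agent"]},
                             "realm-management": {"roles": ["view-users"]}})
```

If view-users is mapped to the composite role but still does not appear in a real token, check the Full Scope Allowed setting on app-client (or add the realm-management roles to its scope), because Keycloak only places roles in a token that the client's scope permits.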