Invoking KeyCloak's Admin REST API using client secrets

Tags:

keycloak

The example using CURL at https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/admin-rest-api.html works for me when running KeyCloak from its Docker image.

To move towards the final target shape of my application, I want to authenticate using a client ID and secret rather than username+password.

However, when I switch the admin-cli client over to 'service accounts enabled', access type confidential, and obtain a token with the following call:

curl -d "client_id=admin-cli" -d "client_secret=xxxx" -d "grant_type=client_credentials" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token"

That token results in a 403 error from calls to the admin REST API. Have I done something wrong?

David North asked Feb 28 '17 13:02

2 Answers

Here's how I implemented client_credentials on admin-cli:

  1. enable 'Service Accounts' as you say
  2. set 'Access Types' to confidential - this enables it for use of client_secret and assigns the secret (Credentials tab).
  3. on 'Service Accounts' tab, grant the Service Account the realm-admin role from the realm-management client role

Since I was doing this for the admin-cli client under a specific realm, you can change the realm from 'master' to whatever your realm is, in my case EEC-RLM:

http://192.168.101.139:8080/auth/realms/EEC-RLM/protocol/openid-connect/token

For completeness, when you call the admin uri you'll set the Authorization header to 'Bearer access_token' where access_token is the access_token returned from the /token uri, above. In my case, I call:

http://192.168.101.139:8080/auth/admin/realms/EEC-RLM/users

The documentation's not necessarily particularly clear when it relates to the actual URLs to call: I initially thought that these operations were always on the master realm for instance, which is not the case.

Paul Duncan answered Sep 18 '22 14:09

I had the same problem and after a loooong time I figured it out (btw I'm using keycloak v7.0.0).

This is what you need to do:

  • Add a new confidential client to the realm master
  • For that client, enable the option Service Accounts Enabled
  • On the Mappers tab, create a new custom "Audience" mapper:
    • Name: aud-mapper
    • Mapper type: Audience
    • Included Client Audience: security-admin-console

It should look like this:

[Image: Custom Audience mapper]

Finally, go to the "Service Account Roles" tab and assign the role 'admin' (or the one you want) to the client service client.


After that, you can get an admin token coined to your client and use it against the Admin REST API:

#!/usr/bin/env python
import requests

url = "https://localhost:8080/auth/realms/master/protocol/openid-connect/token"
session = requests.Session()

grant_type = 'client_credentials'

client_id = "super-client"              # change this one
client_secret = "super-client-secret"   # change this one

# Passing a dict lets requests form-encode the body and set
# Content-Type: application/x-www-form-urlencoded itself, so a secret
# containing '&' or '%' is escaped correctly instead of corrupting the query
payload = {"scope": "openid", "client_id": client_id,
           "grant_type": grant_type, "client_secret": client_secret}

ret = session.post(url=url, data=payload)
ret.raise_for_status()      # surface a 400/401 instead of a KeyError below
token_object = ret.json()
print(token_object['access_token'])
dafero answered Sep 21 '22 14:09
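The following is an added, stand-alone example (not code from either answer) that puts both answers together: it requests a client_credentials token, calls the admin users endpoint with it as a Bearer credential, and on a 403 decodes the token's claims locally to report whether the Audience mapper from the second answer or the admin / realm-admin service-account role from the first is missing. The base URL, realm, client ID and secret are constructed placeholders, and the claim inspection is unverified and for local diagnosis only.

```python
import base64, json
import urllib.error, urllib.parse, urllib.request

# Constructed values; substitute your own realm, client and secret.
BASE_URL = "http://localhost:8080/auth"
REALM = "master"
CLIENT_ID = "super-client"
CLIENT_SECRET = "super-client-secret"

def decode_jwt_claims(token):
    """Payload claims of a JWT, signature NOT verified: local inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose_admin_token(claims):
    """Map a 403 from the admin API to the two fixes given in the answers."""
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if "security-admin-console" not in aud:
        problems.append("aud lacks security-admin-console (add Audience mapper)")
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    mgmt_roles = set(claims.get("resource_access", {})
                     .get("realm-management", {}).get("roles", []))
    if "admin" not in realm_roles and "realm-admin" not in mgmt_roles:
        problems.append("service account lacks 'admin' / realm-admin role")
    return problems

def get_admin_token():
    """client_credentials grant; the body is form-encoded, not JSON."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": CLIENT_ID,
                                   "client_secret": CLIENT_SECRET}).encode()
    url = f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as resp:
        return json.load(resp)["access_token"]

def list_users(token):
    """Admin REST API call with the token as a Bearer credential."""
    req = urllib.request.Request(f"{BASE_URL}/admin/realms/{REALM}/users",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:  # explain the denial from the token's own claims
            print("403 hints:", diagnose_admin_token(decode_jwt_claims(token)))
        raise
```

Run `list_users(get_admin_token())` against a live server; the audience hint only matters on Keycloak versions that enforce it, as in the second answer.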