Unable to create Keycloak realm via the rest admin API: Unsupported Media Type

Tags: realm, keycloak

I am using keycloak 4.8.3 and I am trying to create a new realm and user(s) using the admin api. According to the documentation, it looks like it is the import call. Assuming I am running keycloak on localhost, the api url should look like http://localhost:8080/auth/. I am also a little bit confused by the doc, which isn't explicit on the exact path other than POST /, so I am not sure if it's POST /admin/realms.

I have started working on this using ansible and, since I was not making any headway, I turned to plain REST. I have used the master username and password to get a token calling /auth/realms/master/protocol/openid-connect/token. It looks like with the POST request/response below, I am either calling the wrong url, or making the call with the wrong Content-Type (tried sending only {"realm": "somerealm"} with the form url encoded type and keycloak only returns OK etc. but nothing gets created).

> POST /auth/ HTTP/1.1
> Host: localhost:8080
> User-Agent: insomnia/6.5.4
> Content-Type: application/json
> Authorization: bearer eyJhbGcisomelongbearertoken"
> Accept: */*
> Content-Length: 373

| {
|   "realm": "somerealm",
|   "displayName": "somerealm",
|   "enabled": true,
|   "users": [
|       {
|           "email": "[email protected]",
|           "enabled": true,
|           "firstName": "APIGateway",
|           "lastName": "SomeProject",
|           "usename": "api-manager",
|           credentials: [
|               {
|                   "temporary": false,
|                   "type": "password",
|                   "value": "somedecentpassword"
|               }
|           ]
|       }
|   ]
| }

* upload completely sent off: 373 out of 373 bytes

< HTTP/1.1 415 Unsupported Media Type
< Date: Tue, 25 Jun 2019 11:13:44 GMT
< Content-Length: 0
< Connection: keep-alive

Can anyone hint at the issue above? I have been on this for the past 24h and I think I need to come here and shout for help. Thanks in advance.

black sensei asked Mar 04 '23 19:03


2 Answers

1) While in the Keycloak web console click on the Clients tab and create a new confidential client (call it realm-creator); make sure to toggle the Service Accounts Enabled setting to ON.

2) Go over to the Service account roles tab and assign the create-realm (from the Realm roles group) role to your client.

3) Get the access token (I'm using curl and jq)

KCHOST=https://yourkeycloak.com
REALM=master
CLIENT_ID=realm-creator
CLIENT_SECRET=xxxxxxx-yyyyyyyy-zzzzzzzzz

ACCESS_TOKEN=`curl \
  -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
  -d "grant_type=client_credentials" \
  "$KCHOST/auth/realms/$REALM/protocol/openid-connect/token"  | jq -r '.access_token'`

4) Put your realm into realm.json

5) Finally call the REST API endpoint:

curl -v -X POST \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d @realm.json \
  $KCHOST/auth/admin/realms

P.S. Btw, for debugging I have just written a CLI tool called brauzie that would help you fetch and analyse your JWT tokens (scopes, roles, etc.). It could be used for both public and confidential clients. You could as well use Postman and https://jwt.io if you wish to.

HTH :)

maslick answered Apr 30 '23 12:04
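An added example, not code from the question or either answer: a small Python module that builds the two calls from the answer above (client-credentials token, then POST /auth/admin/realms with a JSON body) and a check that explains why a captured request like the one in the question (POST /auth/, unquoted `credentials` key) is rejected. Host, realm, client and token values are placeholders; send() is the only function that touches the network.

```python
"""Build and sanity-check the Keycloak 'create realm' admin call.

Added example, not code from the page. Assumes the URL layout shown in
the answer: /auth/realms/<realm>/protocol/openid-connect/token for the
token endpoint and /auth/admin/realms for realm creation.
"""
import json
import urllib.parse
import urllib.request

ADMIN_REALMS_PATH = "/auth/admin/realms"


def token_request(base_url, realm, client_id, client_secret):
    """Client-credentials token request (the curl -d call from the answer)."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "grant_type": "client_credentials"}).encode()
    url = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"
    return urllib.request.Request(url, data=form, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def create_realm_request(base_url, access_token, realm_representation):
    """POST /auth/admin/realms with a JSON body; json.dumps guarantees quoted keys."""
    body = json.dumps(realm_representation).encode()
    return urllib.request.Request(f"{base_url.rstrip('/')}{ADMIN_REALMS_PATH}", data=body,
                                  method="POST",
                                  headers={"Authorization": f"Bearer {access_token}",
                                           "Content-Type": "application/json"})


def check_request(method, path, headers, raw_body):
    """Return findings for a captured request, e.g. the insomnia trace in the question."""
    findings = []
    if method != "POST" or path.rstrip("/") != ADMIN_REALMS_PATH:
        findings.append(f"wrong endpoint {method} {path}: realm creation is POST {ADMIN_REALMS_PATH}")
    if not headers.get("Content-Type", "").startswith("application/json"):
        findings.append("Content-Type must be application/json")
    if "Authorization" not in headers:
        findings.append("missing Authorization: Bearer <access token> header")
    try:
        json.loads(raw_body)  # catches unquoted keys such as the bare 'credentials:' in the question
    except json.JSONDecodeError as exc:
        findings.append(f"body is not valid JSON: {exc.msg} at char {exc.pos}")
    return findings


def send(request):
    """Perform a built request; Keycloak answers 201 Created for a new realm."""
    with urllib.request.urlopen(request) as resp:
        return resp.status, resp.read()
```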


This is the most complete discussion on this topic that I can find, and the short answer is that as of July 2020 there is no way to completely automate a Keycloak deployment that includes creating a new realm, because there are no API endpoints for creating a client with service account roles.

I presume the solutions presented in this topic have been taken away in recent versions. As of the most recent (10.0.2) version of Keycloak, POST requests to the realm creation API fail with a 500 error using the solutions listed in the thread linked below:

https://devops.stackexchange.com/questions/11078/creating-keycloak-realm-via-ansible

The only way to expose the client service role "create-realm" in this most recent version of Keycloak is to create a confidential client, which then exposes "service account roles" as a boolean option and list of properties on the confidential client if enabled, as maslick's reply states. At that point the user can add "create-realm" as a role allowed for the client.

However, there are no apparent "service account roles" endpoints or capabilities under the client creation API, so as of now the user must create such a client via the web console. The API can enable the boolean option for service account roles, but not add those roles to the client via the API. If you have to go into the web console to create the client, you can just as well point and click a new realm as well without trying to jump through these hoops.

This is a pretty obvious shortcoming on the part of the Keycloak API. The ability to POST new realms to the API should not have been taken away without the ability to create a client capable of doing so, also via the API.

RNC answered Apr 30 '23 12:04