I am trying to get and change some specific user (name, surname, email, etc), but my link returns some unknown error. This is my link: http://localhost:8080/admin/realms/space-realm/users. Can you please explain me what I am doing wrong? Will be very apprecaited.
This step is overview.
1 Find master access token URL
In my demo URL,
http://localhost:8180/auth/realms/master/protocol/openid-connect/token
This may help long life of access-token time if you needs to more space time to handle step 3 and 4
2 Get master token
run postman, use #1-4 URL
assign variable in tests tab
access-token variable will be use #3 and #4
var jsonData = JSON.parse(responseBody);
postman.setEnvironmentVariable("access-token", jsonData.access_token);
set the Key in Body tab with x-www-form-urlencoded option
Click Send button
Should be return OK 200 status and see the access token
3 Get space-realm user
I added one user, I will get this user information
In my get user list URL
http://localhost:8180/auth/admin/realms/space-realm/users
Use this variable in Authorization Tab
{{access-token}}
4 Update user properties with 3's user UI
set header
The status should be 204 No Content status
if get user information by id, get this result
with changed properties.
First, you need to get an access token for the service account through client credentials grant type flow that has the required roles to manage users in Keycloak. From the Box keycloak has the following hardcoded in the source code roles that allow doing something like that:
manage-users
view-users
query-users
Second. Perform needed requests to the Admin REST API endpoints of Keycloak - https://www.keycloak.org/docs-api/18.0/rest-api/#_users_resource with the retrieved access token in the Authorization Bearer header to manage the users.
Related
First let me describe the setup:
We have a frontend Angular based product from a different client team (not part of code we can easily modify), and a backend django based API server.
The front end logs in to a keycloak server, and when logged in, the backend gets an Auth header with a bearer token in every request.
From this, we are able to identify the logged in user as follows (using python-keycloak):
ret = keycloak.userinfo(bearer_token)
username = ret['preferred_username']
This is obviously very wasteful since it needs an extra network request to keycloak everytime - so we create a django user session instead and use that for session management.
Now when it comes to logging out, when the user logs out from the front end, we need to void the django session.
I've setup the "Back channel logout URL" on the keycloak realm settings to call some endpoint on the django server.
The endpoint gets called on logout, and it gets a "logout_token" value in the arguments.
Now I'm not sure how I am supposed to identify which user is logging out based on this token. How can this be done?
Thanks in advance...
I am not 100% sure about the soundness of you architecture. Nonetheless, regarding your particular question:
ret = keycloak.userinfo(bearer_token)
username = ret['preferred_username']
From the Keycloak book:
preferred_username This is the username of the authenticated user. You should avoid this
as a key for the user as it may be changed, and even refer to a
different user in the future. Instead, always use the sub field for
the user key.
From the OpenID connect specification one can read that:
OPs send a JWT similar to an ID Token to RPs called a Logout Token to
request that they log out. ID Tokens are defined in Section 2 of
[OpenID.Core].
The following Claims are used within the Logout Token:
iss REQUIRED. Issuer Identifier, (...)
sub OPTIONAL. Subject Identifier,(...)
aud REQUIRED. Audience(s), (...)
iat REQUIRED. Issued at time, (...)
jti REQUIRED. Unique identifier for the token, (...)
(...)
sid OPTIONAL. Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. (..)
A Logout Token MUST contain either a sub or a sid Claim, and MAY contain both. If a sid Claim is not present, the intent is that all sessions at the RP for the End-User identified by the iss and sub Claims be logged out.
So you can try to use the claim 'sub', which is the unique identifier of the authenticated user. You would (probably) need to create the mapping between 'sub' and 'user' in your backend. Alternatively, you could use the same logic but applying it to 'sid' instead. There you would map the ID session of Keycloak to your own ID session.
However, my question is:
The front end logs in to a keycloak server, and when logged in, the
backend gets an Auth header with a bearer token in every request.
From that bearer token (which I am assuming to be an access token) can't you simply get 'preferred_username' (or better the 'sub' claim) from there? that would not require any extra call to the Keycloak server.
I am trying to build a REST API that will login to Facebook using socialite with lumen, a micro-service of Laravel. I have set up my Facebook app and configured the client_id, secret and access url accordingly.
The work flow is:
Here is the work flow
1.get user details from socialite
2.check the user existence with email ,if its exists execute auth::login, otherwise create a new record in users table and redirect to profile.
The program now redirects me to Facebook, however once the user presses the login button, it returns the following error:
Client error: `POST https://graph.facebook.com/v3.3/oauth/access_token` resulted in a `400 Bad Request` response:
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100,"error_subcode":*****,"f (truncated...)
I am confused as it has not been long since I generated the token and no user login/ permissions have changed, so the token should not be expired. Do I need to store the access token in a database in order to grant the user permission or is there some way to store it in a user's browser session?(I already have a database configured on forge for user name and email)
I want to make a rest call to my Keycloak server.
According to doc it should be easy: https://www.keycloak.org/docs-api/10.0/rest-api/index.html#_executeactionsemail
So before I'll start codeing I want to prepare Postman call, so my url is
http://localhost:8080/auth/admin/realms/test/users/12345/execute-actions-email
in raw body I'm providing ['UPDATE_PASSWORD']
and what I get is 401 Unauthorized and I can't get what I'm doing wrong?
Body:
Headers are default:
For accessing the Admin Rest API you need to pass on the admin token to REST CALLS:
You would have been prompted to create an admin account as soon as you would have opened {keycloak-url}/auth.
You can use this admin account to obtain the admin token as shown below.
Note that only change you have to do in below call is your keycloak server address and value of admin username and password.
You can pass the token obtain above on to the REST aPIs with Authroization header.
Please refer to my other SO post for a step by step guide to do this.
#tryingToLearn thank You so much!
I'll post what I did.
Get token for master realm admin account:
Call reset password service in test realm
I've had wrong body so correct body for this request is ["UPDATE_PASSWORD"] and You can notice 204 in the right bottom corner.
The second question is, is it possible to have special user in any realm, not master realm admin for getting a token?
There is documentation for test users in the Facebook Developer online documentation but how do you delete actual users where the application doesn't show in their app list anymore? This is with the knowledge of the access_token and facebook_user_id.
Used to delete Test Users:
https://graph.facebook.com/893450345999?method=delete&access_token=A2ADI1YMySweBABBGrWPNwKMlubZA5ZCrQbxwhtlEd9FIQUrOVjsGD3mnIWEbUhzDz7dkuBekMFdHvjvJ9CZAU7EMSSaZBsgN60FkMCi3AAZDZD
Running the test user link produces the following error:
"error": {
"message": "(#100) Can only call this method on valid test users for your app",
"type": "OAuthException",
"code": 100
}
You seek for application de-authorization:
You can de-authorize an application or revoke a specific extended permissions on behalf of a user by issuing an HTTP DELETE request to PROFILE_ID/permissions with a user access_token for that app.
permission - The permission you wish to revoke. If you don't specify a permission then this will de-authorize the application completely.
To achieve this issue request to:
https://graph.facebook.com/me/permissions?method=delete&access_token=...
Once application de-authorized it will not appear in the list of user's applications.
Update December 2021
Follow the reference for Requesting & Revoking Permissions:
To remove single permission issue a DELETE request to /{user-id}/permissions/{permission-name} passing user access token or an app access token
To de-authorize an app completely issue similar request to the /{user-id}/permissions endpoint
Real users 'delete' themselves from your app when they remove your app from their account, you don't have to do anything.
If you would like to know when users de-authorize your app like this, you can specify a Deauthorize Callback URL in your app's settings. As described in the docs at https://developers.facebook.com/docs/authentication/:
Upon app removal we will send an HTTP POST request containing a single parameter, signed_request, which, once decoded, will yield a JSON object containing the user_id of the user who just deauthorized your app. You will not receive an user access token in this request and all existing user access tokens that were previously issued on behalf of that user will become invalid.
UPDATE: To remove your own app from the user's authorized applications, issue an HTTP DELETE to https://graph.facebook.com/[userid]/permissions?access_token=... as per https://developers.facebook.com/docs/reference/api/user/.
Typically Graph API calls also support doing an HTTP POST with an extra parameter, method=DELETE, in case DELETE calls are not possible/supported.
To do it:
You must have the user access token.
Visit https://developers.facebook.com/tools/debug/accesstoken/ and debug the user access token.
Copy App-Scoped User ID
Via API call HTTP DELETE to https://graph.facebook.com/[App-Scoped User ID]/permissions?method=delete&access_token=[YOUR-APP-ACCESS-TOKEN]
On this page:
http://developers.facebook.com/docs/opengraph/using-app-tokens/
It describes how to get the app access token, yet the token it returns is different than the one in the open Graph "Get Code" example. The latter is the only one that works. How can I get the second access token using the API? When I try to use the first example, I basically get something back that looks like "application ID|secret key" which is different than the real access token.
as documentation states, you will get
access_token=YOUR_APP_ACCESS_TOKEN
string back from the API call. Even though it LOOKS like "application ID|secret key HASH" - it is a valid access token you can use to publish to user's wall. You can verify it's a proper access token using Debug toll from FB: https://developers.facebook.com/tools/debug - just paste the token there.
The reason it might not work for you is because you are trying to publish something to the user's wall who did not authorize your app. Look here: https://developers.facebook.com/docs/reference/javascript/ - for example of how to use your app ID to make user authorize the app. You need to request publish_stream permission for your app from user in order to be able to publish as the app to the user's wall.
And going back to the documentation:
Note that the app access token is for publishing purposes permitted by
the publish_actions and publish_stream permissions. You will be unable
to retrieve information about the status update post with the given ID
using the app access token. Instead, you should use a user access
token for such purposes.
hope that helps.