How to reset user password in keycloak using REST API - postman

I want to make a rest call to my Keycloak server.
According to doc it should be easy: https://www.keycloak.org/docs-api/10.0/rest-api/index.html#_executeactionsemail
So before I'll start codeing I want to prepare Postman call, so my url is
http://localhost:8080/auth/admin/realms/test/users/12345/execute-actions-email
in raw body I'm providing ['UPDATE_PASSWORD']
and what I get is 401 Unauthorized and I can't get what I'm doing wrong?
Body:
Headers are default:

For accessing the Admin Rest API you need to pass on the admin token to REST CALLS:
You would have been prompted to create an admin account as soon as you would have opened {keycloak-url}/auth.
You can use this admin account to obtain the admin token as shown below.
Note that only change you have to do in below call is your keycloak server address and value of admin username and password.
You can pass the token obtain above on to the REST aPIs with Authroization header.
Please refer to my other SO post for a step by step guide to do this.

#tryingToLearn thank You so much!
I'll post what I did.
Get token for master realm admin account:
Call reset password service in test realm
I've had wrong body so correct body for this request is ["UPDATE_PASSWORD"] and You can notice 204 in the right bottom corner.
The second question is, is it possible to have special user in any realm, not master realm admin for getting a token?

Related

Keycloak v.18: How to manipulate with users using Keycloak API

I am trying to get and change some specific user (name, surname, email, etc), but my link returns some unknown error. This is my link: http://localhost:8080/admin/realms/space-realm/users. Can you please explain me what I am doing wrong? Will be very apprecaited.
This step is overview.
1 Find master access token URL
In my demo URL,
http://localhost:8180/auth/realms/master/protocol/openid-connect/token
This may help long life of access-token time if you needs to more space time to handle step 3 and 4
2 Get master token
run postman, use #1-4 URL
assign variable in tests tab
access-token variable will be use #3 and #4
var jsonData = JSON.parse(responseBody);
postman.setEnvironmentVariable("access-token", jsonData.access_token);
set the Key in Body tab with x-www-form-urlencoded option
Click Send button
Should be return OK 200 status and see the access token
3 Get space-realm user
I added one user, I will get this user information
In my get user list URL
http://localhost:8180/auth/admin/realms/space-realm/users
Use this variable in Authorization Tab
{{access-token}}
4 Update user properties with 3's user UI
set header
The status should be 204 No Content status
if get user information by id, get this result
with changed properties.
First, you need to get an access token for the service account through client credentials grant type flow that has the required roles to manage users in Keycloak. From the Box keycloak has the following hardcoded in the source code roles that allow doing something like that:
manage-users
view-users
query-users
Second. Perform needed requests to the Admin REST API endpoints of Keycloak - https://www.keycloak.org/docs-api/18.0/rest-api/#_users_resource with the retrieved access token in the Authorization Bearer header to manage the users.

How does Djoser JWT login flow works

So I've been trying to use Djoser JWT and I don't know how to login in it. As far as I know you create a request with your login credentials to this url /jwt/create/ and get the access and refresh token and maybe get the user object from /users/me/. This is where I got stuck, where do I go from here?
You correctly understood the first step of the process. Basically, you can now:
Add the access token in the header of your next requests.
This will transparently authenticate the user thanks to the Simple JWT plugin and you will be able to access him with the usual request.user in the views.
Refresh the access token each time you get a 401 response.
The access token is supposed to be short-living for security concerns and a 401 response from the server indicates that the one your are using is expired. So you have to get a new one by sending the refresh token to the token/refresh/ API and, then, make your request again.
You can read this article if you need more detailed explanations about this process or JWT.

How to make REST api calls that needs auth_token?

I'm working on a Django-REST application that contains APIs that work with login mechanism.
I'm able to create API endpoints for login and logouts.
Login takes username, password and returns auth_token which is around 30 characters.
Logout takes auth_token and destroys it.
In between these login and logouts, there are few API calls that make use of auth_token.
How is it generally implemented ? How are the requests made with auth_token in general?
Where are those tokens stored? How do the backend validates it?
Can someone please explain me how it is done basically?
store the token in browser storage. and remove the token form browser storage on logout logic.
make sure you drf setting DEFAULT_AUTHENTICATION_CLASSES list contain TokenAuthentication class before SessionAuthentication , rest_framework.authtoken in you setting install app.
for any api call just attach the token like (Token your_toke) I mean "Toke" then space the your token and attach it to your request authentication header of the ajax request

Working with django rest framework to authenticate a user with new token for every login

I would like to use django-rest-framework token to authenticate users. My workflow would be:
User requests a page
If auth token is present, respond with the requested data.
If auth token is not present, redirect to the login page (with the request page).
Inside the login page, user submit their credentials
If credentials were correctly authenticated, get or create a token for that user and redirect back to the requested page with the token.
Else, respond with error.
Lastly,
When the user logs out, delete the token for that user.
So my question is, is it okay to delete and create a new token for every login if the user has already logged out? Also I assume the token will be unique, am I correct? Your help and guidance is very much appreciated. Thank you.
A REST API should be stateless, that means that there should not be a "session" hence no login and no logout, and no redirections to a login page.
If the request doesn't have a token then the API should return (probably) a 401 Unauthorized HTTP status code and not a redirection. You're making an API so there won't be human interaction. Django rest framework offers a human-friendly interface that does have sessions, login/logout, and if that's all you need the go for it, you can do whatever you want. But It'd be hard for another program to use your API.
why not using tokens with expiration dates or using another well known authentication method ?? :P
Hope this helps :)

Authenticate a user on a GET API end point

Problem
I have a Django REST API with a GET end point which I want to restrict the access to admin users. This can be done by specifying
permission_classes = (IsAdminUser,)
in the view.
Now I am trying to test this end point with Postman but I have 2 problems:
It does not work, I get a message that says "Authentication credentials were not provided."
My credentials are sent visibly in the url (because this is a GET end point)
Questions
Why can't I get the expected answer from the end point when I use Postman? I am receiving what I want if I use curl <my_url> -u <user>:<password>.
How can I keep my API meaningful (i.e., not using POST when the goal of the end point is to retrieve data) while keeping critical credentials hidden?
Why do you pass auth details in the URL? You have a Basic Auth section in POSTMAN, where you can put you login credentials. POSTMAN will then set the correct headers for you.
Remember to set BasicAuthentication as your auth class in DRF view or settings.