Keycloak - creating a Keycloak client with the "view_users" role through the curl API

dohp0rv5  posted on 2023-03-30  in  Other
Follow (0) | Answers (1) | Views (126)

I want to create a client on Keycloak with its parameters defined while running the curl API. Among the defined parameters, I want to add the "view_users" role to the client; this role sits under "Client Roles" in the client titled "realm-management". I want to reproduce this action with the curl API: [screenshot: Adding the "view_users" role] [screenshot: The role "view_users" is assigned]
Currently, the API request that creates the client looks like this:

curl --location --request POST "http://$ip:8180/auth/admin/realms/$realm/clients" \
    --header 'Content-Type: application/json' \
    -H "Authorization: bearer $TOKEN" \
    --data-raw '{
        "clientId": "test",
        "enabled": true,
        "consentRequired": false,
        "protocol": "openid-connect",
        "standardFlowEnabled": true,
        "implicitFlowEnabled": false,
        "directAccessGrantsEnabled": false,
        "serviceAccountsEnabled": true,
        "authorizationServicesEnabled": true,
        "rootUrl": "http://localhost:8180/test"
    }'

There is probably a missing field in "data-raw" that assigns the "view_users" role of the "realm-management" client to my test client. Could you help me find this field? Or could you suggest an alternative solution?
Thanks in advance for your answers!

9jyewag0 (answer #1)

The view_users role cannot be set at client creation time.
It can be assigned after creation through a separate API (client role mapping).

curl --location --request POST "http://localhost:8180/auth/admin/realms/$REALM_NAME/users/$SERVICE_ACCOUNT_USER_ID/role-mappings/clients/$REALM_MANAGEMENT_CLIENT_ID" \
--header "Authorization: Bearer $MASTER_TOKEN" \
--header 'Content-Type: application/json' \
--data-raw '[
    {
        "id":"'$VIEW_USER_ID'",
        "name":"view-users",
        "description":"${role_view-users}",
        "composite":true,
        "clientRole":true,
        "containerId":"'$REALM_MANAGEMENT_CLIENT_ID'"
    }
]'

This API requires three items:

$SERVICE_ACCOUNT_USER_ID
$REALM_MANAGEMENT_CLIENT_ID
$VIEW_USER_ID

Demo steps

I am using Keycloak v18.0.2, curl, jq, a git bash terminal and Windows 10
(it also works without problems on Linux).
So all captured images follow the curl commands.
Steps 3 and 7 are the key steps.

I will demonstrate all API calls with curl.

#1 Set {credentials, client name, realm name}

MASTER_USERNAME=admin
MASTER_PASSWORD=admin
REALM_NAME=my-realm
CLIENT_NAME=demo
echo 'MASTER_USERNAME = '$MASTER_USERNAME
echo 'MASTER_PASSWORD = '$MASTER_PASSWORD
echo 'REALM_NAME = '$REALM_NAME
echo 'CLIENT_NAME= '$CLIENT_NAME

#2 Get the master token

More details here

MASTER_TOKEN_URL=$(curl --location --request GET 'http://localhost:8180/auth/realms/master/.well-known/openid-configuration' | jq -r '.token_endpoint')
echo $MASTER_TOKEN_URL

MASTER_TOKEN=$(curl --location --request POST "$MASTER_TOKEN_URL" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'username='$MASTER_USERNAME \
--data-urlencode 'password='$MASTER_PASSWORD \
--data-urlencode 'grant_type=password' | jq -r '.access_token')
echo 'MASTER_TOKEN = '$MASTER_TOKEN

#3 Create the client

curl --location --request POST 'http://localhost:8180/auth/admin/realms/'$REALM_NAME'/clients' \
--header 'Authorization: Bearer '$MASTER_TOKEN \
--header 'Content-Type: application/json' \
--data-raw '{
    "clientId":"'$CLIENT_NAME'",
    "enabled":true,
    "consentRequired": false,
    "attributes":{},
    "serviceAccountsEnabled": true,
    "protocol":"openid-connect",
    "publicClient":false,
    "authorizationServicesEnabled": true,
    "clientAuthenticatorType":"client-secret",
    "redirectUris":["http://localhost:8180/demo"]
}'

#4 Get {service-account-user-id}

SERVICE_ACCOUNT_USER_ID=$(curl --location --request GET 'http://localhost:8180/auth/admin/realms/'$REALM_NAME'/users/?username=service-account-'$CLIENT_NAME \
--header 'Authorization: Bearer '$MASTER_TOKEN | jq -r .[0].id)
echo 'SERVICE_ACCOUNT_USER_ID = '$SERVICE_ACCOUNT_USER_ID

#5 Get {realm-management-client-id}

REALM_MANAGEMENT_CLIENT_ID=$(curl --location --request GET 'http://localhost:8180/auth/admin/realms/'$REALM_NAME'/clients' \
--header 'Authorization: Bearer '$MASTER_TOKEN | jq -r '. | map(select(.clientId == "realm-management")) | .[0].id')
echo 'REALM_MANAGEMENT_CLIENT_ID = '$REALM_MANAGEMENT_CLIENT_ID

#6 Get {view_user_role_id}

VIEW_USERS_ID=$(curl --location --request GET 'http://localhost:8180/auth/admin/realms/'$REALM_NAME'/clients/'$REALM_MANAGEMENT_CLIENT_ID'/roles' \
--header 'Authorization: Bearer '$MASTER_TOKEN | jq -r '. | map(select(.name == "view-users")) | .[0].id')
echo 'VIEW_USERS_ID = '$VIEW_USERS_ID

#7 Assign the view-users role to the client

curl --location --request POST 'http://localhost:8180/auth/admin/realms/'$REALM_NAME'/users/'$SERVICE_ACCOUNT_USER_ID'/role-mappings/clients/'$REALM_MANAGEMENT_CLIENT_ID \
--header 'Authorization: Bearer '$MASTER_TOKEN \
--header 'Content-Type: application/json' \
--data-raw '[
    {
        "id":"'$VIEW_USERS_ID'",
        "name":"view-users",
        "description":"${role_view-users}",
        "composite":true,
        "clientRole":true,
        "containerId":"'$REALM_MANAGEMENT_CLIENT_ID'"
    }
]'

#8 Confirm

Finally, you can confirm through curl or the UI.

curl --location --request GET 'http://localhost:8180/auth/admin/realms/'$REALM_NAME'/users/'$SERVICE_ACCOUNT_USER_ID'/role-mappings/clients/'$REALM_MANAGEMENT_CLIENT_ID \
--header 'Authorization: Bearer '$MASTER_TOKEN | jq --indent 4
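The answer's steps 2 to 8 as one script, added here as an example; it is not code from the original post or from the Keycloak project. It uses only the Python standard library, so no jq is needed, and it tightens the three lookups: the service-account user is searched with `exact=true` (documented on current Keycloak versions; assumed to be present on the target), the `realm-management` client is filtered server-side with `?clientId=`, the role is fetched by name, and a lookup that returns zero or several matches is an error instead of silently taking `.[0]`. The base URL, realm, client name and bootstrap credentials are assumptions that mirror the answer's demo values.

```python
"""Map realm-management/view-users onto a client's service account via the Keycloak Admin REST API."""
import json
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8180/auth"   # assumed: Keycloak 18 with the legacy /auth prefix
REALM = "my-realm"                        # assumed, as in the answer
CLIENT_NAME = "demo"                      # assumed: the client created in step 3
ADMIN_USER = "admin"                      # assumed bootstrap admin credentials
ADMIN_PASSWORD = "admin"


def api(method, url, token=None, body=None, form=None):
    """One round-trip with a JSON or form body and optional bearer token; None on an empty 201/204."""
    data, headers = None, {}
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def master_token(base=BASE_URL, user=ADMIN_USER, password=ADMIN_PASSWORD):
    """Step 2: password grant on master/admin-cli, the same way the answer obtains MASTER_TOKEN."""
    disc = api("GET", f"{base}/realms/master/.well-known/openid-configuration")
    tok = api("POST", disc["token_endpoint"], form={
        "client_id": "admin-cli", "grant_type": "password",
        "username": user, "password": password,
    })
    return tok["access_token"]


def pick_one(items, key, value):
    """Strict form of the answer's jq `map(select(.key == value)) | .[0]`: that pipeline yields
    null on no hit and silently takes the first of several; here both cases raise."""
    hits = [i for i in items if i.get(key) == value]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one {key}={value!r}, found {len(hits)}")
    return hits[0]


def role_mapping_payload(role):
    """Body for POST .../role-mappings/clients/{containerId}. Keycloak matches the posted `id`
    and `name` against the existing role; the other fields in the answer's payload are not required."""
    return [{"id": role["id"], "name": role["name"]}]


def has_role(mappings, role_name):
    """Step 8 check over the list that GET .../role-mappings/clients/{containerId} returns."""
    return any(m.get("name") == role_name for m in mappings)


def grant_client_role(token, client_name=CLIENT_NAME, role_name="view-users",
                      base=BASE_URL, realm=REALM, container="realm-management"):
    """Steps 4 to 8: map <container>/<role_name> onto service-account-<client_name>, then verify."""
    admin = f"{base}/admin/realms/{realm}"
    # Step 4: exact=true stops a search for service-account-demo from also matching service-account-demo2.
    sa_name = f"service-account-{client_name}"
    q = urllib.parse.urlencode({"username": sa_name, "exact": "true"})
    sa_user = pick_one(api("GET", f"{admin}/users?{q}", token), "username", sa_name)
    # Step 5: the clients endpoint filters by clientId, so the whole client list is not needed.
    rm = pick_one(api("GET", f"{admin}/clients?clientId={container}", token), "clientId", container)
    # Step 6: a client role can be fetched by name instead of listing every role.
    role = api("GET", f"{admin}/clients/{rm['id']}/roles/{role_name}", token)
    # Step 7: the mapping itself (HTTP 204 on success).
    mapping_url = f"{admin}/users/{sa_user['id']}/role-mappings/clients/{rm['id']}"
    api("POST", mapping_url, token, body=role_mapping_payload(role))
    # Step 8: read the mapping back rather than trusting the 204.
    if not has_role(api("GET", mapping_url, token), role_name):
        raise RuntimeError(f"{role_name} is not present on {sa_name} after mapping")
    return {"service_account_user_id": sa_user["id"], "container_client_id": rm["id"], "role_id": role["id"]}


if __name__ == "__main__":
    print(json.dumps(grant_client_role(master_token()), indent=2))
```

Two caveats worth keeping in mind when running this. First, `view-users` is a composite role in `realm-management` (it pulls in `query-users` and `query-groups`), so after step 7 the client's service account can enumerate every user in the realm; grant it only to clients that genuinely need that, and prefer `query-users` alone where listing is all that is required. Second, the master-realm password grant against `admin-cli` is fine for a one-off demo, but for automation a dedicated confidential client with the client-credentials grant and only the realm-management roles the job needs (here `manage-users` on the target realm, which is what the role-mapping call requires) is the least-privilege choice; the master access token also expires after 60 seconds by default, so the steps must run in one go.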
