Introduction

rdf-pub needs access to Keycloak users. Therefore we use a Service Account. The following manual shows how to set up a client with a service account.

How to

Create client

  • Log in to your Keycloak Admin Console and open your realm.

  • Choose 'Clients' in the menu on the left.

  • Click on 'Create' on the upper right.

(screenshot: createClient)
  • Give your client a name, e.g. rdf-pub, and save the dialog.

(screenshot: nameTheClient)
  • Adjust the 'Access Type' to confidential.

  • Switch on 'Service Accounts Enabled'.

  • Configure a 'Valid Redirect URIs' entry, e.g. http://localhost:8080 if you are testing a local rdf-pub instance.

  • Click on the 'Save' button at the bottom of the form.

(screenshot: configureClient)
  • Go to the tab 'Credentials'; there you can copy the 'Secret' key.

(screenshot: clientSecret)
  • Go to the tab 'Service Account Roles'.

  • Select 'realm-management' in the 'Client Roles' drop-down.

  • Choose 'Available Roles' → 'view-users'.

  • Click on the 'Add selected' button.

(screenshot: addRoleViewUsers)

View after you clicked on 'Add selected':

(screenshot: roleViewUsersAdded)

Test with Postman

  • Create a new GET request in Postman: http(s)://<host>:<port>/auth/admin/realms/<yourRealm>/users

  • Grant Type: Client Credentials

  • Access Token URL: http(s)://<host>:<port>/auth/realms/<yourRealm>/protocol/openid-connect/token

  • Client ID: 'rdf-pub' or any other name you chose while creating the client. See above.

  • Client Secret: the Secret copied from the tab 'Credentials'. See above.

  • Click on 'Get New Access Token'

  • Click on 'Proceed' or wait a few seconds until the 'Get new access token' dialog closes.

  • Click on "Use Token"

  • Postman has now added the requested token to the access token header.

  • After the token has expired, you have to repeat the 'Get New Access Token' procedure.

  • Click on 'Send'

  • If you are lucky, you now have a list of users in the Postman response window.

(screenshot: postman1)
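The Postman steps above are the OAuth2 client-credentials flow followed by one call to the admin REST API. The example below (added here; it is not part of the rdf-pub project) does the same thing in code: it POSTs grant_type=client_credentials with the client ID and secret to the token URL, caches the returned access token until shortly before expires_in runs out, fetches a new one when it has expired (the "redo the procedure" step), and sends the token as a Bearer header to the /admin/realms/<realm>/users endpoint. The host name, realm, secret and the FakeKeycloak responses are constructed for the example so that it runs offline; against a real server you would omit the http= argument and the urllib transport is used.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request


class KeycloakServiceAccount:
    """Client-credentials login plus a call to the admin users endpoint.

    base_url is the Keycloak root including the /auth prefix used in this manual.
    http is an injectable transport (method, url, headers, body) -> (status, bytes)
    so the flow can be exercised offline against a constructed fake server.
    """

    def __init__(self, base_url, realm, client_id, client_secret, http=None):
        self.base_url = base_url.rstrip("/")
        self.realm = realm
        self.client_id = client_id
        self.client_secret = client_secret
        self._http = http or self._urllib_http
        self._token = None
        self._expires_at = 0.0

    @property
    def token_url(self):
        # The "Access Token URL" from the Postman steps
        return f"{self.base_url}/realms/{self.realm}/protocol/openid-connect/token"

    @property
    def users_url(self):
        # The admin endpoint the GET request targets
        return f"{self.base_url}/admin/realms/{self.realm}/users"

    @staticmethod
    def _urllib_http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # non-2xx: hand the status back instead of raising
            return err.code, err.read()

    def get_token(self, now=None):
        """Return a cached access token; fetch a new one when it is (nearly) expired."""
        now = time.time() if now is None else now
        if self._token is not None and now < self._expires_at - 10:  # 10 s safety margin
            return self._token
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        }).encode()
        status, payload = self._http(
            "POST", self.token_url,
            {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status} {payload[:200]!r}")
        data = json.loads(payload)
        self._token = data["access_token"]
        self._expires_at = now + int(data["expires_in"])
        return self._token

    def list_users(self, now=None):
        """GET /admin/realms/<realm>/users with a Bearer token; returns the parsed JSON list."""
        token = self.get_token(now)
        status, payload = self._http(
            "GET", self.users_url, {"Authorization": f"Bearer {token}"}, None)
        if status == 403:
            raise PermissionError("service account lacks the realm-management/view-users role")
        if status != 200:
            raise RuntimeError(f"users request failed: HTTP {status}")
        return json.loads(payload)


class FakeKeycloak:
    """Constructed stand-in for a Keycloak server; all responses are invented for this example."""

    def __init__(self, secret="s3cret"):
        self.secret = secret
        self.issued = 0  # number of access tokens handed out

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith("/protocol/openid-connect/token"):
            form = urllib.parse.parse_qs(body.decode())
            if form.get("grant_type") != ["client_credentials"] or form.get("client_secret") != [self.secret]:
                return 401, b'{"error":"unauthorized_client"}'
            self.issued += 1
            return 200, json.dumps({"access_token": f"tok-{self.issued}",
                                    "expires_in": 60, "token_type": "Bearer"}).encode()
        if method == "GET" and url.endswith("/users"):
            if not headers.get("Authorization", "").startswith("Bearer tok-"):
                return 401, b""
            return 200, json.dumps([{"username": "alice", "email": "alice@example.org"}]).encode()
        return 404, b""


def demo():
    """Run the flow against the fake server with a controlled clock."""
    server = FakeKeycloak()
    sa = KeycloakServiceAccount("https://keycloak.example.org/auth", "myrealm",
                                "rdf-pub", "s3cret", http=server)
    t0 = 1_000_000.0
    first = sa.get_token(now=t0)          # first login: token fetched
    same = sa.get_token(now=t0 + 30)      # still valid: cached token reused
    renewed = sa.get_token(now=t0 + 61)   # expired: a new token is fetched
    users = sa.list_users(now=t0 + 61)    # Bearer call to the admin users endpoint
    return first, same, renewed, users, server.issued


if __name__ == "__main__":
    for u in demo()[3]:
        print(u["username"], "-", u["email"])
```

A wrong secret produces HTTP 401 from the token endpoint before any admin call is made, while a correct secret on a service account that was not given the view-users role yields HTTP 403 from the users endpoint; the two failure points are kept distinct so a failing setup can be traced to the step above that was skipped.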

Test with Java

With a simple unit test you should also be able to access the users:

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.junit.jupiter.api.Test;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.UsersResource;

class TestKeycloakAccess {

    @Test
    void test() {
        // Log in with the service account of the 'rdf-pub' client (client credentials grant).
        // Keycloak implements AutoCloseable, so try-with-resources releases the HTTP client.
        try (Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl("https://login.m4h.network/auth")
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .realm("LOA")
                .clientId("rdf-pub")
                // the value copied from the 'Credentials' tab of the client
                .clientSecret("2293c6fd-7b11-427a-8656-d59be33ef119")
                .resteasyClient(
                        new ResteasyClientBuilder()
                                .connectionPoolSize(10).build()
                ).build()) {

            // Requires the 'realm-management' -> 'view-users' service account role set up above
            UsersResource ur = keycloak.realm("LOA").users();
            ur.list().forEach(u -> System.out.println(u.getUsername() + " - " + u.getEmail()));
        }
    }
}