Sairaj1417

Reputation: 13

Unable to receive Client Secret using keycloak admin cli endpoint

I am using the following endpoint: http://localhost:8083/auth/admin/realms/Myrealm/clients/ltiobf/client-secret

and getting the response as

{
  "error": "HTTP 401 Unauthorized"
}
    

I am getting the access token from Keycloak using the following:

curl --location --request POST 'http://localhost:8083/auth/realms/Myrealm/protocol/openid-connect/token' \
    --header 'cache-control: no-cache' \
    --header 'content-type: application/x-www-form-urlencoded' \
    --header 'postman-token: de7d68a0-5b21-1405-ed1a-9b7a6cb0da25' \
    --header 'Cookie: JSESSIONID=Sqb7zNt9Bk8OAx4vEjhjUDKQU_qw6K9B4jjJq69i.magistrate; XSRF-TOKEN=c620bf0f-a46a-41b4-bc30-558e96422123; JSESSIONID=gDz-86p4prmLkl12O7kx-8FdIcSAErBYhKitm5r8; JSESSIONID=Sqb7zNt9Bk8OAx4vEjhjUDKQU_qw6K9B4jjJq69i.magistratehq' \
    --data-urlencode 'client_id=ltiobf' \
    --data-urlencode 'username=sairaj1417' \
    --data-urlencode 'password=sairaj123' \
    --data-urlencode 'grant_type=password'

and passing it as an Authentication parameter in the GET request for client secret.

Upvotes: 1

Views: 2103

Answers (1)

dreamcrash

Reputation: 51553

The access token should be one requested on behalf of a user with the proper permissions to request Tokens omitted by Keycloak:

curl    -d "client_id=admin-cli" \
        -d "username=$ADMIN_NAME" \
        -d "password=$ADMIN_PASSWORD" \
        -d "grant_type=password" \
        https://$KEYCLOAK_IP/auth/realms/master/protocol/openid-connect/token

with the admin-cli as the client ID. From that response (i.e., a Keycloak Token Object), extract the access token; let us name it $ACCESS_TOKEN.

If you have access to the Admin console you can easily get the client secret by going to:

  • your Realm;
  • then click on clients and select your client;
  • go to the Credentials tab; there you have it.

However, if you want to do it using the Keycloak REST API, first you need to know the ID of the client, which can be obtained using:

curl -X GET "https://<KEYCLOAK_IP>/auth/admin/realms/<REALM_NAME>/clients?clientId=<CLIENT_ID>" \
            -H "Authorization: bearer $ACCESS_TOKEN"

(the <CLIENT_ID> is basically the client name). From that response, you need to extract the desired ID of the client. With that ID you can extract the client secret, using:

curl -X GET "https://<KEYCLOAK_IP>/auth/admin/realms/<REALM_NAME>/clients/<ID of the client>/client-secret" \
            -H "Authorization: bearer $ACCESS_TOKEN"

I have created scripts in this repo to automatize this process so that the community can use them as they wish.

Upvotes: 1
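The three steps from the answer above (admin token from the master realm via admin-cli, lookup of the client's internal ID, secret fetch), chained as an added Python example; it is not the answer author's script. The `fake_keycloak` transport and every value it returns are constructed so the block runs offline, and the function and parameter names are assumptions of this example.

```python
import json
import urllib.parse
import urllib.request


def http_json(method, url, token=None, form=None):  # real HTTP transport
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def get_client_secret(base, realm, client_id, user, password, send=http_json):
    """Three steps from the answer: admin token, internal ID, client secret."""
    # 1. Token for an admin user, issued by the master realm to admin-cli.
    token = send("POST", f"{base}/realms/master/protocol/openid-connect/token",
                 form={"client_id": "admin-cli", "username": user,
                       "password": password, "grant_type": "password"})["access_token"]
    # 2. The path needs the client's internal ID, not its clientId (name).
    clients_url = f"{base}/admin/realms/{urllib.parse.quote(realm, safe='')}/clients"
    found = send("GET", clients_url + "?" + urllib.parse.urlencode({"clientId": client_id}),
                 token=token)
    ids = [c["id"] for c in found if c.get("clientId") == client_id]
    if len(ids) != 1:
        raise LookupError(f"expected one client named {client_id!r}, got {len(ids)}")
    # 3. Fetch the secret; a client without one returns no "value" field.
    cred = send("GET", f"{clients_url}/{ids[0]}/client-secret", token=token)
    if not cred.get("value"):
        raise LookupError(f"client {client_id!r} has no secret")
    return cred["value"]


def fake_keycloak(method, url, token=None, form=None):
    """Constructed stand-in for a Keycloak server so the example runs offline."""
    if url.endswith("/openid-connect/token"):
        return {"access_token": "constructed-admin-token"}
    if token != "constructed-admin-token":
        raise PermissionError("HTTP 401 Unauthorized")
    if url.endswith("/clients?clientId=ltiobf"):
        return [{"id": "0000-constructed-id", "clientId": "ltiobf"}]
    if url.endswith("/clients/0000-constructed-id/client-secret"):
        return {"type": "secret", "value": "constructed-secret"}
    return []


if __name__ == "__main__":
    args = ("http://localhost:8083/auth", "Myrealm", "ltiobf", "admin", "constructed-pw")
    print(get_client_secret(*args, send=fake_keycloak))
```

Against a real server, omit `send` and read the admin password from the environment or a prompt rather than hard-coding it.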
