Closed giovannialbero1992 closed 3 years ago
It is indirectly possible if you use the OAuth2 ClientCredentialsGrant. In this case you can receive a valid token by accessing the token-endpoint directly with basic authentication. If the lifetime of the tokens is your problem, you are able to configure the token lifetime per client and per realm. If you want to try it with the ClientCredentialsGrant you need to enable ServiceAccount in the client's configuration. After that a new tab should appear called "Service Account" where you can add realm-roles. The client acts as user and client if service account is enabled. Afterwards you can increase the lifetime of the token to 1 day or something similar. Just be sure to be cautious on production environments with long-living tokens.
Does this help?
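As an added illustration of the configuration steps described above (this is not from the thread or the scim-for-keycloak project), the following is a Keycloak client representation, in the JSON form the admin console import and kcadm.sh accept, for such a service-account client. The field names are Keycloak's; the client name, the 86400-second (1 day) `access.token.lifespan`, and the disabled browser/password flows are assumptions chosen for the example:

```json
{
  "clientId": "my-scim-client",
  "protocol": "openid-connect",
  "enabled": true,
  "publicClient": false,
  "clientAuthenticatorType": "client-secret",
  "serviceAccountsEnabled": true,
  "standardFlowEnabled": false,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "attributes": {
    "access.token.lifespan": "86400"
  }
}
```

The realm roles mentioned above are not part of this file: they are mapped onto the `service-account-my-scim-client` user that Keycloak creates for the client (the `preferred_username` that later appears in the token in this thread). Disabling the standard, implicit and direct-access flows leaves client_credentials as the only grant the client can use, which is the least-privilege shape for a machine client. The per-client lifespan overrides the realm default only for this client; keep it as short as the consuming software tolerates, since a leaked bearer token stays valid until `exp` regardless of what else you revoke.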
Thanks @Captain-P-Goldfish, but the only method I have to communicate with the SCIM endpoints is via basic authentication. Your suggestion passes through a token release, or am I missing something?
You are using curl, right? So you still have the possibility to authenticate with Bearer tokens by setting the authorization header manually:
curl -H "Authorization: Bearer ${TOKEN}" http://localhost:8080/auth/realms/test/scim/v2/Groups
But there is unfortunately no way that I will start messing around with the login mechanisms of keycloak. At least I cannot see why the only possible authentication form should be basic.
I know :-) ... the endpoint will be consumed by legacy software and I don't have control over it :( ... I'm looking for a solution
In this case I am afraid I cannot help. Adding alternative login mechanisms would potentially introduce some unwanted security risks into keycloak, and I would like to avoid this.
Feel free to reopen if you have another idea or solution we could come up with, but this is out of scope for this project, I'm afraid.
Thanks @Captain-P-Goldfish .
I also tried your suggestion, but I received an error with "unauthenticated". I tried a service account and a user, but nothing.
Works for me. Just tried:
curl -X POST -u my-scim-client:c6cfad8b-fb5e-416e-95d9-6180ddd2d273 -H "Content-Type: application/x-www-form-urlencoded" --data "client_id=my-scim-client&grant_type=client_credentials" http://localhost:8080/auth/realms/scim/protocol/openid-connect/token
and got
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIwM1MzN1FoLXFKemk1U3M5MTdfcTZ1Y2NuR2FYMXJFQXJFN1FoYUpjc2dBIn0.eyJleHAiOjE2MjY4MzU3MDYsImlhdCI6MTYyNjc5OTcwNiwianRpIjoiZmYwNjBjMTYtMjZkMi00MGE1LWJhZGMtODUzNDQ3M2IxZjBiIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL3NjaW0iLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZDAyZDM3MWQtOTE2ZC00YTUxLWJiZWYtYzdhM2RmOWIzZTI2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibXktc2NpbS1jbGllbnQiLCJhY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwiZGVmYXVsdC1yb2xlcy1zY2ltIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImNsaWVudElkIjoibXktc2NpbS1jbGllbnQiLCJjbGllbnRIb3N0IjoiMTI3LjAuMC4xIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2VydmljZS1hY2NvdW50LW15LXNjaW0tY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjEyNy4wLjAuMSJ9.CaXmUO0M2H4gTKqy_V7z0PkwYXoGqBRT4uF3d_kNvFGp4p2pSAbcNbrAETavf8hEFLrvvzjUe1iLpmCE74uttznQYo1J2OQydoK3QIqC_xxYL9kaNewWb1qHcFcitHs5V2EtnZDvdQM7y8tekgGIDLRQjQOJAP6R-ovB3k48WNPTIRWf2sWaF90RAhaqjAsLMb-HESWOC7YkEfPHm3yxVL9YoMVEktIFM_4DRqZJwGp7CFxvAwID69NvtWdFJk7PwIcgV3tEgC8NUDijWY8PmPLwdPIoRnwtR36lQX8vWkqMT72LSyrE2PN7FAROsOeoJf6jxQOkkPvmjaYA5stlAA","expires_in":36000,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"profile email"}
Store the token in a variable:
BEARER=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIwM1MzN1FoLXFKemk1U3M5MTdfcTZ1Y2NuR2FYMXJFQXJFN1FoYUpjc2dBIn0.eyJleHAiOjE2MjY4MzU3MDYsImlhdCI6MTYyNjc5OTcwNiwianRpIjoiZmYwNjBjMTYtMjZkMi00MGE1LWJhZGMtODUzNDQ3M2IxZjBiIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL3NjaW0iLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZDAyZDM3MWQtOTE2ZC00YTUxLWJiZWYtYzdhM2RmOWIzZTI2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibXktc2NpbS1jbGllbnQiLCJhY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwiZGVmYXVsdC1yb2xlcy1zY2ltIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImNsaWVudElkIjoibXktc2NpbS1jbGllbnQiLCJjbGllbnRIb3N0IjoiMTI3LjAuMC4xIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2VydmljZS1hY2NvdW50LW15LXNjaW0tY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjEyNy4wLjAuMSJ9.CaXmUO0M2H4gTKqy_V7z0PkwYXoGqBRT4uF3d_kNvFGp4p2pSAbcNbrAETavf8hEFLrvvzjUe1iLpmCE74uttznQYo1J2OQydoK3QIqC_xxYL9kaNewWb1qHcFcitHs5V2EtnZDvdQM7y8tekgGIDLRQjQOJAP6R-ovB3k48WNPTIRWf2sWaF90RAhaqjAsLMb-HESWOC7YkEfPHm3yxVL9YoMVEktIFM_4DRqZJwGp7CFxvAwID69NvtWdFJk7PwIcgV3tEgC8NUDijWY8PmPLwdPIoRnwtR36lQX8vWkqMT72LSyrE2PN7FAROsOeoJf6jxQOkkPvmjaYA5stlAA
Then:
curl -H "Authorization: Bearer ${BEARER}" http://localhost:8080/auth/realms/scim/scim/v2/Users
and eventually received:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":1,"itemsPerPage":1,"startIndex":1,"Resources":[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"id":"586cded0-8bb6-4020-b262-bf0ebfa49cf2","userName":"my-test-user","active":true,"meta":{"resourceType":"User","created":"2021-07-20T16:50:38.717Z","lastModified":"2021-07-20T16:50:38.717Z","location":"http://localhost:8080/auth/realms/scim/scim/v2/Users/586cded0-8bb6-4020-b262-bf0ebfa49cf2"}}]}
Works perfectly fine for me
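The exchange above, as an added example that is not part of this thread or of the scim-for-keycloak project: a small POSIX shell script that obtains the access token with the client-credentials grant (client secret sent as HTTP basic auth to the token endpoint, the one place basic auth is accepted), decodes the token's `exp` and `azp` claims locally before use, and then calls the SCIM endpoint with the bearer token. It goes slightly beyond the thread by refusing to call SCIM with an already-expired token. The base URL, realm name, client name and the `CLIENT_SECRET` environment variable are assumptions; `make_demo_token` builds a constructed, unsigned token (reusing the `exp`/`iat` values of the token shown above) so the helpers can be exercised offline without a Keycloak instance.

```shell
#!/bin/sh
# Added example, not code from the scim-for-keycloak project.
# Assumptions: Keycloak base URL, realm "scim", client "my-scim-client",
# and the client secret supplied via the CLIENT_SECRET environment variable.
set -eu

KC_BASE="${KC_BASE:-http://localhost:8080/auth}"   # assumed Keycloak base URL
REALM="${REALM:-scim}"                             # assumed realm name

# base64url helpers (JWT segments are base64url without padding).
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  s="$1"
  # re-add '=' padding so base64 -d accepts the input, then swap the alphabet
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | tr '_-' '/+' | base64 -d
}

# Pull the access_token value out of the token-endpoint JSON (no jq needed).
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Read one top-level string or numeric claim from the JWT payload segment.
# This only DECODES the payload; it does not verify the signature. Only
# Keycloak's SCIM endpoint verifies the token; this is a local sanity check.
jwt_claim() {
  payload="$(printf '%s' "$1" | cut -d. -f2)"
  b64url_decode "$payload" | sed -n 's/.*"'"$2"'":"\{0,1\}\([^",}]*\).*/\1/p'
}

# Seconds until the token's exp claim; negative means it has already expired.
token_seconds_left() {
  echo $(( $(jwt_claim "$1" exp) - $(date +%s) ))
}

# Exchange client id + secret for an access token. The secret travels in the
# basic-auth header (-u), so it does not need to be repeated in the body.
get_token() {
  client_id="$1"; client_secret="$2"
  curl -sS -u "${client_id}:${client_secret}" \
    -d grant_type=client_credentials \
    "${KC_BASE}/realms/${REALM}/protocol/openid-connect/token" \
  | extract_access_token
}

# Call a SCIM resource (Users, Groups, ...) with the bearer token.
scim_get() {
  token="$1"; resource="$2"
  curl -sS -H "Authorization: Bearer ${token}" \
    "${KC_BASE}/realms/${REALM}/scim/v2/${resource}"
}

# Constructed demo token for offline use: exp and iat 36000 s apart like the
# thread's token, with a placeholder signature that Keycloak would reject.
make_demo_token() {
  hdr="$(printf '{"alg":"RS256","typ":"JWT"}' | b64url_encode)"
  body="$(printf '{"exp":%s,"iat":%s,"azp":"%s"}' "$1" "$(( $1 - 36000 ))" "$2" | b64url_encode)"
  printf '%s.%s.%s' "$hdr" "$body" "placeholder-signature"
}

main() {
  token="$(get_token my-scim-client "${CLIENT_SECRET:?set CLIENT_SECRET}")"
  if [ "$(token_seconds_left "$token")" -le 0 ]; then
    echo "token already expired, refusing to call SCIM" >&2
    exit 1
  fi
  scim_get "$token" Users
}

# Run main only when executed as scim_client.sh, not when sourced elsewhere.
case "${0##*/}" in
  scim_client.sh) main "$@" ;;
esac
```

Run it as `CLIENT_SECRET=... ./scim_client.sh` (after saving it under that name); the secret comes from the environment rather than the command line so it does not end up in shell history the way the `-u my-scim-client:<secret>` command above does. Note that the thread's token request sends `client_id` twice, once in the basic-auth header and once in the form body; for a confidential client the header alone is sufficient, which is what `get_token` relies on.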
Ok, I understood 😅... I caught my error 😁 Thanks for the patience
glad it works :-)
Hi @Captain-P-Goldfish, I have a stupid question (or I hope it can be stupid :sweat: ): is it possible to call the SCIM endpoints with basic authentication?
for example
curl -XGET http://localhost:8080/auth/realms/test/scim/v2/Groups -u admin:password
? It could be very useful.
Thanks again