Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License
186 stars, 48 forks

Basic authentication for SCIM endpoints #17

Closed giovannialbero1992 closed 3 years ago

giovannialbero1992 commented 3 years ago

Hi @Captain-P-Goldfish, I have a stupid question (or I hope that can be stupid :sweat: ), is there the possibility to call the SCIM's endpoint with basic authentication?

for example curl -XGET http://localhost:8080/auth/realms/test/scim/v2/Groups -u admin:password ?

It could be very useful

Thanks again

Captain-P-Goldfish commented 3 years ago

It is indirectly possible if you use the OAuth2 ClientCredentialsGrant. In this case you can receive a valid token by accessing the token endpoint directly with basic authentication. If the lifetime of the tokens is your problem, you are able to configure the token lifetime per client and per realm. If you want to try it with the ClientCredentialsGrant you need to enable ServiceAccount in the client's configuration. After that a new tab should appear called "Service Account" where you can add realm roles. The client acts as user and client if service account is enabled. Afterwards you can increase the lifetime of the token to 1 day or something similar. Just be sure to be cautious on productive environments with long-living tokens.

Does this help?

giovannialbero1992 commented 3 years ago

Thanks @Captain-P-Goldfish, but the only method that I have to communicate with SCIM endpoints is via basic authentication. Your suggestion passes through a token release, or am I missing something?

Captain-P-Goldfish commented 3 years ago

You are using curl right? So you still have the possibility to authenticate with Bearer tokens by setting the authorization-header manually:

curl -H "Authorization: Bearer ${TOKEN}" http://localhost:8080/auth/realms/test/scim/v2/Groups 

But there is unfortunately no way that I will start messing around with the login mechanisms of keycloak. At least I cannot see why the only possible authentication form should be basic.

giovannialbero1992 commented 3 years ago

I know :-) ... the endpoint will be consumed by legacy software and I don't have control over it :( ... I'm looking for a solution

Captain-P-Goldfish commented 3 years ago

In this case I am afraid I cannot help. Adding alternative login mechanisms would potentially hold some unwanted security risks that I might open into keycloak and I would like to avoid this.

Captain-P-Goldfish commented 3 years ago

Feel free to reopen if you have another idea or solution we could come up with, but this is out of scope for this project I'm afraid.

giovannialbero1992 commented 3 years ago

Thanks @Captain-P-Goldfish .

I tried also with your suggestion but I received an error with "unauthenticated". I tried service account and a user but nothing.

Captain-P-Goldfish commented 3 years ago

Works for me. Just tried:

curl -X POST -u my-scim-client:c6cfad8b-fb5e-416e-95d9-6180ddd2d273 -H "Content-Type: application/x-www-form-urlencoded" --data "client_id=my-scim-client&grant_type=client_credentials" http://localhost:8080/auth/realms/scim/protocol/openid-connect/token

and got

{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIwM1MzN1FoLXFKemk1U3M5MTdfcTZ1Y2NuR2FYMXJFQXJFN1FoYUpjc2dBIn0.….CaXmUO0M2H4gTKqy_V7z0PkwYXoGqBRT4uF3d_kNvFGp4p2pSAbcNbrAETavf8hEFLrvvzjUe1iLpmCE74uttznQYo1J2OQydoK3QIqC_xxYL9kaNewWb1qHcFcitHs5V2EtnZDvdQM7y8tekgGIDLRQjQOJAP6R-ovB3k48WNPTIRWf2sWaF90RAhaqjAsLMb-HESWOC7YkEfPHm3yxVL9YoMVEktIFM_4DRqZJwGp7CFxvAwID69NvtWdFJk7PwIcgV3tEgC8NUDijWY8PmPLwdPIoRnwtR36lQX8vWkqMT72LSyrE2PN7FAROsOeoJf6jxQOkkPvmjaYA5stlAA","expires_in":36000,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"profile email"}

store token in variable

BEARER=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIwM1MzN1FoLXFKemk1U3M5MTdfcTZ1Y2NuR2FYMXJFQXJFN1FoYUpjc2dBIn0.….CaXmUO0M2H4gTKqy_V7z0PkwYXoGqBRT4uF3d_kNvFGp4p2pSAbcNbrAETavf8hEFLrvvzjUe1iLpmCE74uttznQYo1J2OQydoK3QIqC_xxYL9kaNewWb1qHcFcitHs5V2EtnZDvdQM7y8tekgGIDLRQjQOJAP6R-ovB3k48WNPTIRWf2sWaF90RAhaqjAsLMb-HESWOC7YkEfPHm3yxVL9YoMVEktIFM_4DRqZJwGp7CFxvAwID69NvtWdFJk7PwIcgV3tEgC8NUDijWY8PmPLwdPIoRnwtR36lQX8vWkqMT72LSyrE2PN7FAROsOeoJf6jxQOkkPvmjaYA5stlAA

then

curl -H "Authorization: Bearer ${BEARER}" http://localhost:8080/auth/realms/scim/scim/v2/Users

and eventually received

{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":1,"itemsPerPage":1,"startIndex":1,"Resources":[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"id":"586cded0-8bb6-4020-b262-bf0ebfa49cf2","userName":"my-test-user","active":true,"meta":{"resourceType":"User","created":"2021-07-20T16:50:38.717Z","lastModified":"2021-07-20T16:50:38.717Z","location":"http://localhost:8080/auth/realms/scim/scim/v2/Users/586cded0-8bb6-4020-b262-bf0ebfa49cf2"}}]}

Works perfectly fine for me.
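The flow the maintainer walks through above (basic auth at the realm's token endpoint with grant_type=client_credentials, then a Bearer header on the SCIM call), as an added example that is not part of this thread or of scim-for-keycloak. The class and the `fetch_json` transport parameter are assumptions; the token is cached and refreshed shortly before `expires_in` runs out, so a short client/realm token lifetime works and the long-lived tokens the maintainer warns about are not needed.

```python
import base64
import time
import urllib.parse

class KeycloakScimClient:
    # Assumed helper, not project code. fetch_json(url, headers, body=None) is any
    # transport returning parsed JSON; it is injected so demo() runs offline.
    def __init__(self, base_url, realm, client_id, client_secret,
                 fetch_json, now=time.time, margin=30):
        self.token_url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
        self.scim_url = f"{base_url}/auth/realms/{realm}/scim/v2"
        self.client_id, self.client_secret = client_id, client_secret
        self.fetch_json, self.now, self.margin = fetch_json, now, margin
        self._token, self._expires_at = None, 0.0

    def _basic_auth(self):
        # Basic auth is only ever sent to the token endpoint, never to SCIM.
        raw = f"{self.client_id}:{self.client_secret}".encode()
        return "Basic " + base64.b64encode(raw).decode()

    def access_token(self):
        # Reuse the cached token until `margin` seconds before expires_in elapses.
        if self._token is None or self.now() >= self._expires_at - self.margin:
            body = urllib.parse.urlencode(
                {"grant_type": "client_credentials", "client_id": self.client_id}).encode()
            resp = self.fetch_json(self.token_url, {
                "Authorization": self._basic_auth(),
                "Content-Type": "application/x-www-form-urlencoded"}, body)
            self._token = resp["access_token"]
            self._expires_at = self.now() + float(resp["expires_in"])
        return self._token

    def list_users(self):
        return self.fetch_json(self.scim_url + "/Users",
                               {"Authorization": "Bearer " + self.access_token()})

def demo():
    # Constructed stand-in for Keycloak: counts token requests, issues a 60 s token,
    # and answers SCIM calls with a minimal ListResponse (not real server output).
    calls = {"token": 0}
    def fake(url, headers, body=None):
        if url.endswith("/protocol/openid-connect/token"):
            calls["token"] += 1
            return {"access_token": f"tok{calls['token']}", "expires_in": 60}
        return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "totalResults": 1}
    clock = [1000.0]
    c = KeycloakScimClient("http://localhost:8080", "scim", "my-scim-client", "secret",
                           fetch_json=fake, now=lambda: clock[0])
    c.list_users(); c.list_users()   # second call reuses the cached token
    clock[0] += 45                   # 15 s left, under the 30 s margin: refresh
    c.list_users()
    return calls["token"]            # 2 token requests for 3 SCIM calls
```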

giovannialbero1992 commented 3 years ago

Ok, I understood 😅... I caught my error 😁 Thanks for the patience

Captain-P-Goldfish commented 3 years ago

glad it works :-)