Closed udayskm closed 1 year ago
Hi,
Indeed, I did not adjust the client module, which serves as an example only, so I didn't even think about that :-) For what reason do you use it?
Hi, I enabled SCIM UI in Keycloak, I am trying to create Users and Groups for better understanding of SCIM using SCIM Client and found that it is not working.
From Postman, I tried to access RealmRoles and it is expecting credentials other than bearer token.
If not client, can you let me know how to use it from Postman?
I can't verify the behaviour you are experiencing. Here is what I did:
POST https://localhost:8443/realms/master/protocol/openid-connect/token
Authorization: Basic YWRtaW4tY2xpOm5vdCtuZWNlc3Nhcnk=
Content-Type: application/x-www-form-urlencoded

password=admin&grant_type=password&username=admin
5. and then I accessed the Realm SCIM endpoint like this:
GET https://localhost:8443/realms/master/scim/v2/RealmRoles
Authorization: Bearer <access_token>
I am not using Postman since I got better options like IntelliJ, so I can't give support there.
EDIT:
I would guess that your problem is the access-token lifespan of 60 seconds. Increase it and I would guess you should be fine.
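An added example (not part of the original thread or the project's code): a way to check whether a 401 from the SCIM endpoint is explained by an expired access token, as guessed above. It reads `iat` and `exp` from the token without verifying the signature; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_timing(access_token, now=None):
    """Read iat/exp from a JWT access token WITHOUT verifying its signature.

    For troubleshooting only; never use unverified claims for authorization.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if "exp" not in claims:
        raise ValueError("token carries no exp claim")
    now = time.time() if now is None else now
    exp, iat = claims["exp"], claims.get("iat")
    return {
        "lifespan": None if iat is None else exp - iat,  # configured lifetime
        "remaining": exp - now,                           # seconds left
        "expired": now >= exp,
    }


def make_sample_token(iat, lifespan):
    # Constructed, unsigned sample token (assumption: illustration only).
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iat": iat, "exp": iat + lifespan}), "sig"])


if __name__ == "__main__":
    issued = 1_700_000_000
    token = make_sample_token(issued, 60)
    # 45 s after issue the token is still valid; 61 s after issue it is not.
    for offset in (45, 61):
        print(offset, token_timing(token, now=issued + offset))
```

If `expired` is true at the moment the SCIM request is sent, the 401 comes from the token lifetime rather than from the SCIM configuration.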
I am trying to simulate the scenario from UI. Log in to Keycloak application and navigate to SCIM menu. Go to "Resources" tab. Enabled authentication for ResourceTypes.
Click on "Group/RealmRole/User" hyperlink and response is as follows:
{ "detail": "not authenticated", "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "status": 401, "scimType": "unauthenticated" }
Just working out-of-the-box and haven't assigned any groups/roles to even "admin" user.
Kindly let me know if I am misunderstanding the concept/usage.
That is correct behaviour.
As you can see in the right green box, Require Authentication is set to true, so you will not be able to access these endpoints by just clicking the hyperlink. For testing purposes you could disable the authentication and then you will be directly able to access the hyperlink. Otherwise you will need to authenticate via OAuth2/OpenID Connect to access the SCIM endpoints.
Please make sure to not ignore the security-considerations part within the README. You do not want anyone having access to the realm to also have access to the SCIM endpoints.
Thank you @Captain-P-Goldfish for explaining it. I am closing the ticket.
Hello @Captain-P-Goldfish, facing issues related to ScimClient
ScimClient.java
1) Base URLs are not updated as per the latest release.
2) While executing the code, let's say for deleting all users, although bearer token is provided, unauthenticated 401 is returned as response.
Following is the SCIM configuration for "test" realm:
Following is the response:
{ "detail": "not authenticated", "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "status": 401, "scimType": "unauthenticated" }
Tried from ScimClient as well as Postman. Same error persists.
Kindly let me know if I am missing anything!