Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License

Unauthenticated error while deleting all users in ScimClient (scim-for-keycloak-server) #58

Closed udayskm closed 1 year ago

udayskm commented 1 year ago

Hello @Captain-P-Goldfish, I am facing issues related to ScimClient.

ScimClient.java

1) Base URLs are not updated as per the latest release.
2) While executing the code, let's say for deleting all users, although a bearer token is provided, an unauthenticated 401 is returned as the response.

Following is the SCIM configuration for "test" realm:

[screenshot]

Following is the response:

```json
{
  "detail": "not authenticated",
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ],
  "status": 401,
  "scimType": "unauthenticated"
}
```

Tried from ScimClient as well as Postman. The same error persists.

[screenshot]

Kindly let me know if I am missing anything!

Captain-P-Goldfish commented 1 year ago

Hi,

Indeed, I did not adjust the client module, which serves as an example only, so I didn't even think about that :-) For what reason do you use it?

udayskm commented 1 year ago

Hi, I enabled the SCIM UI in Keycloak. I am trying to create Users and Groups for a better understanding of SCIM using the SCIM Client and found that it is not working.

From Postman, I tried to access RealmRoles and it is expecting credentials other than a bearer token.

If not the client, can you let me know how to use it from Postman?

Captain-P-Goldfish commented 1 year ago

I can't verify the behaviour you are experiencing. Here is what I did:

1. I enabled the SCIM endpoint in the master realm on Keycloak 18.0.2.
2. To make it fast and easy I used the public client admin-cli (make sure this is not possible in production mode by setting authorization rights at the SCIM endpoints).
3. I increased the access-token lifespan to 60 minutes because the default is set to 60 seconds, which is difficult if you are working with Postman for testing.
4. I retrieved the access token for user admin:

    ```http
    POST https://localhost:8443/realms/master/protocol/openid-connect/token
    Authorization: Basic YWRtaW4tY2xpOm5vdCtuZWNlc3Nhcnk=
    Content-Type: application/x-www-form-urlencoded

    password=admin&grant_type=password&username=admin
    ```

5. And then I accessed the realm SCIM endpoint like this:

    ```http
    GET https://localhost:8443/realms/master/scim/v2/RealmRoles
    Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItbld1MGhIX1dTMnRDQjlvZFU5WExZelJuVHIyV3NQTDhOUHFUWGlnTGZJIn0.….2Yy6m_bJV8gfekWaS2Z57NvqhXxbTvl5qWYvdzUbmdkD0CVy9fgTbQWY1yiUzNgVD_3k2ZCYODDKkznw_B9PXMopjyWdFIzqt19L-ElvgOgx-t9unQduGHKFojWLfBWfxiB2dZ5ZUGio5u_ORW0ljGsRylmdIhXKCTki9q3aNLrbw8YwftEpcFsnAkwj5oxgapjMeTQeoPDEaqNJo5OEgIodrASCSTT_kWBpVycXPCeUuEZ7Df-TRWl5jLRZgHh8tI4jHv_S3qQ7DjS1J5chkyPMooK5CGVSmWcwGX9Kn4JAMMd8ABYRN3iZ4Pnjbj9FJdA658VG78fc5oS2poJtmA
    ```

I am not using Postman since I have better options like IntelliJ, so I can't give support there.

EDIT:
I would guess that your problem is the access-token lifespan of 60 seconds. Increase it and I would guess you should be fine.

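
Steps 4 and 5 above, plus the two checks this thread turns on, as an added Python example that is not part of the project (the project's own client is ScimClient.java): it assumes the same server URL, realm and public admin-cli client as the thread, passes client_id in the form body instead of the Basic header used above, reads the remaining lifetime from the token's exp claim (the 60-second default the maintainer points at), and parses the SCIM error body quoted in the issue. make_demo_token is a constructed, unsigned token so the decoding and error-handling paths can be exercised offline.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK, REALM = "https://localhost:8443", "master"  # assumed, as in the thread
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

def make_demo_token(exp: int) -> str:
    """Constructed, unsigned JWT shaped like a Keycloak access token (offline use only)."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"none"}'), enc(json.dumps({"exp": exp}).encode()), ""])

def token_seconds_remaining(token: str, now=None) -> int:
    """Seconds until the JWT's exp claim; negative once the token has expired."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    exp = json.loads(base64.urlsafe_b64decode(payload))["exp"]
    return int(exp - (time.time() if now is None else now))

def scim_error(body: bytes):
    """scimType of a SCIM error document, or None when the body is not one."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    is_scim = isinstance(doc, dict) and SCIM_ERROR_SCHEMA in doc.get("schemas", [])
    return doc.get("scimType", "status %s" % doc.get("status")) if is_scim else None

def fetch_token(username: str, password: str, client_id: str = "admin-cli") -> str:
    """Step 4 of the thread: password grant via the public admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "username": username, "password": password}).encode()
    url = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def get_realm_roles(token: str) -> dict:
    """Step 5: GET the realm's SCIM RealmRoles, turning a 401 into a readable diagnosis."""
    if token_seconds_remaining(token) <= 0:
        raise RuntimeError("token already expired: raise the realm's access-token lifespan")
    req = urllib.request.Request(f"{KEYCLOAK}/realms/{REALM}/scim/v2/RealmRoles",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"HTTP {err.code}, scimType={scim_error(err.read())}") from err
```

A local Keycloak usually serves a self-signed certificate, so the two network functions need an SSL context that trusts it before urllib will connect.
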
udayskm commented 1 year ago

I am trying to simulate the scenario from UI. Log in to Keycloak application and navigate to SCIM menu. Go to "Resources" tab. Enabled authentication for ResourceTypes.

[screenshot]

Click on the "Group/RealmRole/User" hyperlink and the response is as follows:

```json
{
  "detail": "not authenticated",
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ],
  "status": 401,
  "scimType": "unauthenticated"
}
```

I am just working out-of-the-box and haven't assigned any groups/roles even to the "admin" user.

Kindly let me know if I am misunderstanding the concept/usage.

Captain-P-Goldfish commented 1 year ago

That is correct behaviour. As you can see in the right green box, Require Authentication is set to true, so you will not be able to access these endpoints by just clicking the hyperlink. For testing purposes you could disable the authentication and then you will be able to access the hyperlink directly. Otherwise you will need to authenticate via OAuth2/OpenID Connect to access the SCIM endpoints.

Please make sure not to ignore the security-considerations part within the README. You do not want anyone having access to the realm to also have access to the SCIM endpoints.

udayskm commented 1 year ago

Thank you @Captain-P-Goldfish for explaining it. I am closing the ticket.