p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Organization resource 404 not found #31

Closed mAlaliSy closed 1 year ago

mAlaliSy commented 1 year ago

Dears, I am using the phase2 Keycloak image, but I am getting a 404 when I try to create an organization using this link: /auth/realms/customers/orgs

I am authenticated using the admin-cli client (as mentioned in the docs examples). I also tried to give it the roles view-organizations, manage-organizations and create-organization, but it didn't work. I also tried with another client that has the 'realm-management' role, and that didn't work either.

I can't authenticate using the 'realm-management' client because I get this error from Keycloak:

{
    "error": "invalid_client",
    "error_description": "Bearer-only not allowed"
}

I appreciate your support as I have an urgent project that I am working on.

xgp commented 1 year ago

Please post the entire requests you are using (both to get the token and to create the organization), including headers. It would also be useful to know the configuration of the client you are using.

mAlaliSy commented 1 year ago

Hi, thanks for the quick reply. Here is the request to get the token using the admin-cli client:

curl --location --request POST 'http://192.168.100.91:9080/realms/customers/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'client_secret=tJwb6Z4AXd4ZYozLBu129Ap9rKonNfWQ'

Client configuration for admin-cli. I am not sure if I have to add those roles, as the documentation does not state that in the authentication section:

(screenshot: admin-cli client configuration, 2023-01-30)

The request to create the organization:

curl --location --request POST 'http://192.168.100.91:9080/auth/realms/customers/orgs' \
--header 'Authorization: Bearer ***token from previous call***' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "Org name",
    "id": "OrgId",
    "realm": "customers"
}'

Response:

{
    "error": "RESTEASY003210: Could not find resource for full path: http://192.168.100.91:9080/auth/realms/customers/orgs"
}

Here is the request to obtain the token using the realm-management client. I think this is a Keycloak thing, but I appreciate your help:

curl --location --request POST 'http://192.168.100.91:9080/realms/customers/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=realm-management' \
--data-urlencode 'client_secret=IIvF51RlZk5eBTKQN9hMfr1OVCy7McLh'

Response:

{
    "error": "invalid_client",
    "error_description": "Bearer-only not allowed"
}

xgp commented 1 year ago

You're getting a 404 with your orgs request because you have your http relative path set to "/". A few releases ago, Keycloak switched it from "/auth" to "/". Your orgs url should be http://192.168.100.91:9080/realms/customers/orgs.

I don't think you want to use the realm-management client. The admin-cli is fine.

mAlaliSy commented 1 year ago

Thanks, that fixed the 404, but I am getting a 401 now. I will open a new issue for reference in case anybody is missing what I am missing.

xgp commented 1 year ago

You are probably getting a 401 because you added the roles to the client rather than the service account. Try adding them to the user or the service account you are authenticating with.
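As an added example (not code from this thread or from the Phase Two project), a small Python client that puts the two fixes from the thread together. The orgs URL is built from the Keycloak http-relative-path ("/" on Keycloak 17+, "/auth" on older builds), which is what separated the working URL from the 404. Before calling the orgs API, the script decodes the service-account token (without verifying it; inspection only) and reports which of the view-organizations, manage-organizations and create-organization roles are absent, since roles granted to the client rather than to its service-account user never show up in the token, which is the 401. The host, realm and organization body are taken from the thread; that the organization roles appear under realm_access or resource_access in the token, and that all three roles are wanted, are assumptions. The HTTP layer is pluggable so the role check can be run offline on a constructed token.

```python
"""Service-account token -> role check -> POST /realms/{realm}/orgs.

Added example, not Phase Two code. Assumes Keycloak 17+ (http-relative-path "/")
and that the Phase Two organization roles are visible in the access token.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Roles the poster tried; assumption: all three are wanted for the orgs API.
ORG_ROLES = frozenset({"view-organizations", "manage-organizations", "create-organization"})


def build_url(base, relative_path, realm, suffix):
    """Join base URL, Keycloak http-relative-path, realm and endpoint.

    relative_path is "/" on Keycloak 17+ (Quarkus) and "/auth" on older WildFly
    builds; using the wrong one is exactly the 404 seen in the thread.
    """
    parts = (relative_path, "realms", realm, suffix)
    path = "/".join(p.strip("/") for p in parts if p.strip("/"))
    return base.rstrip("/") + "/" + path


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Only for inspecting a token you just received; never use this to make an
    authorization decision.
    """
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def roles_in_token(claims):
    """Realm roles plus every client's roles carried by the token."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    for client in claims.get("resource_access", {}).values():
        roles.update(client.get("roles", []))
    return roles


def missing_org_roles(claims, required=ORG_ROLES):
    """Required org roles the token lacks. Roles assigned to the *client* are
    not in the token; only roles on its service-account user are."""
    return set(required) - roles_in_token(claims)


def _send(req):
    """Default transport: (status, body). Replaceable for offline use."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def get_token(base, relative_path, realm, client_id, client_secret, send=_send):
    data = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        build_url(base, relative_path, realm, "protocol/openid-connect/token"),
        data=data, headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST")
    status, body = send(req)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body}")
    return json.loads(body)["access_token"]


def create_org(base, relative_path, realm, token, org, send=_send):
    req = urllib.request.Request(
        build_url(base, relative_path, realm, "orgs"),
        data=json.dumps(org).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    status, body = send(req)
    if status == 404:
        raise RuntimeError("404: check http-relative-path; on Keycloak 17+ the "
                           "URL has no /auth prefix")
    if status in (401, 403):
        missing = sorted(missing_org_roles(jwt_claims(token)))
        raise RuntimeError(f"{status}: roles {missing} are not in the token; "
                           "assign them to the service-account user, not the client")
    if status >= 400:
        raise RuntimeError(f"create org failed: {status} {body}")
    return status, body


def sample_token(claims):
    """Constructed, UNSIGNED token (alg none, empty signature) for offline demos.
    A real Keycloak token is signed and must be verified before trusting it."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Offline walk-through: roles were put on the client, so the
    # service-account token (constructed here) carries none of them.
    demo = sample_token({"preferred_username": "service-account-admin-cli",
                         "realm_access": {"roles": ["default-roles-customers"]}})
    print("orgs endpoint:", build_url("http://192.168.100.91:9080", "/", "customers", "orgs"))
    print("roles missing from token:", sorted(missing_org_roles(jwt_claims(demo))))
```

Against a live server, call get_token with the admin-cli client secret and pass the result to create_org with the body from the thread ({"name": "Org name", "id": "OrgId", "realm": "customers"}); if a 401 comes back, the exception names the roles that are absent from the token, which is the signal that they were granted to the client rather than to the service-account user.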