p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Create organization using admin-cli gives Unauthorized error #32

Closed mAlaliSy closed 1 year ago

mAlaliSy commented 1 year ago

Dears, thanks for your great effort in bringing this on, and for your help.

I am getting a 401 when I try to create an organization using the admin-cli. However, getting the organizations is working fine (no organizations, so the response is []).

Here is the request:

curl --location --request POST 'http://192.168.100.91:9080/realms/customers/orgs' \
--header 'Authorization: Bearer xxxx' \
--header 'Content-Type: application/json' \
--data-raw '{
  "id": "string",
  "name": "string",
  "displayName": "string",
  "url": "string",
  "realm": "string",
  "domains": [
    "string"
  ],
  "attributes": {}
}'

Are there any required roles? I have the following admin-cli roles:

[screenshot: Screen Shot 2023-01-30 at 3 43 18 PM]

Here is the request to get the access token that I use in the above request:

curl --location --request POST 'http://192.168.100.91:9080/realms/customers/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'client_secret=tJwb6Z4AXd4ZYozLBu129Ap9rKonNfWQ'

xgp commented 1 year ago

You added the roles to the client rather than the service account. In the "Service account roles" tab, add them there.

mAlaliSy commented 1 year ago

I have added them but I am still getting the same response

[screenshot: Screen Shot 2023-01-31 at 11 39 05 AM]

Any idea?

xgp commented 1 year ago

I don't have time right now, but I'll try to reproduce later today.

mAlaliSy commented 1 year ago

Thanks, I really appreciate your quick response

mAlaliSy commented 1 year ago

Hi @xgp Any updates?

xgp commented 1 year ago

@mAlaliSy I wasn't able to reproduce your problem. Here is a script that I used to create an organization:

#!/bin/bash

read -p 'Host (format e.g. http://euc1.auth.ac ): ' host
read -p 'Realm: ' realm
printf "\nThis user must have create-organization, manage-organizations, and view-organizations realm-management roles in order to create and manage new Organizations.\n"
read -p 'Client ID: ' clientId
read -sp 'Client Secret: ' clientSecret
echo

# Client-credentials grant. Note the /auth prefix: Keycloak 17+ (Quarkus) drops it by default,
# so on newer servers the path is $host/realms/$realm/...
DIRECT_GRANT_RESPONSE=$(curl -i --request POST "$host/auth/realms/$realm/protocol/openid-connect/token" --header "Accept: application/json" --header "Content-Type: application/x-www-form-urlencoded" --data "grant_type=client_credentials&client_id=$clientId&client_secret=$clientSecret")
ACCESS_TOKEN=$(echo "$DIRECT_GRANT_RESPONSE" | grep "access_token" | sed 's/.*\"access_token\":\"\([^\"]*\)\".*/\1/g')

echo "$ACCESS_TOKEN"

# List organizations (empty list on a fresh realm)
curl "$host/auth/realms/$realm/orgs" --header "Accept: application/json" --header "Authorization: Bearer $ACCESS_TOKEN"

# Create one
curl -vv --request POST "$host/auth/realms/$realm/orgs" --header "Content-Type: application/json" --header "Accept: application/json" --header "Authorization: Bearer $ACCESS_TOKEN" -d '{"name":"example","displayName":"Example Org","url":"https://example.com"}'

# List again; the new organization should now appear
curl "$host/auth/realms/$realm/orgs" --header "Accept: application/json" --header "Authorization: Bearer $ACCESS_TOKEN"

One thing that might be causing your problem is the use of the admin-cli client. Although the Keycloak documentation indicates that it can be changed to a confidential OIDC client and used with a client ID/secret, I have encountered problems with this before. I would recommend creating a dedicated client for this kind of request as such:

https://user-images.githubusercontent.com/244253/216005682-ce88ca85-dba4-47c7-9b64-8702138754a4.mp4
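The two points made in this thread (the roles must be on the client's service account, not on the client itself, and a dedicated confidential client is preferable to admin-cli) both come down to what the access token actually carries. The script below is an added example, not code from the keycloak-orgs project or from either commenter: it decodes the token's payload, checks that the three realm-management roles named above are present before calling /orgs, and only then creates an organization. It assumes the /auth-less URL layout used in the issue's own requests and the compact JSON that Keycloak emits in access tokens; the host, client id, secret and sample tokens are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example for this thread; not code from keycloak-orgs or the commenters.
# Assumes Keycloak >= 17 URL layout (no /auth prefix) and the role names quoted
# in the thread. Host/client/secret values are placeholders.

# Roles the thread says the service account needs, as client roles of the
# built-in realm-management client (not newly created realm roles).
REQUIRED_ROLES="create-organization manage-organizations view-organizations"

# base64url-encode a string; used only to build the constructed sample tokens.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode the payload segment of a JWT to JSON. This does NOT verify the
# signature; it only lets you inspect which roles the token really carries.
jwt_payload() {
  local payload pad
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  pad=""
  while [ $(( (${#payload} + ${#pad}) % 4 )) -ne 0 ]; do pad="$pad="; done
  printf '%s%s' "$payload" "$pad" | base64 -d 2>/dev/null
}

# List the realm-management client roles in the token. Keycloak emits them
# compactly as "resource_access":{"realm-management":{"roles":[...]}}.
realm_mgmt_roles() {
  jwt_payload "$1" \
    | grep -o '"realm-management":{"roles":\[[^]]*\]' \
    | grep -o '"[^"]*"' | tail -n +3 | tr -d '"'
}

# Succeed only if every required role is present; report what is missing.
# A 401 from /orgs with a token that fails this check is the symptom in the issue.
check_roles() {
  local roles missing="" r
  roles=$(realm_mgmt_roles "$1")
  for r in $REQUIRED_ROLES; do
    printf '%s\n' "$roles" | grep -qx "$r" || missing="$missing $r"
  done
  if [ -n "$missing" ]; then
    echo "token lacks realm-management roles:$missing" >&2
    return 1
  fi
  return 0
}

# Fetch a client_credentials token for a dedicated confidential client, check
# its roles, then create an organization. Args: host realm client_id secret name
create_org() {
  local host="$1" realm="$2" client_id="$3" client_secret="$4" name="$5" token
  token=$(curl -sf --request POST "$host/realms/$realm/protocol/openid-connect/token" \
      --data-urlencode grant_type=client_credentials \
      --data-urlencode "client_id=$client_id" \
      --data-urlencode "client_secret=$client_secret" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || { echo "token request failed" >&2; return 1; }
  check_roles "$token" || return 1
  curl -sf --request POST "$host/realms/$realm/orgs" \
    --header "Authorization: Bearer $token" \
    --header "Content-Type: application/json" \
    --data "{\"name\":\"$name\",\"displayName\":\"$name\"}"
}

# Constructed sample tokens (header and signature are placeholders) so the role
# check can be exercised offline. A real token from the token endpoint decodes
# the same way.
SAMPLE_GOOD="hdr.$(b64url '{"resource_access":{"realm-management":{"roles":["view-organizations","create-organization","manage-organizations"]}}}').sig"
SAMPLE_BAD="hdr.$(b64url '{"resource_access":{"realm-management":{"roles":["view-organizations"]}}}').sig"

# Usage against a live server (placeholder values):
#   create_org http://192.168.100.91:9080 customers org-admin "$CLIENT_SECRET" example
```

Running check_roles on the token from the original admin-cli request is the quickest way to tell the two failure modes apart: a token whose realm-management roles list is empty means the roles were attached to the client or to newly created realm roles rather than to the service account, whereas a token that passes the check but still gets a 401 points at the client configuration itself.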

mAlaliSy commented 1 year ago

Thanks for the demo. I was assigning newly created roles instead of the ones already defined by the extension. It's working now!

I really appreciate your help