如何在没有管理员帐户的情况下通过REST获取Keycloak用户 [英] How to get Keycloak users via REST without admin account

问题描述

是否可以使用管理员帐户通过REST WITHOUT 来获取Keycloak领域中的用户列表?也许是从管理控制台分配的某种角色?寻找任何想法.

Is there a way to get a list of users on a Keycloak realm via REST WITHOUT using an admin account? Maybe some sort of assignable role from the admin console? Looking for any ideas.

现在，我正在使用管理员凭据来获取访问令牌，然后使用该令牌从realm/users端点拉用户.

Right now I'm using admin credentials to grab an access token, then using that token to pull users from the realm/users endpoint.

获取令牌(通过request从node.js应用程序获取):

Getting the token (from node.js app via request):

uri: `${keycloakUri}/realms/master/protocol/openid-connect/token`,
form: {
  grant_type: 'password',
  client_id: 'admin-cli',
  username: adminUsername,
  password: adminPassword,
}

使用令牌:

uri: `${keycloakUri}/admin/realms/${keycloakRealm}/users`,
headers: {
  'authorization': `bearer ${passwordGrantToken}`,
}

我希望能够使用来自客户端应用程序的常规用户信息(用户名，电子邮件，全名).

I want to be able to use generic user info (usernames, emails, fullnames) from a client application.

推荐答案

您需要从realm-management客户端中为所需用户分配view-users角色.那就是用户的配置:

You need to assign the view-users role from the realm-management client, for the desired user. That would be the configuration for the user:

然后，您可以从${keycloakUri}/admin/realms/${keycloakRealm}/users终结点捕获所有用户.那是从邮局检索到的信息，通过邮递员访问:

Then you can grab all the users from the ${keycloakUri}/admin/realms/${keycloakRealm}/users endpoint. That's the info retrieved from the enpoint, accesed via Postman:

此外，与所提问题无关，我强烈建议您除非绝对需要，否则不要使用grant_type=password.从 keycloak博客:

Also, unrelated to the asked question, I strongly encourage you not to use grant_type=password unless you absolutelly need to. From the keycloak blog:

RESULT=`curl --data "grant_type=password&client_id=curl&username=user&password=password" http://localhost:8180/auth/realms/master/protocol/openid-connect/token`

这有点神秘，幸运的是，这并不是您真正应该获得令牌的方式. Web应用程序应通过重定向到Keycloak登录页面来获取令牌.我们只是这样做，所以我们可以测试服务，因为我们还没有可以调用该服务的应用程序.基本上，我们在这里要做的是调用将授权类型设置为password的Keycloaks OpenID Connect令牌端点，这是资源所有者凭证流，它允许将用户名和密码交换为令牌.

This is a bit cryptic and luckily this is not how you should really be obtaining tokens. Tokens should be obtained by web applications by redirecting to the Keycloak login page. We're only doing this so we can test the service as we don't have an application that can invoke the service yet. Basically what we are doing here is invoking Keycloaks OpenID Connect token endpoint with grant type set to password which is the Resource Owner Credentials flow that allows swapping a username and a password for a token.

另请参见 Oauth2规范.

这篇关于如何在没有管理员帐户的情况下通过REST获取Keycloak用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！