diff --git a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
index 8434593001..5dc72854a1 100644
--- a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
@@ -17,7 +17,9 @@ package org.keycloak.services.clientregistration;
+import com.sun.xml.bind.v2.runtime.reflect.opt.Const;
import org.jboss.resteasy.spi.UnauthorizedException;
+import org.keycloak.Config;
import org.keycloak.common.util.Time;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
@@ -28,6 +30,7 @@ import org.keycloak.util.TokenUtil;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.UriInfo;
+import java.util.LinkedList;
import java.util.List;
import java.util.Map;
@@ -39,6 +42,7 @@ public class ClientRegistrationAuth {
private KeycloakSession session;
private EventBuilder event;
+ private RealmModel realm;
private JsonWebToken jwt;
private ClientInitialAccessModel initialAccessModel;
@@ -50,7 +54,7 @@ public class ClientRegistrationAuth {
}
private void init() {
- RealmModel realm = session.getContext().getRealm();
+ realm = session.getContext().getRealm();
UriInfo uri = session.getContext().getUri();
String authorizationHeader = session.getContext().getRequestHeaders().getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
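Review bot: The added `import com.sun.xml.bind.v2.runtime.reflect.opt.Const;` in the first hunk is not referenced by any added line in this diff and drags an internal JAXB implementation class into an authorization class; it looks like an IDE auto-import slip (the code below uses `Constants.REALM_MANAGEMENT_CLIENT_ID`, which the file already resolves). Delete that import line. `com.sun.*` packages are not a stable API and the class may simply be absent on other JDK/JAXB runtimes, which would make this class fail to compile or load.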
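Review bot: `import java.util.LinkedList;` in the second hunk has no use in any added line visible in this diff — the new `roles` local is declared as `List` and is only ever assigned from the token's resource-access map. Unless a hunk not shown here instantiates a `LinkedList`, drop the import so the file does not accumulate dead imports alongside the new `Config` one.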
@@ -174,18 +178,25 @@ public class ClientRegistrationAuth {
return false;
}
- Map> realmManagement = resourceAccess.get(Constants.REALM_MANAGEMENT_CLIENT_ID);
- if (realmManagement == null) {
- return false;
+ List roles = null;
+
+ Map> map;
+ if (realm.getName().equals(Config.getAdminRealm())) {
+ map = resourceAccess.get(realm.getMasterAdminClient().getClientId());
+ } else {
+ map = resourceAccess.get(Constants.REALM_MANAGEMENT_CLIENT_ID);
}
- List resources = realmManagement.get("roles");
- if (resources == null) {
+ if (map != null) {
+ roles = map.get("roles");
+ }
+
+ if (roles == null) {
return false;
}
for (String r : role) {
- if (resources.contains(r)) {
+ if (roles.contains(r)) {
return true;
}
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
index 73e79c5ed1..70bfed0e0a 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
@@ -19,8 +19,10 @@ package org.keycloak.testsuite.client;
import org.junit.Test;
import org.keycloak.client.registration.Auth;
+import org.keycloak.client.registration.ClientRegistration;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.client.registration.HttpErrorException;
+import org.keycloak.models.Constants;
import org.keycloak.representations.idm.ClientRepresentation;
import javax.ws.rs.NotFoundException;
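Review bot: In the master-realm branch, `realm.getMasterAdminClient()` is dereferenced with no null check on the line `map = resourceAccess.get(realm.getMasterAdminClient().getClientId());`; if that client is ever missing, an authorization decision degrades into a NullPointerException (an HTTP 500) instead of a clean deny, and the method already has a deny path ready in `if (map != null)`. Guard it in place: `map = realm.getMasterAdminClient() == null ? null : resourceAccess.get(realm.getMasterAdminClient().getClientId());`. The branch also deserves a short why-comment, since a reader of the `else` arm will not know the two lookups are meant to be equivalent: `// The master realm has no realm-management client; its admin roles are granted on the master admin client instead.` The enclosing role-check method starts before and ends after this hunk.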
@@ -56,6 +58,23 @@ public class ClientRegistrationTest extends AbstractClientRegistrationTest {
registerClient();
}
+ @Test
+ public void registerClientInMasterRealm() throws ClientRegistrationException {
+ ClientRegistration masterReg = ClientRegistration.create().url(suiteContext.getAuthServerInfo().getContextRoot() + "/auth", "master").build();
+
+ String token = oauthClient.getToken("master", Constants.ADMIN_CLI_CLIENT_ID, null, "admin", "admin").getToken();
+ masterReg.auth(Auth.token(token));
+
+ ClientRepresentation client = new ClientRepresentation();
+ client.setClientId(CLIENT_ID);
+ client.setSecret(CLIENT_SECRET);
+
+ ClientRepresentation createdClient = masterReg.create(client);
+ assertNotNull(createdClient);
+
+ adminClient.realm("master").clients().get(createdClient.getId()).remove();
+ }
+
@Test
public void registerClientAsAdminWithCreateOnly() throws ClientRegistrationException {
authCreateClients();
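Review bot: `registerClientInMasterRealm` covers only the allow path of the new master-realm branch — a token for the built-in `admin` user registers a client and the test passes; the deny path that the production change is supposed to keep intact, a master-realm token whose `resource_access` carries no master admin client roles, is never asserted, so a regression that lets the master branch return true unconditionally would sail through this suite. Add a companion test that obtains a master-realm token for a user without those roles (or with `create-client` stripped) and expects `masterReg.create(client)` to throw `HttpErrorException`, which this file already imports, checking whatever status it exposes. The hard-coded `"admin", "admin"` credentials are presumably the suite's fixture defaults; if the base class already exposes them as constants, prefer those so a fixture change does not silently break this test.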