942d5d0aa3
Final removal of the securing_apps documentation Final checks for links, order and other minor things Closes #31328 Signed-off-by: rmartinc <rmartinc@redhat.com>
100 lines
3.3 KiB
Text
100 lines
3.3 KiB
Text
== Admin REST API
|
|
|
|
{project_name} comes with a fully functional Admin REST API with all features provided by the Admin Console.
|
|
|
|
To invoke the API you need to obtain an access token with the appropriate permissions. The required permissions are described in the link:{adminguide_link}[{adminguide_name}].
|
|
|
|
You can obtain a token by enabling authentication for your application using {project_name}; see the Securing Applications and Services Guide. You can also use direct access grant to obtain an access token.
|
|
|
|
=== Examples of using CURL
|
|
|
|
==== Authenticating with a username and password
|
|
|
|
NOTE: The following example assumes that you created the user `admin` with the password `password` in the `master` realm as shown in the link:{gettingstarted_link}[{gettingstarted_name}] tutorial.
|
|
|
|
.Procedure
|
|
|
|
. Obtain an access token for the user in the realm `master` with username `admin` and password `password`:
|
|
+
|
|
[source,bash,subs=+attributes]
|
|
----
|
|
curl \
|
|
-d "client_id=admin-cli" \
|
|
-d "username=admin" \
|
|
-d "password=password" \
|
|
-d "grant_type=password" \
|
|
"http://localhost:8080{kc_realms_path}/master/protocol/openid-connect/token"
|
|
----
|
|
+
|
|
NOTE: By default this token expires in 1 minute
|
|
+
|
|
The result will be a JSON document.
|
|
|
|
. Invoke the API you need by extracting the value of the `access_token` property.
|
|
|
|
. Invoke the API by including the value in the `Authorization` header of requests to the API.
|
|
+
|
|
The following example shows how to get the details of the master realm:
|
|
+
|
|
[source,bash,subs="attributes+"]
|
|
----
|
|
curl \
|
|
-H "Authorization: bearer eyJhbGciOiJSUz..." \
|
|
"http://localhost:8080{kc_admins_path}/realms/master"
|
|
----
|
|
|
|
==== Authenticating with a service account
|
|
|
|
To authenticate against the Admin REST API using a `client_id` and a `client_secret`, perform this procedure.
|
|
|
|
.Procedure
|
|
|
|
. Make sure the client is configured as follows:
|
|
|
|
* `client_id` is a **confidential** client that belongs to the realm *master*
|
|
* `client_id` has `Service Accounts Enabled` option enabled
|
|
* `client_id` has a custom "Audience" mapper
|
|
** Included Client Audience: `security-admin-console`
|
|
|
|
. Check that `client_id` has the role 'admin' assigned in the "Service Account Roles" tab.
|
|
|
|
[source,bash,subs="attributes+"]
|
|
----
|
|
curl \
|
|
-d "client_id=<YOUR_CLIENT_ID>" \
|
|
-d "client_secret=<YOUR_CLIENT_SECRET>" \
|
|
-d "grant_type=client_credentials" \
|
|
"http://localhost:8080{kc_realms_path}/master/protocol/openid-connect/token"
|
|
----
|
|
|
|
ifeval::[{project_community}==true]
|
|
=== Example using Java
|
|
|
|
There's a Java client library for the Admin REST API that makes it easy to use from Java. To use it from your application add a dependency on the
|
|
`keycloak-admin-client` library.
|
|
|
|
The following example shows how to use the Java client library to get the details of the master realm:
|
|
|
|
[source,java,subs="attributes+"]
|
|
----
|
|
|
|
import org.keycloak.admin.client.Keycloak;
|
|
import org.keycloak.representations.idm.RealmRepresentation;
|
|
...
|
|
|
|
Keycloak keycloak = Keycloak.getInstance(
|
|
"http://localhost:8080{kc_base_path}",
|
|
"master",
|
|
"admin",
|
|
"password",
|
|
"admin-cli");
|
|
RealmRepresentation realm = keycloak.realm("master").toRepresentation();
|
|
----
|
|
|
|
Complete Javadoc for the admin client is available at {apidocs_link}[{apidocs_name}].
|
|
endif::[]
|
|
|
|
=== Additional resources
|
|
[role="_additional-resources"]
|
|
* {adminguide_link}[{adminguide_name}]
|
|
* {apidocs_link}[{apidocs_name}]
|