keycloak-scim/docs/documentation/server_development/topics/admin-rest-api.adoc
rmartinc 942d5d0aa3 Convert chapter planning for securing applications and services to guides
Final removal of the securing_apps documentation
Final checks for links, order and other minor things
Closes #31328

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-01 16:45:56 +02:00

100 lines
3.3 KiB
Text

== Admin REST API
{project_name} comes with a fully functional Admin REST API with all features provided by the Admin Console.
To invoke the API you need to obtain an access token with the appropriate permissions. The required permissions are described in the link:{adminguide_link}[{adminguide_name}].
You can obtain a token by enabling authentication for your application using {project_name}; see the Securing Applications and Services Guide. You can also use direct access grant to obtain an access token.
=== Examples of using CURL
==== Authenticating with a username and password
NOTE: The following example assumes that you created the user `admin` with the password `password` in the `master` realm as shown in the link:{gettingstarted_link}[{gettingstarted_name}] tutorial.
.Procedure
. Obtain an access token for the user in the realm `master` with username `admin` and password `password`:
+
[source,bash,subs=+attributes]
----
curl \
-d "client_id=admin-cli" \
-d "username=admin" \
-d "password=password" \
-d "grant_type=password" \
"http://localhost:8080{kc_realms_path}/master/protocol/openid-connect/token"
----
+
NOTE: By default this token expires in 1 minute
+
The result will be a JSON document.
. Invoke the API you need by extracting the value of the `access_token` property.
. Invoke the API by including the value in the `Authorization` header of requests to the API.
+
The following example shows how to get the details of the master realm:
+
[source,bash,subs="attributes+"]
----
curl \
-H "Authorization: bearer eyJhbGciOiJSUz..." \
"http://localhost:8080{kc_admins_path}/realms/master"
----
==== Authenticating with a service account
To authenticate against the Admin REST API using a `client_id` and a `client_secret`, perform this procedure.
.Procedure
. Make sure the client is configured as follows:
* `client_id` is a **confidential** client that belongs to the realm *master*
* `client_id` has `Service Accounts Enabled` option enabled
* `client_id` has a custom "Audience" mapper
** Included Client Audience: `security-admin-console`
. Check that `client_id` has the role 'admin' assigned in the "Service Account Roles" tab.
[source,bash,subs="attributes+"]
----
curl \
-d "client_id=<YOUR_CLIENT_ID>" \
-d "client_secret=<YOUR_CLIENT_SECRET>" \
-d "grant_type=client_credentials" \
"http://localhost:8080{kc_realms_path}/master/protocol/openid-connect/token"
----
ifeval::[{project_community}==true]
=== Example using Java
There's a Java client library for the Admin REST API that makes it easy to use from Java. To use it from your application add a dependency on the
`keycloak-admin-client` library.
The following example shows how to use the Java client library to get the details of the master realm:
[source,java,subs="attributes+"]
----
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.RealmRepresentation;
...
Keycloak keycloak = Keycloak.getInstance(
"http://localhost:8080{kc_base_path}",
"master",
"admin",
"password",
"admin-cli");
RealmRepresentation realm = keycloak.realm("master").toRepresentation();
----
Complete Javadoc for the admin client is available at {apidocs_link}[{apidocs_name}].
endif::[]
=== Additional resources
[role="_additional-resources"]
* {adminguide_link}[{adminguide_name}]
* {apidocs_link}[{apidocs_name}]