I am trying to get user credentials (to see the OTP configuration) from an Angular app. I am trying to call one of 2 API URLs:

  1. 'https://BASE_URL/auth/realms/REALM_NAME/account/credentials'

or

  2. 'https://BASE_URL/auth/realms/REALM_NAME/users/6408bff2-28c6-45d4-8d93-abac57585c42/configured-user-storage-credential-types'

The second one is listed in REST API documentation.

I am trying with token included.

Both of these give me a CORS error.

I tried setting the web origin to '*' or '+' in the main client, and also in the account and account-console clients.

Should the Keycloak API be directly accessible from the client, or only from the server (Spring)?


Update: I'm trying this again, trying to use Keycloak on localhost:8080 (so it's the same domain and the client).

When I do GET from http://localhost:8080/auth/realms/ninegold/ I receive this: [screenshot]

But when trying to get user info: GET http://localhost:8080/auth/realms/ninegold/users/0e0cf56d-d809-48b0-ac04-bc9dace51be9/

I receive this: [screenshot]

This is my account client: [screenshot]

Filip Witkowski
  • Are you using [keycloak-angular](https://www.npmjs.com/package/keycloak-angular)? And what is your Angular app origin? For example, if you're using http://localhost:4200/, I suggest that in your Keycloak client configuration you add http://localhost:4200/ as a web origin, and you can do the same with all your web origins. – OLO Jun 29 '21 at 22:21
  • Using oidc-client-js. For which client should I add the client URL as a web origin? For account? Or account-console? – Filip Witkowski Jun 29 '21 at 23:58
  • I added http://localhost:3000 to account and account-console clients, and same issue. – Filip Witkowski Jun 30 '21 at 00:01

1 Answer

This might be an issue with Keycloak itself. Go to the admin console and check the following:

  1. Full scope is allowed, go to: Clients -> Your Client -> Scope and allow it if not already
  2. Your user has account roles assigned, go to: Users -> (view all users) -> Your User -> Role Mappings and check if roles manage-account and view-profile are assigned. (Client Roles dropdown, select account)
mat.hudak
  • These settings helped with access to the account console directly (via http). By turning them on and off, the user can view or edit information on the account site. This still does not help with getting user information through the Keycloak API. – Filip Witkowski Jun 30 '21 at 11:19
  • This was the cause of the issue in our case. Other than that I have no idea what else might be causing it – mat.hudak Jun 30 '21 at 12:49
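
A way to check both things discussed in this thread (the client's web origins and the account roles) from the token itself, as an added example that is not code from the question or the answer. It assumes Keycloak's usual access-token layout, where web origins appear in the `allowed-origins` claim and account client roles under `resource_access.account.roles`; the function names and the sample token are constructed for illustration.

```javascript
// Added diagnostic example. It only decodes the token for inspection;
// it does NOT verify the signature and must not be used for authorization.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Hypothetical helper: reports whether the app origin is listed in the token
// and which of the required account roles are absent from it.
function diagnoseAccountAccess(token, appUrl, requiredRoles) {
  const claims = decodeJwtPayload(token);
  // Browsers send Origin as scheme://host[:port] with no path or trailing
  // slash, so compare that form against the token's entries.
  const origin = new URL(appUrl).origin;
  const origins = claims['allowed-origins'] || [];
  const roles = ((claims.resource_access || {}).account || {}).roles || [];
  return {
    origin,
    originAllowed: origins.includes('*') || origins.includes(origin),
    missingRoles: requiredRoles.filter((r) => !roles.includes(r)),
  };
}

// Builds a constructed token (placeholder signature) for the demo below.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

// Constructed sample: origin is listed, but only view-profile was mapped
// into the token (for example because full scope is off for the client).
const sampleToken = makeSampleToken({
  'allowed-origins': ['http://localhost:3000'],
  resource_access: { account: { roles: ['view-profile'] } },
});

const report = diagnoseAccountAccess(
  sampleToken, 'http://localhost:3000/', ['manage-account', 'view-profile']);
console.log(report);
```

In the browser, replace `Buffer` with `atob` and pass the access token obtained by the OIDC client library.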