Get the client secret that is generated by Keycloak when the client or service account was created. The secret can be regenerated any time with an administrative action.
A client secret is needed to make requests using a new client or service account.
A client or service account has been created. See Create a Service Account in Keycloak.
Follow the steps in only one of the sections below:
Log in to the administration console.
See Access the Keycloak User Management UI for more information.
Click on Clients
under the Configure
header of the navigation panel on the left side of the page.
Click on the ID for the target client in the Clients
table.
Switch to the Credentials
tab.
Save the client secret stored in the Secret
field.
NOTE: If the
Secret
field is empty hit theRegenerate Secret
button to get the client secret.
(linux#
) Create a variable for the client secret.
Leave the Keycloak UI and create a variable for the client secret on the system.
Replace 8a91fdf2-f9c5-4c7f-8da8-49cfbb97680a
with the client secret returned for the service account being used.
export CLIENT_SECRET=8a91fdf2-f9c5-4c7f-8da8-49cfbb97680a
(ncn-mw#
) Create the get_master_token
function to get a token as a Keycloak master administrator.
MASTER_USERNAME=$(kubectl get secret -n services keycloak-master-admin-auth -ojsonpath='{.data.user}' | base64 -d)
MASTER_PASSWORD=$(kubectl get secret -n services keycloak-master-admin-auth -ojsonpath='{.data.password}' | base64 -d)
function get_master_token {
curl -ks -d client_id=admin-cli -d username=$MASTER_USERNAME -d password=$MASTER_PASSWORD -d grant_type=password \
https://api-gw-service-nmn.local/keycloak/realms/master/protocol/openid-connect/token | \
python -c "import sys.json; print json.load(sys.stdin)['access_token']"
}
(ncn-mw#
) Get a unique ID for a client from Keycloak.
In the example below, the client ID is my-test-client
, which should be replaced with the client ID for the target client.
The returned 82d009de-1e36-41b6-8c21-4c390a25c188
in the output is the unique ID of the client.
CLIENT_ID=$(curl -s -H "Authorization: Bearer $(get_master_token)" \
https://api-gw-service-nmn.local/keycloak/admin/realms/shasta/clients | \
jq -r '.[] | select(.clientId=="my-test-client").id')
echo "${CLIENT_ID}"
Example output:
82d009de-1e36-41b6-8c21-4c390a25c188
(ncn-mw#
) Retrieve the client secret.
In the example below, the returned client secret is 8a91fdf2-f9c5-4c7f-8da8-49cfbb97680a
.
curl -s -H "Authorization: Bearer $(get_master_token)" https://api-gw-service-nmn.local/keycloak/admin/realms/shasta/clients/$CLIENT_ID/client-secret | jq -r .value
Example output:
8a91fdf2-f9c5-4c7f-8da8-49cfbb97680a
If the command returns an error with KeyError: 'value'
then run the following command to generate a new secret and retrieve it.
curl -s -X POST -H "Authorization: Bearer $(get_master_token)" https://api-gw-service-nmn.local/keycloak/admin/realms/shasta/clients/$CLIENT_ID/client-secret | jq -r .value
(ncn-mw#
) Create a variable for the client secret.
Replace 8a91fdf2-f9c5-4c7f-8da8-49cfbb97680a
with the client secret returned for the service account being used.
export CLIENT_SECRET=8a91fdf2-f9c5-4c7f-8da8-49cfbb97680a