When creating a new client in Keycloak service through sending the post request to /{realm}/clients, both clientId and id are optional fields in post body.
If I didn't specify them, keycloak will generate it automatically. Then I found when I request to get client-secret, I need to put the id into url to indicate the client-secret of which client I need to get ?
I try to figure out how can I get the id of client from Keycloak API docs but didn't get the answer.
Anyone has idea?
Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from following endpoint calls.
I try to figure out how can I get the id of client from Keycloak API docs but didn't get the answer.
To get the id you can call the endpoint /{realm}/clients with the parameter clientID for instance using curl:
curl -k -X GET $KEYCLOAK_HOST/auth/admin/realms/$REALM_NAME/clients?clientId=$CLIENT_ID \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN"
The $ACCESS_TOKEN is the access token from a token omitted on behalf of a user with the proper privileges (e.g., admin).
From the response .json you extract id (e.g., jq -r .[0].id). In my personal Git repo you can find a script to extract the client secret.
Assigning the proper user permissions
For those that do not want to get an access token from the master admin user, you can get it from another user but that user needs the permission view-clients from the realm-management client. For that you can:
(OLD Keycloak UI)
Role Mappingsclient roles select realm-managementview-clients and click on Add selected
(New Keycloak UI)
Role MappingsAssign roleSearch by role name type view-clients
It's also worth mentioning that clients have to be assigned to view-clients role.
In my case I set it up in Service Account Roles tab of admin-cli client:
Client Roles > realm-management