Can't get JWT Token

cuongdnv Member Posts: 9 Learner I
edited April 2022 in Help
I am referring to the document below to get a JWT token. However, when I call the API /api/rest/tokenservice it doesn't return the token but returns a web interface asking for login. How can I get a JWT token?



Response of postman:

Best Answer

  • cuongdnv Member Posts: 9 Learner I
    Solution Accepted
    @aschaferdiek
    Very simple: I modified the config in the .env file and got the token via the API api/rest/tokenservice with id and password as described in the tokenservice document.
    Which is completely unlike the way you are instructing.






Answers

  • aschaferdiek Employee, Member Posts: 76 RM Engineering
    edited April 2022
    Hi. In order to query the internal tokenservice endpoint, you need a valid "session". In the native installation method, you can use basic auth as "session" as outlined in the documentation.
    curl -u user:pass "http://localhost:8080/api/rest/tokenservice"

    {
    "idToken": "the-valid-token",
    "expirationDate": "the-exp"
    }

    However, for this to work when you've deployed RapidMiner AI Hub with Keycloak (and docker), you need to 1. enable basic auth for Keycloak, 2. access the route by first having a valid "login session" (cookie name is RM_SERVER_JSESSIONID) or 3. use a valid Keycloak token.

    1. Enable basic auth in Keycloak
    # rm-server-homedir/configuration/keycloak/keycloak.json

    {
    ...
    "enable-basic-auth": true,
    ...
    }
    2. Valid cookie value
    Login via web interface, open the browser's developer tools and use the very same RM_SERVER_JSESSIONID cookie value inside the REST request issued to the /api/rest/tokenservice endpoint.

    3. Valid Keycloak token
    Retrieve a valid Keycloak access token (from Keycloak's token endpoint, e.g. via OpenID Connect) and query the /api/rest/tokenservice endpoint with Authorization: Bearer <Access-Token>.


    Not sure what you like to achieve, e.g. schedule a process via REST, I like to outline that you can easily add a process and trigger via Web Service. The triggered process could make use of the Admin Tools extension. You still need to enable Keycloak's basic auth though if you like to trigger it from "outside".






  • David_A Administrator, Moderator, Employee, RMResearcher, Member Posts: 296 RM Research
    A guide how to use the extension can be found here:

  • cuongdnv Member Posts: 9 Learner I
    How can I [1. Enable basic auth in Keycloak]?
    I listed all the containers, and I guess that rapidminer/rapidminer-server:9.10.4-gen2 with CONTAINER ID [07a1e28603f6] is rm-server-homedir.


    So I accessed this container and edited keycloak.json in the path [/rapidminer/home/configuration]



    I changed "enable-basic-auth": true

    and then I got RM_SERVER_JSESSIONID by [Login via web interface, open the browser's developer tools and use the very same RM_SERVER_JSESSIONID]


    I got RM_SERVER_JSESSIONID (b4uTa9Wc23gkbvZmS2akuPah) and went to Postman and set Bearer Token to [Keycloak-b4uTa9Wc23gkbvZmS2akuPah] and sent a request to /api/rest/tokenservice. But I got the response [Access denied]


  • aschaferdiek Employee, Member Posts: 76 RM Engineering
    edited April 2022
    Hi. Sorry if my list was confusing, but all 3 are different approaches to solve your problem.

    For basic auth 1. you then need to enable it for Keycloak as you did, then use your Keycloak credentials as Authorization type in Postman.

    For cookie value 2. you need to login and provide the value of the cookie inside the Postman header, but not as Bearer Token content.

    For Keycloak token 3. approach, you need to get a valid access token from the Keycloak token endpoint or look into what @David_A posted and use this as Bearer Token value.

    We usually recommend approach 3, although I liked to list all of them for the sake of completeness.
  • cuongdnv Member Posts: 9 Learner I
    edited April 2022
    Thank you for your reply. I have some points to confirm as follows:

    1. For basic auth 1, where can I get Keycloak credentials? Please provide detailed instructions.

    2. I got the RM_SERVER_JSESSIONID from the cookie then put it in the RM_SERVER_JSESSIONID field of the header in the request /api/rest/tokenservice but still can't get the token and return "Access denied"



    3. I get the token through the API /auth/realms/master/protocol/openid-connect/token. However, when calling the API /executions/jobs using the token obtained in the first step, the result returns an Unauthorized error.



    Thank you.
  • aschaferdiek Employee, Member Posts: 76 RM Engineering
    You need to use the access-token of Keycloak to call the /api/rest/tokenservice and use the returned token for any further requests.
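
The two-step exchange from the last reply (approach 3), as an added example that is not part of the original thread or RapidMiner's own code. The password grant, the `client_id` value, the single shared base URL and the injectable `call` transport are assumptions made for illustration; the endpoint paths and the `idToken`/`expirationDate` fields are the ones quoted above.

```python
import json
import urllib.parse
import urllib.request

# Paths as quoted in the thread; both are assumed to sit behind the same base URL.
KEYCLOAK_TOKEN_PATH = "/auth/realms/master/protocol/openid-connect/token"
TOKENSERVICE_PATH = "/api/rest/tokenservice"


def http_call(url, headers, data=None):
    """Default transport: GET when data is None, POST otherwise."""
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


def parse_json(content_type, body, what):
    # Without a valid session or token the server answers with its HTML login
    # page (the symptom in the question), so refuse anything that is not JSON.
    if "json" not in content_type.lower():
        raise PermissionError(f"{what}: expected JSON, got {content_type!r}; "
                              "the request was not authenticated")
    return json.loads(body)


def get_rm_token(base_url, username, password, client_id, call=http_call):
    # Step 1: Keycloak access token. The password grant and the client_id
    # value are assumptions; use whatever grant your realm's client allows.
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password,
    }).encode()
    ctype, body = call(base_url + KEYCLOAK_TOKEN_PATH,
                       {"Content-Type": "application/x-www-form-urlencoded"}, form)
    access_token = parse_json(ctype, body, "Keycloak token endpoint")["access_token"]

    # Step 2: send it as a Bearer token (not the session cookie value) to the
    # tokenservice; the idToken it returns is what later requests must carry.
    ctype, body = call(base_url + TOKENSERVICE_PATH,
                       {"Authorization": "Bearer " + access_token})
    reply = parse_json(ctype, body, "tokenservice")
    return reply["idToken"], reply["expirationDate"]
```

Calling a job endpoint with the step 1 access token skips step 2, which matches the Unauthorized result reported in point 3 of the question.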