Can't get JWT Token

cuongdnv Member Posts: 9 Learner I
edited April 2022 in Help
I am referring to the document below to get a JWT token. However, when I call the API /api/rest/tokenservice it doesn't return the token but returns a web interface asking for login. How can I get the JWT token?



Response of Postman:

Best Answer

  • cuongdnv Member Posts: 9 Learner I
    Solution Accepted
    @aschaferdiek
    Very simple: I modified the config in the .env file and got the token via the API api/rest/tokenservice with ID and password as described in the tokenservice document,
    which is completely unlike the way you are instructing.






Answers

  • aschaferdiek Employee, Member Posts: 76 RM Engineering
    edited April 2022
    Hi. In order to query the internal tokenservice endpoint, you need a valid "session". In the native installation method, you can use basic auth as "session" as outlined in the documentation.
    curl -u user:pass "http://localhost:8080/api/rest/tokenservice"

    {
      "idToken": "the-valid-token",
      "expirationDate": "the-exp"
    }

    However, for this to work when you've deployed RapidMiner AI Hub with Keycloak (and docker), you need to 1. enable basic auth for Keycloak, 2. access the route by first having a valid "login session" (cookie name is RM_SERVER_JSESSIONID) or 3. use a valid Keycloak token.

    1. Enable basic auth in Keycloak
    # rm-server-homedir/configuration/keycloak/keycloak.json

    {
    ...
    "enable-basic-auth": true,
    ...
    }
    2. Valid cookie value
    Login via web interface, open the browser's developer tools and use the very same RM_SERVER_JSESSIONID cookie value inside the REST request issued to the /api/rest/tokenservice endpoint.

    3. Valid Keycloak token
    Retrieve a valid Keycloak access token (from Keycloak's token endpoint, e.g. via OpenID Connect) and query the /api/rest/tokenservice endpoint with Authorization: Bearer <Keycloak-Access-Token>.


    I'm not sure what you'd like to achieve, e.g. scheduling a process via REST, but I'd like to point out that you can easily add a process and trigger it via Web Service. The triggered process could make use of the Admin Tools extension. You still need to enable Keycloak's basic auth though if you'd like to trigger it from "outside".






  • David_A Administrator, Moderator, Employee, RMResearcher, Member Posts: 297 RM Research
    A guide on how to use the extension can be found here:

  • cuongdnv Member Posts: 9 Learner I
    How can I [1. Enable basic auth in Keycloak]?
    I listed all containers, and I guess that rapidminer/rapidminer-server:9.10.4-gen2 with CONTAINER ID [07a1e28603f6] is rm-server-homedir.

    So I accessed this container and edited keycloak.json in the path [/rapidminer/home/configuration].

    I changed "enable-basic-auth": true

    and then I got RM_SERVER_JSESSIONID by [Login via web interface, open the browser's developer tools and use the very same RM_SERVER_JSESSIONID].

    I got RM_SERVER_JSESSIONID (b4uTa9Wc23gkbvZmS2akuPah), went to Postman, set Bearer Token to [Keycloak-b4uTa9Wc23gkbvZmS2akuPah] and sent a request to /api/rest/tokenservice. But I got the response [Access denied].


  • aschaferdiek Employee, Member Posts: 76 RM Engineering
    edited April 2022
    Hi. Sorry if my list was confusing, but all 3 are different approaches to solve your problem.

    For basic auth 1. you then need to enable it for Keycloak as you did, then use your Keycloak credentials as Authorization type in Postman.

    For cookie value 2. you need to login and provide the value of the cookie inside the Postman header, but not as Bearer Token content.

    For Keycloak token 3. approach, you need to get a valid access token from the Keycloak token endpoint or look into what @David_A posted and use this as Bearer Token value.

    We usually recommend approach 3, although I wanted to list all of them for the sake of completeness.
  • cuongdnv Member Posts: 9 Learner I
    edited April 2022
    Thank you for your reply. I have some points to confirm as follows:

    1. For basic auth 1, where can I get Keycloak credentials? Please provide detailed instructions.

    2. I got the RM_SERVER_JSESSIONID from the cookie, then put it in the RM_SERVER_JSESSIONID field of the header in the request /api/rest/tokenservice, but I still can't get the token and it returns "Access denied".

    3. I get the token through the API /auth/realms/master/protocol/openid-connect/token. However, when calling the API /executions/jobs using the token obtained in the first step, the result returns an Unauthorized error.

    Thank you.
  • aschaferdiek Employee, Member Posts: 76 RM Engineering
    You need to use the access-token of Keycloak to call the /api/rest/tokenservice and use the returned token for any further requests
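
The three ways of authenticating to /api/rest/tokenservice discussed in this thread, and the two-step exchange from the last reply, as an added example (not code from the thread or from RapidMiner). The base URL, the Keycloak password grant, the `client_id` value and sending the returned idToken as a Bearer header are assumptions; the function names are hypothetical.

```python
import base64, json, urllib.parse, urllib.request

# Assumptions: host/port come from the curl example in the thread and Keycloak is
# reachable on the same origin. Use HTTPS for anything that is not localhost.
BASE = "http://localhost:8080"
TOKENSERVICE = BASE + "/api/rest/tokenservice"
KEYCLOAK_TOKEN = BASE + "/auth/realms/master/protocol/openid-connect/token"

def keycloak_token_request(user, password, client_id):
    """POST for a Keycloak access token (password grant and client_id are assumptions)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "username": user, "password": password})
    return urllib.request.Request(KEYCLOAK_TOKEN, data=form.encode(), method="POST")

def tokenservice_request(basic=None, session_cookie=None, access_token=None):
    """Build the tokenservice call for exactly one of the three approaches."""
    if sum(v is not None for v in (basic, session_cookie, access_token)) != 1:
        raise ValueError("choose exactly one approach")
    req = urllib.request.Request(TOKENSERVICE)
    if basic is not None:             # 1. needs "enable-basic-auth": true in keycloak.json
        pair = "{}:{}".format(*basic).encode()
        req.add_header("Authorization", "Basic " + base64.b64encode(pair).decode())
    elif session_cookie is not None:  # 2. sent as a Cookie header, not as a Bearer token
        req.add_header("Cookie", "RM_SERVER_JSESSIONID=" + session_cookie)
    else:                             # 3. Keycloak access token as Bearer
        req.add_header("Authorization", "Bearer " + access_token)
    return req

def parse_tokenservice(body, content_type):
    """Return idToken; fail loudly if the login page came back instead of JSON."""
    if "json" not in content_type.lower():
        raise PermissionError("no valid session, got " + (content_type or "unknown type"))
    token = json.loads(body).get("idToken")
    if not token:
        raise ValueError("response carries no idToken")
    return token

def fetch_id_token(access_token):
    """Approach 3 end to end: exchange the Keycloak token for the server's JWT."""
    with urllib.request.urlopen(tokenservice_request(access_token=access_token)) as resp:
        return parse_tokenservice(resp.read(), resp.headers.get("Content-Type", ""))

def api_request(path, id_token):
    """Later REST calls carry the idToken (sending it as Bearer is an assumption)."""
    req = urllib.request.Request(BASE + path)
    req.add_header("Authorization", "Bearer " + id_token)
    return req
```

Only `fetch_id_token` touches the network; the other functions build or parse messages, so the headers can be inspected before anything is sent.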