Authenticate Master realm Admin Token in other Realm in Custom REST API

Hello,
I have created a custom REST API to set/reset the pin value of my custom Authenticator.
So here the same user and the admin user of the master realm can set/reset the pin, but how do I authenticate the token of the master realm admin user in my REST API?
Here is the custom API code:
@PUT
@Path("users/{userId}/reset-pin")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public Response resetPin(@PathParam("userId") String userId, Map<String, String> map) {
    log.info(">>in the endpoint: reset - pin");
    // Authenticate the caller before touching the target user
    authenticateUser(userId);
    // Realm taken from the request URL (/realms/{realm}/...)
    RealmModel realm = session.getContext().getRealm();
    UserModel user = session.users().getUserById(realm, userId);
    if (user == null) {
        return Response.status(Response.Status.NOT_FOUND).entity("User not found").build();
    }

    PinCredentialProvider passwordCredentialProvider = new PinCredentialProvider(session);
    return passwordCredentialProvider.createCredential(realm, user, map.get("value"));
}

public AuthResult authenticateUser(String userId) {
    // Verifies the bearer token against the realm of the current request
    AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
    if (authResult != null) {
        if (!(userId.equals(authResult.getToken().getSubject()))) {
            log.info("throwing not authorization error");
            throw new NotAuthorizedException("Not authorized for this resource");
        } else {
            isAdminPermission();
        }
    } else {
        log.info("throwing not authorization error");
        throw new NotAuthorizedException("Not authorized for this resource");
    }
    return authResult;
}

Here the authenticateUser() method only authenticates the bearer token of the same realm,
but when I send a master realm admin token and the URL contains the other realm name (e.g. http://127.0.0.1:8080/realms/demo/custom-pin/users/47e98a8d-4633-46bd-89b6-96b556ba8b97/reset-pin), it returns the key error.

How do I authenticate the admin token of the master realm in my custom REST API?

I have service-to-service communication and I did something like:

protected void checkAuth() {
    if (auth == null)
        throw new NotAuthorizedException("Bearer token is missing");

    if (!isValidSubject(auth.getToken().getSubject()))
        throw new ForbiddenException("Invalid subject in bearer token");
}

protected boolean isValidSubject(String clientUserId) {
    return SUBJECT_PATTERN.matcher(clientUserId).find();
}

So basically this works for me. You will probably have more checks, but you have the JWT token from auth.getToken(); decode it and do validation.
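
One way to accept a master-realm token on an endpoint that lives under another realm, as an added example (not code from either poster or from Keycloak itself): read the token's issuer, let Keycloak verify the token against that realm's keys, then require the master `admin` role. It assumes Keycloak 22+ (`jakarta.*` imports), the server SPI classes named in the imports, and a hypothetical helper class `CrossRealmAuth`.

```java
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.NotAuthorizedException;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;

/** Hypothetical helper (not a Keycloak class); assumes the SPI classes imported above. */
public final class CrossRealmAuth {
    /** Allows the user themself (same-realm token) or a master-realm admin. */
    public static AuthResult authorize(KeycloakSession session, String userId) {
        String raw = AppAuthManager.extractAuthorizationHeaderToken(
                session.getContext().getRequestHeaders());
        if (raw == null) throw new NotAuthorizedException("Bearer");
        // Unverified peek at "iss", used only to pick the realm whose keys verify the token.
        String issuer;
        try {
            issuer = new JWSInput(raw).readJsonContent(AccessToken.class).getIssuer();
        } catch (JWSInputException e) {
            throw new NotAuthorizedException("Bearer");
        }
        RealmModel target = session.getContext().getRealm(); // realm named in the URL
        boolean fromMaster = issuer != null && issuer.endsWith("/realms/master")
                && !"master".equals(target.getName());
        RealmModel issuing = fromMaster ? session.realms().getRealmByName("master") : target;

        AuthResult auth;
        try {
            // Signature, issuer and session are checked against the issuing realm.
            session.getContext().setRealm(issuing);
            auth = new AppAuthManager.BearerTokenAuthenticator(session)
                    .setRealm(issuing).authenticate();
        } finally {
            session.getContext().setRealm(target); // restore the request realm
        }
        if (auth == null) throw new NotAuthorizedException("Bearer");

        if (fromMaster) { // cross-realm caller must hold the master realm "admin" role
            RoleModel admin = issuing.getRole(AdminRoles.ADMIN);
            if (admin == null || !auth.getUser().hasRole(admin)) throw new ForbiddenException();
        } else if (!userId.equals(auth.getToken().getSubject())) {
            throw new ForbiddenException(); // same-realm token for a different user
        }
        return auth;
    }
}
```

The issuer read before verification is untrusted and only selects the realm; a token with a forged `iss` still fails the signature and issuer checks inside `authenticate()`.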