Create a client using Keycloak admin Java SDK that has authentication and authorization enabled

I’m using the Keycloak admin Java library to create a client, like so:

ClientRepresentation client = new ClientRepresentation();
client.setClientId(clientId);
client.setName(clientId);
client.setStandardFlowEnabled(true);
client.setAuthorizationServicesEnabled(true);
client.setDirectAccessGrantsEnabled(true);
client.setPublicClient(true);
client.setEnabled(true);
client.setSecret(secret);
client.setServiceAccountsEnabled(true);
client.setAlwaysDisplayInConsole(true);
client.setDefaultClientScopes(List.of(Scopes.OPENID, Scopes.PROFILE, Scopes.EMAIL, Scopes.ROLES));
client.setRedirectUris(List.of(publicUrl + "/*"));
realm.clients().create(client);

I’m trying to turn these two switches on:

I can’t find appropriate properties to set on the client to make this happen.
How do I do it?

Many thanks for any help offered.

To try and work this out I created a client using the UI and examined the data it posted to the API endpoint.

What I was missing was these attributes:

{
    "oauth2.device.authorization.grant.enabled": false,
    "oidc.ciba.grant.enabled": false,
    "login_theme": "",
    "display.on.consent.screen": false,
    "backchannel.logout.url": "",
    "backchannel.logout.session.required": "true",
    "backchannel.logout.revoke.offline.tokens": "false"
}

So I started setting those attributes:

...
        clientRepresentation.setAttributes(Map.of(
                "oauth2.device.authorization.grant.enabled", "false",
                "oidc.ciba.grant.enabled", "false",
                "login_theme", "base",
                "display.on.consent.screen", "false",
                "backchannel.logout.url", "",
                "backchannel.logout.session.required", "true",
                "backchannel.logout.revoke.offline.tokens", "false"
        ));
        clientResource.update(clientRepresentation);

But those two switches still don’t turn on. From what I can tell:

clientRepresentation.setAuthorizationServicesEnabled(true);

should do it, but it clearly doesn’t, which makes me wonder if this is actually a Keycloak admin bug.

I’m using keycloak-admin-client:

implementation group: 'org.keycloak', name: 'keycloak-admin-client', version: '24.0.0'

and the Keycloak Docker image: quay.io/keycloak/keycloak:24.0.0

I’m considering raising a bug report.

D’oh! Figured it out.

I was setting clientRepresentation.setPublicClient(true), but that needs to be false; then it all works as expected.
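
The resolution above, as an added example that is not the original poster's or the Keycloak project's code: a confidential client (`publicClient=false`) built with the same setters used in the thread, a local guard that rejects the public-client combination before it is sent, and a read-back of what the server stored. The class and method names and the sample values in `main` are hypothetical, and it assumes the `keycloak-admin-client` dependency from the thread is on the classpath.

```java
import java.util.List;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientRepresentation;

// Added example: class and method names are hypothetical, not part of the Keycloak API.
public class ConfidentialClientExample {
    // publicClient=false is the setting the thread found was needed for the
    // authentication and authorization switches to turn on.
    static ClientRepresentation build(String clientId, String secret, String publicUrl) {
        ClientRepresentation c = new ClientRepresentation();
        c.setClientId(clientId);
        c.setEnabled(true);
        c.setPublicClient(false);
        c.setSecret(secret);
        c.setStandardFlowEnabled(true);
        c.setServiceAccountsEnabled(true);
        c.setAuthorizationServicesEnabled(true);
        c.setRedirectUris(List.of(publicUrl + "/*"));
        return c;
    }

    // Local guard: fail fast on the combination that produced the problem in the thread.
    static void check(ClientRepresentation c) {
        boolean needsConfidential = c.getSecret() != null
                || Boolean.TRUE.equals(c.isServiceAccountsEnabled())
                || Boolean.TRUE.equals(c.getAuthorizationServicesEnabled());
        if (Boolean.TRUE.equals(c.isPublicClient()) && needsConfidential) {
            throw new IllegalArgumentException(
                    "secret, service account and authorization services need publicClient=false");
        }
    }

    // Create the client, then read it back and confirm the server really enabled authorization.
    static ClientRepresentation create(RealmResource realm, ClientRepresentation c) {
        check(c);
        try (var response = realm.clients().create(c)) {
            String id = CreatedResponseUtil.getCreatedId(response); // throws unless 201 Created
            ClientRepresentation stored = realm.clients().get(id).toRepresentation();
            if (!Boolean.TRUE.equals(stored.getAuthorizationServicesEnabled())) {
                throw new IllegalStateException("authorization services not enabled on " + id);
            }
            return stored;
        }
    }

    // Offline demonstration with constructed values; no Keycloak server is contacted.
    public static void main(String[] args) {
        ClientRepresentation c = build("demo-client", "constructed-secret", "https://app.example.test");
        check(c);                 // confidential client passes
        c.setPublicClient(true);  // the setting from the original question
        try { check(c); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Call `create(realm, build(clientId, secret, publicUrl))` with the `RealmResource` already used in the thread to run it against a server.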