Can't get JWT Token

I am refering below document to get JWT Token . However when I call the API /api/rest/tokenservice it doesn't return the token but returns a web interface asking for login . How can I get JWT Token

Image: https://us.v-cdn.net/6030995/uploads/editor/tx/yrt9h8x0k23b.png

Response of postman:

Image: https://us.v-cdn.net/6030995/uploads/editor/2r/mk6ioedhzwgg.png

Find more posts tagged with

AI Studio

Accepted answers

cuongdnv

@aschaferdiek
very simple i modified config in .env file and got token via API api/rest/tokenservice with id and password as described in tokenservice document.
Which is completely unlike the way you are instructing .

Image: https://us.v-cdn.net/6030995/uploads/editor/gg/8m76alynd7q7.png

All comments

aschaferdiek

Hi. In order to query the internal tokenservice endpoint, you need a valid "session". In the native installation method, you can use basic auth as "session" as outlined in the documentation.

curl -u user:pass "http://localhost:8080/api/rest/tokenservice"

{
"idToken": "the-valid-token",
"expirationDate": "the-exp"
}

However, for this to work when you've deployed RapidMiner AI Hub with Keycloak (and docker), you need to 1. enable basic auth for Keycloak, 2. access the route by first having a valid "login session" (cookie name is RM_SERVER_JSESSIONID) or 3. use a valid Keycloak token.

1. Enable basic auth in Keycloak

# rm-server-homedir/configuration/keycloak/keycloak.json

{
...
"enable-basic-auth": true,
...
}

2. Valid cookie value

Login via web interface, open the browser's developer tools and use the very same RM_SERVER_JSESSIONID cookie value inside the REST request issued to the /api/rest/tokenservice endpoint.

3. Valid Keycloak token

Retrieve a valid Keycloak access token (from Keycloak's token endpoint, e.g. via OpenID Connect) and query the /api/rest/tokenservice endpoint with Authorization: Bearer <Keycloak-Access-Token>.

I guess this also relates to https://stackoverflow.com/questions/71936829/rapidminer-cant-get-jwt-token

Not sure what you like to achieve, e.g. schedule a process via REST, I like to outline that you can easily add a process and trigger via Web Service. The triggered process could make use of the Admin Tools extension. You still need to enable Keycloak's basic auth though if you like to trigger it from "outside".

David_A

A guide how to use the extension can be found here:

https://docs.rapidminer.com/latest/studio/connect/aihub/

cuongdnv

How can i [1. Enable basic auth in Keycloak]

I get all container , and i guess that , rapidminer/rapidminer-server:9.10.4-gen2 with CONTAINER ID [07a1e28603f6] is rm-server-homedir

So i access to this container and edit keycloak.json in path [/rapidminer/home/configuration]

I changed "enable-basic-auth": true

and then i get RM_SERVER_JSESSIONID by [Login via web interface, open the browser's developer tools and use the very same RM_SERVER_JSESSIONID]

i got RM_SERVER_JSESSIONID (b4uTa9Wc23gkbvZmS2akuPah) and go to post man and set Bearer Token to [Keycloak-b4uTa9Wc23gkbvZmS2akuPah] and send request to /api/rest/tokenservice . But i got response [Access denied]

Image: https://us.v-cdn.net/6030995/uploads/editor/oq/gldsj0azawyf.png

aschaferdiek

Hi. Sorry if my list was confusing, but all 3 are different approaches to solve your problem.

For basic auth 1. you then need to enable it for Keycloak as you did, then use your Keycloak credentials as Authorization

type in Postman.

For cookie value 2. you need to login and provide the value of the cookie inside the Postman header, but not as Bearer Token content.

For Keycloak token 3. approach, you need to get a valid access token from the Keycloak token endpoint or look into what @David_A posted and use this as Bearer Token value.

We usually recommend approach 3, although I liked to list all of them for the sake of completeness.

cuongdnv

Thank you for your reply. I have some points to confirm as follows:

1. For basic auth 1 , Where can I get Keycloak credentials? Please provide detailed instructions

2. I got the RM_SERVER_JSESSIONID from the cookie then put it in the RM_SERVER_JSESSIONID field of the header in the request /api/rest/tokenservice but still can't get the token and return "Access denied"

Image: https://us.v-cdn.net/6030995/uploads/editor/ap/em4mxmocidt1.png

3. I get the token through the api /auth/realms/master/protocol/openid-connect/token . However, when calling the API /executions/jobs using the token obtained first step, the result returns an Unauthorized error.

Thanks you.

aschaferdiek

You need to use the access-token of Keycloak to call the /api/rest/tokenservice and use the returned token for any further requests

cuongdnv