secure api calls with service account bearer token

flintstones-userprovider/src/main/java/dasniko/keycloak/user/flintstones/FlintstonesApiClient.java

@@ -3,6 +3,7 @@
 import com.fasterxml.jackson.core.type.TypeReference;
 import dasniko.keycloak.user.flintstones.repo.Credential;
 import dasniko.keycloak.user.flintstones.repo.FlintstoneUser;
+import de.keycloak.util.TokenUtils;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.keycloak.broker.provider.util.SimpleHttp;
@@ -16,10 +17,13 @@ public class FlintstonesApiClient {
 
 	private final KeycloakSession session;
 	private final String baseUrl;
+	private final String token;
 
 	public FlintstonesApiClient(KeycloakSession session, ComponentModel model) {
 		this.session = session;
 		this.baseUrl = model.get(FlintstonesUserStorageProviderFactory.USER_API_BASE_URL);
+		String clientId = model.get(FlintstonesUserStorageProviderFactory.CLIENT_ID);
+		this.token = clientId != null ? TokenUtils.generateServiceAccountAccessToken(session, clientId, null, null) : "";
 	}
 
 	@SneakyThrows
@@ -48,7 +52,7 @@ public Integer usersCount() {
 	@SneakyThrows
 	public boolean createUser(FlintstoneUser user) {
 		String url = String.format("%s/users", baseUrl);
-		return SimpleHttp.doPost(url, session).json(user).asStatus() == 201;
+		return SimpleHttp.doPost(url, session).auth(token).json(user).asStatus() == 201;
 	}
 
 	@SneakyThrows
@@ -82,25 +86,25 @@ private FlintstoneUser getUserByUsernameOrEmail(String field, String value) {
 	@SneakyThrows
 	public boolean updateUser(FlintstoneUser user) {
 		String url = String.format("%s/users/%s", baseUrl, user.getId());
-		return SimpleHttp.doPut(url, session).json(user).asStatus() == 204;
+		return SimpleHttp.doPut(url, session).auth(token).json(user).asStatus() == 204;
 	}
 
 	@SneakyThrows
 	public boolean deleteUser(String userId) {
 		String url = String.format("%s/users/%s", baseUrl, userId);
-		return SimpleHttp.doDelete(url, session).asStatus() == 204;
+		return SimpleHttp.doDelete(url, session).auth(token).asStatus() == 204;
 	}
 
 	@SneakyThrows
 	public boolean verifyCredentials(String userId, Credential credential) {
 		String url = String.format("%s/users/%s/credentials/verify", baseUrl, userId);
-		return SimpleHttp.doPost(url, session).json(credential).asStatus() == 204;
+		return SimpleHttp.doPost(url, session).auth(token).json(credential).asStatus() == 204;
 	}
 
 	@SneakyThrows
 	public boolean updateCredentials(String userId, Credential credential) {
 		String url = String.format("%s/users/%s/credentials", baseUrl, userId);
-		return SimpleHttp.doPut(url, session).json(credential).asStatus() == 204;
+		return SimpleHttp.doPut(url, session).auth(token).json(credential).asStatus() == 204;
 	}
 
 	@SneakyThrows
@@ -120,6 +124,6 @@ public List<FlintstoneUser> searchGroupMembers(String name, int first, int max)
 	}
 
 	private SimpleHttp prepareGetRequest(String url) {
-		return SimpleHttp.doGet(url, session).acceptJson();
+		return SimpleHttp.doGet(url, session).auth(token).acceptJson();
 	}
 }

flintstones-userprovider/src/main/java/dasniko/keycloak/user/flintstones/FlintstonesUserStorageProviderFactory.java

@@ -26,6 +26,7 @@ public class FlintstonesUserStorageProviderFactory implements UserStorageProvide
 	public static final String PROVIDER_ID = "the-flintstones";
 
 	static final String USER_API_BASE_URL = "apiBaseUrl";
+	static final String CLIENT_ID = "clientId";
 	static final String USER_CREATION_ENABLED = "userCreation";
 	static final String USE_PASSWORD_POLICY = "usePasswordPolicy";
 
@@ -51,6 +52,7 @@ public void postInit(KeycloakSessionFactory factory) {
 	public List<ProviderConfigProperty> getConfigProperties() {
 		return ProviderConfigurationBuilder.create()
 			.property(USER_API_BASE_URL, "API Base URL", "", ProviderConfigProperty.STRING_TYPE, "http://localhost:8000", null)
+			.property(CLIENT_ID, "API Auth client_id", "As which client the API-client should authenticate itself.", ProviderConfigProperty.CLIENT_LIST_TYPE, "", null)
 			.property(USER_CREATION_ENABLED, "syncRegistrations", "syncRegistrationsHelp", ProviderConfigProperty.BOOLEAN_TYPE, "false", null)
 			.property(USE_PASSWORD_POLICY, "validatePasswordPolicy", "validatePasswordPolicyHelp", ProviderConfigProperty.BOOLEAN_TYPE, "false", null)
 			.build();