Borja Canseco

Reputation: 325

How to get Keycloak users via REST without admin account

Is there a way to get a list of users on a Keycloak realm via REST WITHOUT using an admin account? Maybe some sort of assignable role from the admin console? Looking for any ideas.

Right now I'm using admin credentials to grab an access token, then using that token to pull users from the realm/users endpoint.

Getting the token (from a node.js app via request):

uri: `${keycloakUri}/realms/master/protocol/openid-connect/token`,
form: {
  grant_type: 'password',
  client_id: 'admin-cli',
  username: adminUsername,
  password: adminPassword,
}

Using the token:

uri: `${keycloakUri}/admin/realms/${keycloakRealm}/users`,
headers: {
  'authorization': `bearer ${passwordGrantToken}`,
}

I want to be able to use generic user info (usernames, emails, fullnames) from a client application.

Upvotes: 28

Views: 38133

Answers (2)

Shubham Verma

Reputation: 9913

I was facing the same issue and I resolved it by using the below steps:

Step 1: Create a realm, go to the settings tab, select the following (match with the below image) and save it:

Client Protocol: openid-connect

Access Type: confidential


Step 2: Provide all the scopes/client scopes as per the screenshots:


Step 3: Go to Credentials and select Client Id and Secret


Step 4: Hit the below curl to get the access_token:

curl --location 'http://localhost:18080/auth/realms/test-realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCIgO...' \
--header 'Cookie: OPERATE-SESSION=DD9F694EE1D511CAE6E126E5503A8995; TASKLIST-SESSION=A0841A5A17C43122443A3DAC4A88060A' \
--data-urlencode 'client_id=test-realm' \
--data-urlencode 'client_secret=8lu1gy4v0Ajt5WjyjgiTXKzuLijE8lpe' \
--data-urlencode 'grant_type=client_credentials'

Step 5: You will get the access_token in response:

{
    "access_token": "eyJhbGciOiJSUzI1...I9X3Exs5a_jR_gjmHO6yLZBuoiS3G2BU8_i9Bb2DYDCWWz5awbsg",
    "expires_in": 36000,
    "refresh_expires_in": 0,
    "token_type": "Bearer",
    "not-before-policy": 0,
    "scope": "profile email"
}

Step 6: Now get the user data with the above access token by using the below curl:

curl --location 'http://localhost:18080/auth/admin/realms/test-realm' \
--header 'Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCI...Sa3upI9X3Exs5a_jR_gjmHO6yLZBuoiS3G2BU8_i9Bb2DYDCWWz5awbsg' \
--header 'Cookie: OPERATE-SESSION=DD9F694EE1D511CAE6E126E5503A8995; TASKLIST-SESSION=A0841A5A17C43122443A3DAC4A88060A'

Response:

{
    "id": "test-realm",
    "realm": "test-realm",
    "displayName": "test-realm",
    "displayNameHtml": "test-realm",
    "failureFactor": 30,
    "browserFlow": "browser",
    "registrationFlow": "registration",
    ...
}

Upvotes: 0

Aritz

Reputation: 31651

You need to assign the view-users role from the realm-management client, for the desired user. That would be the configuration for the user:


Then you can grab all the users from the ${keycloakUri}/admin/realms/${keycloakRealm}/users endpoint. That's the info retrieved from the endpoint, accessed via Postman:


Also, unrelated to the asked question, I strongly encourage you not to use grant_type=password unless you absolutely need to. From the Keycloak blog:

RESULT=`curl --data "grant_type=password&client_id=curl&username=user&password=password" http://localhost:8180/auth/realms/master/protocol/openid-connect/token`

This is a bit cryptic and luckily this is not how you should really be obtaining tokens. Tokens should be obtained by web applications by redirecting to the Keycloak login page. We're only doing this so we can test the service as we don't have an application that can invoke the service yet. Basically what we are doing here is invoking Keycloak's OpenID Connect token endpoint with grant type set to password which is the Resource Owner Credentials flow that allows swapping a username and a password for a token.

See also the OAuth2 spec.

Upvotes: 49
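An added example in Node.js (not from the question or either answer): before using a token against the users endpoint, decode its claims and confirm it carries the realm-management view-users role and nothing broader, which is the least-privilege setup the answer describes. The token, the client name user-directory and the host are constructed placeholders, and the signature is not verified here (Keycloak does that server-side).

```javascript
// Added example: inspect a Keycloak access token before using it against
// the admin REST API. Keycloak places client roles under
// resource_access.<client>.roles, so view-users granted from the
// realm-management client shows up at resource_access["realm-management"].
// The sample token is CONSTRUCTED (placeholder signature), not a real one.

// Decode one base64url JWT segment without a library.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Return the claims object. Signature is NOT checked; this is an audit
// of what the token asks for, not a trust decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Roles granted on the realm-management client, or [] if none.
function realmManagementRoles(payload) {
  const rm = (payload.resource_access || {})['realm-management'];
  return rm && Array.isArray(rm.roles) ? rm.roles : [];
}

// Least-privilege check: listing users needs only view-users; any other
// realm-management role (manage-users, realm-admin, ...) is excess.
function auditTokenForUserListing(token, allowed = ['view-users']) {
  const roles = realmManagementRoles(decodeJwtPayload(token));
  return {
    canListUsers: roles.includes('view-users'),
    excessRoles: roles.filter((r) => !allowed.includes(r)),
  };
}

// Request options in the question's shape for GET /admin/realms/{realm}/users.
function usersRequest(keycloakUri, realm, token) {
  return {
    uri: `${keycloakUri}/admin/realms/${encodeURIComponent(realm)}/users`,
    headers: { authorization: `Bearer ${token}` },
  };
}

// Constructed sample token for a service account holding the given roles.
function sampleToken(roles) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const payload = { azp: 'user-directory', resource_access: { 'realm-management': { roles } } };
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.signature-placeholder`;
}
```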
