FishingIsLife

Reputation: 2372

Keycloak: Cannot read a user's realm roles as admin-cli when calling the admin REST API

I use Keycloak 11 as an OpenID Connect provider for my Spring Boot services. Everything works fine so far.

Problem:

I have a service that uses a WebClient. It is nested in my service and uses client auth with the admin-cli client. That works. When I do a GET on /users/userId, I get the user representation. The problem I have now is that the realm roles of the user are not added to the representation.

In the docs this parameter is mentioned as String[] and marked as optional in the UserRepresentation.

I thought that if I configure Service account roles -> Client Roles -> realm-management -> realmAdmin, the client should be able to view the whole user output.

But if I use Postman and call the API as admin-cli, it is not included in the JSON response.

I also tried to add the attribute in my KeycloakUserRepresentation model:

import java.util.List;
import java.util.Map;

// DTO the WebClient deserialises the GET /users/{id} response into
public class KeycloakUserRepresentation {

    private String id;
    private String username;
    private String firstName;
    private String lastName;
    private String email;
    private Boolean emailVerified;
    private Boolean enabled;
    private Map<String, List<String>> attributes;
    private String[] realmRoles; // declared as String[] in the docs, but never present in the response
}

and execute the request. The array realmRoles is always null.

Can you tell me what I have to configure to read the user's realmRoles as admin-cli?

Upvotes: 3

Views: 4857

Answers (2)

dreamcrash

Reputation: 51513

Update: The /auth path was removed starting with the Keycloak 17 Quarkus distribution. So you might need to remove /auth from the endpoint calls presented in this answer.


First, request a token from the admin-cli client on behalf of the admin user (or a user with similar privileges):

curl    -d "client_id=admin-cli" \
        -d "username=$ADMIN_NAME" \
        -d "password=$ADMIN_PASSWORD" \
        -d "grant_type=password" \
        https://$KEYCLOAK_IP/auth/realms/master/protocol/openid-connect/token

Then, to get the list of users associated with a given realm role, use the previous token on the call to the following endpoint:

GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/roles/<ROLE_NAME>/users

From the JSON response you can check if your user belongs to that list.

Alternatively, you can call the Rest Admin API to

  1. get the user, and then extract its ID;
  2. get the roles associated with that user by using its ID in the call to the endpoint: GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/users/<USER_ID>/role-mappings

Upvotes: 3

FishingIsLife

Reputation: 2372

I found out that there are two ways of doing it.

First: the URL dreamcrash mentioned:

GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/roles/<ROLE_NAME>/users

Here you get all users with the requested role.

Second:

GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/users/<USER_ID>/role-mappings

Here you get realm and client mappings for the specific user.

I think solution 2 is the better approach because you only load the information for a specific user. Solution 1 loads all users and their whole account information. This can lead to a performance lack.

What I don't understand is that the general /users/id endpoint does not return most of the optional parameters in the UserRepresentation response object. I think it is so annoying to always have to find a route somewhere in the docs. I know it is an open source project, but I think this should be fixed, or at least it should be explained how to configure Keycloak to get the information.

Upvotes: 0
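The two calls both answers settle on (the password-grant token request against admin-cli and the per-user role-mappings lookup), as an added Python example that is not from the question or either answer. The base URL, realm, user id and the JSON body are constructed sample values; the response follows Keycloak's realmMappings/clientMappings shape, and the legacy_auth_prefix switch is an assumption that lets the caller drop /auth for Keycloak 17 and later as the update in the answer describes.

```python
import json
from urllib.parse import urlencode

ADMIN_CLIENT_ID = "admin-cli"

def token_request(base_url, realm, username, password, legacy_auth_prefix=True):
    """Build the password-grant token call: returns (url, form body).
    legacy_auth_prefix keeps the /auth segment used before Keycloak 17 (assumption: caller knows its version)."""
    prefix = "/auth" if legacy_auth_prefix else ""
    url = f"{base_url}{prefix}/realms/{realm}/protocol/openid-connect/token"
    body = urlencode({"client_id": ADMIN_CLIENT_ID, "username": username,
                      "password": password, "grant_type": "password"})
    return url, body

def role_mappings_url(base_url, realm, user_id, legacy_auth_prefix=True):
    """Per-user endpoint from the second approach: realm and client role mappings for one user only."""
    prefix = "/auth" if legacy_auth_prefix else ""
    return f"{base_url}{prefix}/admin/realms/{realm}/users/{user_id}/role-mappings"

def extract_roles(role_mappings):
    """Flatten a role-mappings response into (sorted realm role names, {client: sorted role names})."""
    realm_roles = sorted(r["name"] for r in role_mappings.get("realmMappings", []))
    client_roles = {client: sorted(m["name"] for m in entry.get("mappings", []))
                    for client, entry in role_mappings.get("clientMappings", {}).items()}
    return realm_roles, client_roles

# Constructed sample body in the shape Keycloak returns for GET .../users/<USER_ID>/role-mappings
SAMPLE_ROLE_MAPPINGS = json.loads("""
{
  "realmMappings": [
    {"id": "r-1", "name": "uma_authorization", "composite": false, "clientRole": false, "containerId": "myrealm"},
    {"id": "r-2", "name": "offline_access",    "composite": false, "clientRole": false, "containerId": "myrealm"}
  ],
  "clientMappings": {
    "account": {"id": "c-1", "client": "account", "mappings": [
      {"id": "cr-1", "name": "view-profile",   "composite": false, "clientRole": true, "containerId": "c-1"},
      {"id": "cr-2", "name": "manage-account", "composite": true,  "clientRole": true, "containerId": "c-1"}
    ]}
  }
}
""")

if __name__ == "__main__":
    url, body = token_request("https://keycloak.example", "master", "admin", "pw")
    print(url, body)
    print(role_mappings_url("https://keycloak.example", "myrealm", "1234-abcd", legacy_auth_prefix=False))
    print(extract_roles(SAMPLE_ROLE_MAPPINGS))
```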
