How to create mapper for each user attribute in Keycloak via REST API?

Question

How do I create Protocol Mappers with the following values (as seen in the attached image) via Keycloak's REST API? I couldn't find it in the documentation - I did find this: Protocol Mapper - but the ProtocolMapperRepresentation takes in a Map and a couple of Strings. When I see the UI - I see a lot more fields and I'm not sure if I'm looking at the right API.

Here's the UI:

How do I do it via API?

Answer 1

Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.

---

How do I create Protocol Mappers with the following values (as seen in the attached image) via Keycloak's REST API?

You can do it by calling the following endpoint:

POST ${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/clients/${ID of the Client}/protocol-mappers/models

with the following data:

{"protocol":"openid-connect","config":{"id.token.claim":"true","access.token.claim":"true","userinfo.token.claim":"true","multivalued":"","aggregate.attrs":"","user.attribute":"some-attribute","claim.name":"some-attribute","jsonType.label":"String"},"name":"some-attribute","protocolMapper":"oidc-usermodel-attribute-mapper"}

I did find this: Protocol Mapper - but the ProtocolMapperRepresentation takes in a Map and a couple of Strings. When I see the UI - I see a lot more fields and I'm not sure if I'm looking at the right API.

That is by design; to make the endpoint abstract enough to accept different types of Protocol Mappers. That Map encodes basically the config part which tend to change from mapper to mapper.

---

Step-by-Step

You can get that information using the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. For now, I will be using the admin user from the master realm, but later I will explain how you can use another user:

curl “https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token” \
    -d "client_id=admin-cli" \
    -d "username=${ADMIN_NAME}” \
    -d "password=${ADMIN_PASSWORD}" \
    -d "grant_type=password"

You get a JSON response with the admin's token. Extract the value of property access_token from that response. Let us save it in the variable $ACCESS_TOKEN for later reference.

To create the protocol mapper for your realm $REALM_NAME:

curl -X POST “https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/clients/${ID_OF_CLIENT}/protocol-mappers/models” \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer ${ACCESS_TOKEN}” \
     -d "${PROTOCOL_JSON_DATA}"

An example of "${PROTOCOL_JSON_DATA}":

'{"protocol":"openid-connect","protocolMapper":"oidc-hardcoded-claim-mapper","name":"test","config":{"claim.name":"test","claim.value":"test","jsonType.label":"","id.token.claim":"true","access.token.claim":"true","access.tokenResponse.claim":"false","userinfo.token.claim":"true"}}'

For those that need, I have scripts (this one or this one) for the aforementioned steps.

Assigning the proper user permissions

For those that do not want to get an access token from the master admin user, you can get it from another user but that user needs the permission manage-clients from the realm-management client. For that you can:

(OLD Keycloak UI)

• Go to Users, and then the user in question
• Go to the tab Role Mappings
• In client roles select realm-management
• Select the role manage-clients and click on Add selected

(New Keycloak UI)

• Go to Users, and then the user in question
• Go to the tab Role Mappings
• Click on Assign role
• In Search by role name type manage-clients
• Select the role and assign it