flololan

Reputation: 553

How to add Keycloak client-role to group via REST API

Similar to this question, I am trying to add a role to a group (group role mapping), except that in my case I need to add a client role instead of a realm role.

I tried to adapt the answer in the mentioned question to my needs, but sadly without success.

{SERVER}:81/auth/admin/realms/master/groups/{GROUP_ID}/role-mappings/

This gives me a "RESTEASY003650: No resource method found for POST, return 405 with Allow header" error.

I also tried adding the client in the path:

{SERVER}:81/auth/admin/realms/master/groups/{GROUP_ID}/role-mappings/clients/{ID_OF_CLIENT[not Client-ID]}/

But doing this gives me an "unknown error".

Upvotes: 4

Views: 2200

Answers (2)

Yonchev

Reputation: 13

You can add with:

// Name of the client role to assign
String userRole = "Customer";

// Resolve the client's internal ID (UUID) from its clientId
String clientUuid = keycloak.realm(this.realm).clients().findByClientId(this.clientId).get(0).getId();

// Fetch the role representation and add it as a client-level role mapping
List<RoleRepresentation> roleToAdd = new LinkedList<>();
roleToAdd.add(keycloak.realm(this.realm).clients().get(clientUuid).roles().get(userRole).toRepresentation());
userResource.roles().clientLevel(clientUuid).add(roleToAdd);

Upvotes: 0

flololan

Reputation: 553

So it turns out that the

{SERVER}:81/auth/admin/realms/master/groups/{GROUP_ID}/role-mappings/clients/{ID_OF_CLIENT[not Client-ID]}/

path was actually correct.

The "unknown error" occurred because the request sent a single role object instead of an array. Putting the request in [] solves the issue.

With this body it works:

[{
    "id":"{ROLE_ID}",
    "name":"IamATEstRolE"
}]

Upvotes: 1
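The working call from the answer above, as an added Python example that is not part of the original posts or of Keycloak's own code: it builds the POST for the group client-role mapping path, always sends a JSON array even for one role, and percent-encodes every path segment. The host name, token, function names and the `clientId` lookup query are assumptions added here; requiring both `id` and `name` mirrors the body shown in the answer.

```python
import json
import urllib.parse
import urllib.request


def _admin_url(base, realm, *segments):
    """Build an admin API URL, percent-encoding every path segment."""
    parts = [urllib.parse.quote(s, safe="") for s in (realm, *segments)]
    return base.rstrip("/") + "/auth/admin/realms/" + "/".join(parts)


def client_lookup_request(base, realm, client_id, token):
    """GET clients filtered by clientId; the match's "id" field is the client UUID."""
    query = urllib.parse.urlencode({"clientId": client_id})
    return urllib.request.Request(
        _admin_url(base, realm, "clients") + "?" + query,
        headers={"Authorization": "Bearer " + token},
    )


def group_client_role_request(base, realm, group_id, client_uuid, roles, token):
    """POST client roles to a group; the body is always a JSON array."""
    if isinstance(roles, dict):  # a lone role object is what caused "unknown error"
        roles = [roles]
    for role in roles:
        if not role.get("id") or not role.get("name"):
            raise ValueError("each role needs 'id' and 'name'")
    body = json.dumps([{"id": r["id"], "name": r["name"]} for r in roles])
    return urllib.request.Request(
        _admin_url(base, realm, "groups", group_id,
                   "role-mappings", "clients", client_uuid),
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    req = group_client_role_request(
        "http://keycloak.example:81", "master", "GROUP_ID", "CLIENT_UUID",
        {"id": "ROLE_ID", "name": "IamATEstRolE"}, "ACCESS_TOKEN")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To send: urllib.request.urlopen(req)
```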
