Keycloak - Get all Users mapped to roles


Solution 1

There is an outstanding feature request asking for this function via the API.

In the meantime, if your requirement is once-off, you could obtain the user names (or email addresses) by interrogating the database, joining KEYCLOAK_ROLE to USER_ROLE_MAPPING to USER_ENTITY.

Something like:

SELECT username
FROM keycloak_role kr 
   JOIN user_role_mapping rm ON kr.id = rm.role_id
   JOIN user_entity ue ON rm.user_id = ue.id
WHERE kr.name = 'your_role_name';

Solution 2

Based on the documentation it appears to be this API:

GET /{realm}/clients/{id}/roles/{role-name}/users

It has been there for a while. In this older version, however, it was not possible to get more than 100 users this way. This was fixed later, and pagination was added.
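
An added example, not part of the answer above or of Keycloak's own code: walking the role's users endpoint page by page with the Admin REST API's `first` and `max` query parameters, so that a role with more than 100 members is listed in full. The helper names, the caller-supplied `users_url` and the 250-user sample data are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request


def http_fetch(users_url, token):
    """Page fetcher for a role's .../users endpoint; users_url comes from the caller."""
    def fetch(first, max_results):
        query = urllib.parse.urlencode({"first": first, "max": max_results})
        req = urllib.request.Request(f"{users_url}?{query}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


def users_with_role(fetch, page_size=100, max_pages=1000):
    """Collect every member of a role by requesting pages until a short one arrives."""
    seen, users = set(), []
    for page_no in range(max_pages):
        page = fetch(page_no * page_size, page_size)
        for user in page:
            # Membership changes during the walk can shift page boundaries,
            # so de-duplicate on the user id.
            if user["id"] not in seen:
                seen.add(user["id"])
                users.append(user)
        if len(page) < page_size:
            return users
    # Refuse to return a silently truncated list.
    raise RuntimeError("page limit reached; result may be incomplete")


# Constructed sample data standing in for a server: 250 users hold the role.
SAMPLE_USERS = [{"id": f"u{i}", "username": f"user{i}", "email": f"user{i}@example.test"}
                for i in range(250)]


def sample_fetch(first, max_results):
    """Offline stand-in for http_fetch(...) that serves slices of SAMPLE_USERS."""
    return SAMPLE_USERS[first:first + max_results]


if __name__ == "__main__":
    members = users_with_role(sample_fetch)
    print(len(members), "members in total;",
          len(sample_fetch(0, 100)), "returned by a single request")
```

Against a live server, pass `http_fetch(users_url, token)` in place of `sample_fetch`, with an admin access token that is allowed to view users.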

Solution 3

Here is another interesting query, which would also display other useful fields.

SELECT kr_role.REALM_ID 'Realm', cl.CLIENT_ID 'Realm Client', 
    kr_role.NAME 'Role Name', 
    kr_role.DESCRIPTION 'Role Description', 
    user_ent.USERNAME 'Domain ID', user_ent.EMAIL 'Email'
  FROM keycloak_role kr_role, user_role_mapping role_map, 
    user_entity user_ent, client cl
  WHERE role_map.USER_ID = user_ent.ID
  AND kr_role.ID = role_map.ROLE_ID
  AND kr_role.CLIENT = cl.ID
  AND cl.REALM_ID = '<realm_name>'
  AND cl.CLIENT_ID = '<client_name>'
  ORDER BY 1, 2, 3;

Solution 4

This should now be possible with the updated REST endpoint.

Set<UserRepresentation> usersOfRole = realmResource.roles().get(roleName).getRoleUserMembers();
Comments

  • Ankur Singhal
    Ankur Singhal almost 2 years

    I know Keycloak has exposed the API below,

    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-services</artifactId>
        <version>2.0.0.Final</version>
    </dependency>
    

    With complete documentation here. I cannot find the required API here to fetch all users with a specific role mapped to them.

    Problem Statement - I need to pick all users from the Keycloak server who have a specific role. I need to send email to all users with the role mapped to them.

  • Ankur Singhal
    Ankur Singhal almost 8 years
    Excellent stuff, thanks for sharing. Plus they have an admin module as well for such kinds of queries, right?
  • Orkun Ozen
    Orkun Ozen about 6 years
    How can we do this with the Java client API?
  • Sooraj ER
    Sooraj ER about 4 years
    This query is showing only the manually assigned users. For me, we have an LDAP server from which roles are synced, and this query is not returning the users who have role access (read from LDAP).
  • João Matos
    João Matos about 3 years
    Your link seems to be broken. Working link: issues.redhat.com/browse/KEYCLOAK-1902?_sscc=t
  • David Hladky
    David Hladky over 2 years
    Thank you for modifying the link. It looks like the old version of the documentation was dropped.