Keycloak - using admin API to add client role to user
You have to pass client UUID to the role-mappings REST method, not the ID that you specify when creating a client in admin UI. Use GET /admin/realms/{realm}/clients?clientId=realm-management REST method to find out the client UUID.
UPDATE
In Keycloak 6.0.1 to add a role it is required to pass role name and id.
Example:
POST /auth/admin/realms/{realm}/users/{user}/role-mappings/clients/{client}
[
  {
    "id": "0830ff39-43ea-48bb-af8f-696bc420c1ce",
    "name": "create-client"
  }
]
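The flow this answer describes, written out as an added example that is not part of the original answer: resolve the clientId to the client UUID, read the role's id and name from the `available` endpoint mentioned in the comments, then POST a bare JSON array. The names `add_client_role` and `http_send`, and the `base` parameter (the server URL, including `/auth` where the deployment uses it), are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

def http_send(method, url, token, body=None):
    """Default transport (assumed helper): returns (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def add_client_role(base, realm, user_id, client_id, role_name, token, send=http_send):
    """Map one client role to one user; returns the payload that was posted."""
    admin = f"{base}/admin/realms/{urllib.parse.quote(realm)}"
    # Step 1: the role-mappings URL needs the client's UUID, not its clientId.
    _, clients = send("GET", f"{admin}/clients?clientId={urllib.parse.quote(client_id)}", token)
    matches = [c for c in clients or [] if c.get("clientId") == client_id]
    if len(matches) != 1:
        raise LookupError(f"client {client_id!r} not found in realm {realm!r}")
    mappings = f"{admin}/users/{user_id}/role-mappings/clients/{matches[0]['id']}"
    # Step 2: look up the role representation so that id and name match the server.
    _, available = send("GET", f"{mappings}/available", token)
    role = next((r for r in available or [] if r.get("name") == role_name), None)
    if role is None:
        raise LookupError(f"role {role_name!r} is not available to map for this user")
    # Step 3: the body is a bare array of roles, not wrapped in {"roles": [...]}.
    payload = [{"id": role["id"], "name": role["name"]}]
    status, _ = send("POST", mappings, token, payload)
    if status != 204:  # 204 No Content is the success response seen in the thread
        raise RuntimeError(f"unexpected status {status} from role mapping")
    return payload
```

Passing only the one named role keeps the grant explicit: the function refuses to proceed if the client or the role cannot be matched exactly.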
Orzel94
Updated on October 08, 2022
Comments
-
Orzel94 over 1 year
I'm trying to use the Keycloak Admin API (https://www.keycloak.org/docs-api/3.0/rest-api/index.html#_users_resource) to create a user and assign client roles. I'm receiving a correct token, and the user is created, but assigning roles returns 404.
I'm using Postman to connect with API:
/auth/realms/{realmName}/protocol/openid-connect/token
Content-Type application/x-www-form-urlencoded <-with parameters ofc

/auth/admin/realms/{realmName}/users
Content-Type application/json
Authorization Bearer {TOKEN}
Body:
{
  "username": "name",
  "enabled": true,
  "emailVerified": false,
  "firstName": "first",
  "lastName": "last",
  "credentials": [
    {
      "type": "password",
      "value": "newPas1*",
      "temporary": false
    }
  ]
}
The above works for me, but the next one doesn't:
/auth/admin/realms/{realmName}/users/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/role-mappings/clients/realm-management
Content-Type application/json
Authorization Bearer {TOKEN}
Body:
{
  "roles": [
    {
      "id": "0830ff39-43ea-48bb-af8f-696bc420c1ce",
      "name": "create-client",
      "description": "${role_create-client}",
      "composite": false,
      "clientRole": true,
      "containerId": "344e7c81-e7a2-4a43-b013-57d7ed198eee"
    }
  ]
}
where 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' is userID returned during creation and create-client role exists
I need a way to add a client role via an HTTP request. I saw there are some Keycloak implementations for Java, but I'm using .NET Core, so that will be the target implementation, but I need to have a working request first, as you may guess.
-
Vadim Ashikhman almost 5 years
You can also go to admin console and open network tab of browser debug panel (chrome). There you will get all requests made to API.
-
Orzel94 almost 5 years
The endpoint takes one body parameter 'roles' as a RoleRepresentation array (as you mentioned), which has all parameters optional as the docs say, so it seems to be OK. On the other hand, I've succeeded in getting more info about the role by
GET /admin/realms/{realm}/users/{id}/role-mappings/clients/{client}/available
I've updated the JSON above but I'm still getting 500 :(
-
Vadim Ashikhman almost 5 years
@Orzel94 see my answer, I provided an example with correct JSON structure.
-
Orzel94 almost 5 years
With your JSON I have 204 No Content :/ Checked userid and clientid in URL and they are correct. User is also in the correct realm.
-
Vadim Ashikhman almost 5 years
200-299 codes indicate successful call. Check user roles, you will see the role you just added.
-
SalahAdDin about 3 years
Is it possible to call this API using a bearer only client?