Keycloak - user attributes that are specific to groups

2

1

I'm using Keycloak as an identity provider in my app. However, I could not find anywhere how to give a user an attribute whose value would be specific to a group. For example: a role within the group ("user", "admin"...), a “pending invitation” status, etc.

Is this even possible, or should I make an external table in my database, mapping user ids with group ids and adding the other attributes? This additional table would be bothersome in terms of architecture.

Have a great day!

Antoine

Stelly answered 25/7, 2022 at 7:31 Comment(0)
1

Keycloak doesn't support assigning attributes/roles with the group scope. It only supports having roles that are "client" specific. As you mentioned yourself, you have to implement a custom provider and persist them in your own storage.

Hamel answered 25/7, 2022 at 8:54 Comment(0)
0

You can set a user's attribute with the role name/id and status.

This API call can do it:

PUT {Keycloak URL}/auth/admin/realms/{realm-name}/users/{user-id} OR

PUT {Keycloak URL}/admin/realms/{realm-name}/users/{user-id}

It depends on your Keycloak version.

And get the user's value with this API:

GET {Keycloak URL}/auth/admin/realms/{realm-name}/users/?username={user-name} OR

GET {Keycloak URL}/admin/realms/{realm-name}/users/?username={user-name}

This is a demo using Postman.

Set user's attributes

Get user's attributes

For getting the token and setting the token, see the relevant part of this answer here.

Trigger answered 25/7, 2022 at 9:27 Comment(5)
How is the "Pending invitation" attribute that you mentioned scoped to a specific group? - Hamel
No, it is not linked with role at all. It is a hard-coded part, the same as the example he mentioned. I agree, as you mentioned, that coupling role and user attribute by own custom logic is not a good idea. - Trigger
The reason I asked was that the original question is about how to have an attribute that is bound to a specific group, not how to generally add an attribute to a user. - Hamel
It's still kind of a good workaround, since the key of the attribute can be the id of the group. - Stelly
Yes, you can put any key and values in a user's attribute. It needs extra custom logic and code. - Trigger
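The workaround from the answer and comments above, sketched as an added example (not code from any of the posters or from Keycloak): per-group role and status stored as user attributes keyed by group id, then sent back with the PUT shown in the answer. The `group.<group-id>.<field>` key scheme, the status values, the host name and the sample user are assumptions made for illustration.

```python
import json
from urllib.parse import quote

ALLOWED_ROLES = {"user", "admin"}                   # roles named in the question
ALLOWED_STATUS = {"active", "pending-invitation"}   # constructed status values
# Constructed sample of what the GET in the answer might return for one user.
SAMPLE_USER = {"id": "u-123", "username": "antoine", "attributes": {"locale": ["fr"]}}

def attr_key(group_id, field):
    # Hypothetical naming scheme: the group id is part of the attribute key.
    return f"group.{group_id}.{field}"

def set_group_attrs(user, group_id, role, status):
    """Return a copy of the user representation with this group's role/status set."""
    if role not in ALLOWED_ROLES or status not in ALLOWED_STATUS:
        raise ValueError("unexpected role or status value")
    attrs = dict(user.get("attributes") or {})    # keep attributes already present
    attrs[attr_key(group_id, "role")] = [role]    # attribute values are lists of strings
    attrs[attr_key(group_id, "status")] = [status]
    return {**user, "attributes": attrs}

def get_group_attrs(user, group_id):
    """Read role/status for one group; None for a field the user does not have."""
    attrs = user.get("attributes") or {}
    return {f: (attrs.get(attr_key(group_id, f)) or [None])[0] for f in ("role", "status")}

def build_put(base_url, realm, user, legacy_auth_path=False):
    """Build (method, url, body) for the PUT in the answer, without sending it.
    Assumption: the full representation read via GET is sent back, so the
    request does not drop fields or attributes it fails to mention."""
    prefix = "/auth" if legacy_auth_path else ""  # older versions use the /auth prefix
    path = f"/admin/realms/{quote(realm, safe='')}/users/{quote(user['id'], safe='')}"
    return "PUT", base_url.rstrip("/") + prefix + path, json.dumps(user, sort_keys=True)
```

Keycloak does not tie these keys to group membership, so removing the user from a group leaves the attributes in place unless your own code deletes them. Anyone able to call this endpoint can change a user's per-group role, so decisions based on these attributes depend on who holds user-management rights in the realm.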
