Keycloak User Roles missing in REST API
G

5

26

I would like to ask if somebody knows why there are no roles within the user details in the REST Admin API request. I saw some posts dealing with this topic, but there was either no clear answer or they proposed using keycloak-admin-client, but that does not seem very convenient. Maybe I need to map the roles in the Admin console or use claims? Roles are one of the most important user attributes, so what's the reason they are not retrieved like other user attributes? Any suggestions? Thanks

GET /auth/admin/realms/{realm}/users 

{
  "id": "efa7e6c0-139f-44d8-baa8-10822ed2a9c1",
  "createdTimestamp": 1516707328588,
  "username": "testuser",
  "enabled": true,
  "totp": false,
  "emailVerified": false,
  "firstName": "Test",
  "lastName": "User",
  "email": "[email protected]",
  "attributes": {"xxx": ["123456"]},
  "disableableCredentialTypes": ["password"],
  "requiredActions": []
}
Geriatric answered 26/1, 2018 at 8:50 Comment(0)
G
39

You are not getting roles in the user details because the REST API is strictly resource based and roles are separate objects that are just associated with a user. The following REST URLs can be used to get a user's roles:
Getting the associated realm roles:
GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/realm
Getting the associated role of a specific client:
GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/clients/{client-uuid}

Game answered 28/1, 2018 at 10:41 Comment(3)
I also have the same question: I need the roles and groups associated with a user. To get that I am using keycloak.org/docs-api/3.0/rest-api/index.html#_users_resource, URI: GET /admin/realms/{realm}/users/{id}. According to the documentation provided at the above link, it should provide user details including roles and groups as well. - Affable
Since roles and groups are missing from the response, it causes major efficiency problems, as sometimes there must be about 20 requests to search users by name, roles and groups. - Thickness
Even though I have mapped roles for a user, GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/realm returns an empty result. - Eryn
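The per-user lookups from this answer, combined into one paged listing with a cap on concurrent requests, as an added example that is not part of the original posts. `httpGet`, `makeFakeGet` and the sample data are assumptions made for illustration; `first` and `max` are the paging parameters of the Admin API users listing.

```javascript
// Added example. `httpGet(path)` is a hypothetical helper supplied by the caller:
// it sends an authenticated GET to the Keycloak base URL and returns parsed JSON.
const adminBase = (realm) => `/auth/admin/realms/${encodeURIComponent(realm)}`;

// Run `worker` over `items` with at most `limit` requests in flight.
async function mapLimited(items, limit, worker) {
  const out = new Array(items.length);
  let next = 0;
  const run = async () => {
    while (next < items.length) {
      const i = next++;
      out[i] = await worker(items[i]);
    }
  };
  await Promise.all(Array.from({ length: Math.min(limit, items.length) }, run));
  return out;
}

// One page of users, each joined with its realm roles and (optionally) client roles.
async function listUsersWithRoles(httpGet, realm, { first = 0, max = 10, clientUuid } = {}) {
  const base = adminBase(realm);
  const users = await httpGet(`${base}/users?first=${first}&max=${max}`);
  return mapLimited(users, 5, async (u) => {
    // Encode ids before placing them in the path so a crafted value cannot change the route.
    const mappings = `${base}/users/${encodeURIComponent(u.id)}/role-mappings`;
    const realmRoles = await httpGet(`${mappings}/realm`);
    const clientRoles = clientUuid
      ? await httpGet(`${mappings}/clients/${encodeURIComponent(clientUuid)}`)
      : [];
    return {
      id: u.id,
      username: u.username,
      realmRoles: realmRoles.map((r) => r.name),
      clientRoles: clientRoles.map((r) => r.name),
    };
  });
}

// Constructed sample responses standing in for a Keycloak server (not real output).
function makeFakeGet() {
  const calls = [];
  const data = {
    '/auth/admin/realms/demo/users?first=0&max=10': [{ id: 'u-1', username: 'testuser' }, { id: 'u-2', username: 'norole' }],
    '/auth/admin/realms/demo/users/u-1/role-mappings/realm': [{ name: 'offline_access' }],
  };
  const get = async (path) => { calls.push(path); return data[path] ?? []; };
  return { get, calls };
}
```

Each page costs one listing request plus one role lookup per user (two per user when `clientUuid` is given), which is the request overhead the comments above describe.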
D
2

I have also tried to get this information in the scope of one call, since based on the Keycloak API documentation we can do it. But no results. I have also tried to use different Mappers for the client, using which we can add some information to the token data, user info, and so on. But it looks like we cannot get that information using the GET /auth/admin/realms/{realm}/users endpoint. It's also not working for the GET /auth/admin/realms/{realm}/users/{userId} endpoint.

In my case, I need to get the users list, with pagination and a search option, and I need information about the client roles which are assigned to the user, and the groups the user is in.

Due to that, I need to make a lot of API calls. I need to get the users list, then for each user I need to get the user's groups and client roles by additional API calls, and then combine that information. Also, make an API call to get the users count. But it's not really reasonable to have more than 20 API calls to get the needed information for 10 users.

So, what I did:

As an alternative way, I have connected my Nest.js application to the Keycloak database directly and did what I needed with one SQL query using TypeORM. I have created the models, with relations, and did it so easily.

In my case, I have used USER_ENTITY, USER_ROLE_MAPPING, KEYCLOAK_ROLE, USER_GROUP_MEMBERSHIP, KEYCLOAK_GROUP tables.

It worked well. The only thing is that maybe future Keycloak versions will add some changes in the DB structure... In that case, the changes should be investigated and the Keycloak version should be updated after changes in the models.

If you are doing something like my solution, be sure that you are not changing anything in the Keycloak database. Or, if you want to do inserting or removing operations without using Keycloak API, be sure that you have all information about the Keycloak database structure. There are actually about 93 tables.

Disturbance answered 30/7, 2021 at 14:51 Comment(2)
I am facing the same issue here. How did you connect your Nest.js to the Keycloak database? - Advantageous
@Advantageous In that case, I did it using TypeORM with the credentials of the Keycloak database. I have created a module to work with the Keycloak database and restricted the access to change something in the DB, but exposed an ability to get data. - Disturbance
S
1

You can get all the role mappings for the user using the following: GET /{realm}/users/{id}/role-mappings

Subordinary answered 11/10, 2022 at 22:4 Comment(0)
W
0

You can try the following:

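const axios = require('axios');

// `headers` is assumed to carry the user's bearer token; `tokenResponse` is
// assumed to be the axios response of a token request for an account that
// may call the admin API. Neither was defined in the original snippet.
async function getUserRealmRoles(baseURL, realm, headers, tokenResponse) {
  // Step 1: Get user information
  const userInfoResponse = await axios.get(
    `${baseURL}/auth/realms/${realm}/protocol/openid-connect/userinfo`,
    { headers }
  );

  // Step 2: Configure headers for the admin API request
  const config = {
    headers: {
      Authorization: `Bearer ${tokenResponse.data.access_token}`,
      'Content-Type': 'application/json',
    },
  };

  // Step 3: Retrieve role mappings for the user
  const response = await axios.get(
    `${baseURL}/auth/admin/realms/${realm}/users/${userInfoResponse.data.sub}/role-mappings/realm`,
    config
  );
  return response.data;
}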

This solved my problem with Keycloak v.15.

Woodrow answered 29/5, 2023 at 14:2 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. - Emie
I
0

Looking from the Developer Tools (Ctrl+Shift+I, or rather F12), I found that you can GET it by sending a request to the following endpoint:

{{keycloak_url}}/admin/realms/{{realm}}/ui-ext/effective-roles/users/{{userId}}

passing the necessary parameters, as well as all that is necessary, from the authentication point of view.

Ib answered 23/11, 2023 at 21:45 Comment(0)
