6

How can I set a user attribute value using the Keycloak REST API?


dreamcrash
max_b

1 Answer

10

Update: The /auth path was removed starting with the Keycloak 17 Quarkus distribution, so you might need to remove /auth from the endpoint calls presented in this answer.


To set a user attribute using the Keycloak Admin REST API, you use the endpoint:

PUT <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/users/<USER_ID>

with the payload

{"attributes":{"<ATTRIBUTE_NAME>":["<ATTRIBUTE_VALUE>"]}}

You can get the <USER_ID> using the endpoint:

GET <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/?username=<THE_USERNAME>

From the JSON response, extract the field id.


Step-by-Step:

You can get that information using the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. For now, I will be using the admin user from the master realm:

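# --data-urlencode keeps credentials containing &, + or = intact in the form body
curl "https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token" \
    -d "client_id=admin-cli" \
    --data-urlencode "username=$ADMIN_NAME" \
    --data-urlencode "password=$ADMIN_PASSWORD" \
    -d "grant_type=password"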

You will get a JSON response with the admin's token. Extract the value of property access_token from that response. Let us save it in the variable $ACCESS_TOKEN for later reference.

To get the user id from your realm $REALM_NAME:

# Quote the URL: an unquoted & would background the command and drop exact=true
curl -X GET "https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/?username=${USERNAME}&exact=true" \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN"

From the response, extract the user id, for example as follows:

jq -r '.[].id'

Or even cleaner is to passed to the

To set the user attribute:

curl -X PUT "https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/${USER_ID}" \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN" \
     -d '{"attributes":{"<ATTRIBUTE_NAME>":["<ATTRIBUTE_VALUE>"]}}'

You can also have a look at the setUser script on my GitHub repo.

dreamcrash
  • Thanks! That is helpful. If, like me, you are using a later version of Keycloak (20.0.2) and need to understand how to add the appropriate roles to your properly permissioned admin user, this might help: https://stackoverflow.com/questions/75075983/keycloak-20-0-2-i-am-not-seeing-the-realm-roles-in-user-role-mapping/75079171 – Murrah Jan 11 '23 at 22:07
  • Also this post about creating the KC admin side of things. And note recent KC versions insist your KC client uses `confidential` authentication and a client secret. https://medium.hexadefence.com/keycloak-admin-rest-api-63a294814e1b – Murrah Jan 11 '23 at 22:14
  • Thanks for the links @Murrah, yes whenever possible you should add the additional security layer of having to specify the client secret – dreamcrash Jan 12 '23 at 05:15
  • 1
    Yes, done. I can now update my KC user's attributes from my Quarkus app. Very cool. And just to say the "you" in my comments was for others who might find this - I get you are across all of this! ;-) – Murrah Jan 12 '23 at 06:45
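
The three steps from the answer above (token, user lookup, attribute update) as one Python script. This is an added example, not part of the original answer or the author's setUser script. It URL-encodes the username, rejects an ambiguous lookup, and merges the new attribute into the user's existing ones before the PUT, on the assumption that Keycloak treats the attributes map in the PUT body as the user's complete attribute set. The function names and the `base` parameter are hypothetical.

```python
import json
import urllib.parse
import urllib.request

def call(method, url, token=None, form=None, body=None):
    """Send one request to Keycloak and return the decoded JSON (None if empty)."""
    headers, data = {}, None
    if token:
        headers["Authorization"] = "Bearer " + token
    if form is not None:
        data = urllib.parse.urlencode(form).encode()  # form fields are URL-encoded
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def pick_user_id(users, username):
    """Return the id of the single exact match; refuse zero or several hits."""
    hits = [u["id"] for u in users if u.get("username", "").lower() == username.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one user {username!r}, found {len(hits)}")
    return hits[0]

def merged_attributes(user, name, value):
    """Copy the user's current attributes and set one; each value is a list of strings."""
    # Assumption: attributes left out of the PUT body would be dropped, so keep them.
    attrs = {k: list(v) for k, v in (user.get("attributes") or {}).items()}
    attrs[name] = [value]
    return attrs

def set_user_attribute(base, realm, admin, password, username, name, value):
    """base is https://<KEYCLOAK_HOST>/auth (without /auth on Keycloak 17+)."""
    token = call("POST", f"{base}/realms/master/protocol/openid-connect/token",
                 form={"client_id": "admin-cli", "username": admin,
                       "password": password, "grant_type": "password"})["access_token"]
    users_url = f"{base}/admin/realms/{urllib.parse.quote(realm, safe='')}/users"
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    user_id = pick_user_id(call("GET", f"{users_url}?{query}", token), username)
    user = call("GET", f"{users_url}/{user_id}", token)
    attrs = merged_attributes(user, name, value)
    call("PUT", f"{users_url}/{user_id}", token, body={"attributes": attrs})
    return attrs
```
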