Is there a way to get a list of users on a Keycloak realm via REST WITHOUT using an admin account? Maybe some sort of assignable role from the admin console? Looking for any ideas.

Right now I'm using admin credentials to grab an access token, then using that token to pull users from the realm/users endpoint.

Getting the token (from node.js app via request):

const request = require('request');

request.post({
  uri: `${keycloakUri}/realms/master/protocol/openid-connect/token`,
  form: {
    grant_type: 'password',
    client_id: 'admin-cli',
    username: adminUsername,
    password: adminPassword,
  },
  json: true,
}, (err, res, body) => { /* body.access_token is the admin access token */ });

Using the token:

request.get({
  uri: `${keycloakUri}/admin/realms/${keycloakRealm}/users`,
  headers: {
    'authorization': `bearer ${passwordGrantToken}`,
  },
  json: true,
}, (err, res, users) => { /* users: array of UserRepresentation objects */ });

I want to be able to use generic user info (usernames, emails, fullnames) from a client application.

Borja Canseco
  • I'm trying to get the lastLogin for every user. So far I get lastAccess, but only for the users that are logged in; if I log out and change user I now get lastAccess for that new user, and it doesn't save the one before. Any help? – viruskimera Aug 22 '19 at 21:45


You need to assign the view-users role from the realm-management client, for the desired user. That would be the configuration for the user:

[screenshot: role mappings of the user in the admin console]

Then you can grab all the users from the ${keycloakUri}/admin/realms/${keycloakRealm}/users endpoint. That's the info retrieved from the endpoint, accessed via Postman:

[screenshot: JSON response of the users endpoint in Postman]

Also, unrelated to the asked question, I strongly encourage you not to use grant_type=password unless you absolutely need to. From the Keycloak blog:

RESULT=`curl --data "grant_type=password&client_id=curl&username=user&password=password" http://localhost:8180/auth/realms/master/protocol/openid-connect/token`

This is a bit cryptic and luckily this is not how you should really be obtaining tokens. Tokens should be obtained by web applications by redirecting to the Keycloak login page. We're only doing this so we can test the service as we don't have an application that can invoke the service yet. Basically what we are doing here is invoking Keycloak's OpenID Connect token endpoint with grant type set to password, which is the Resource Owner Credentials flow that allows swapping a username and a password for a token.

See also the OAuth2 spec.

Aritz
  • Thank you for your answer. What would you recommend instead of a password grant? The node.js app that will be getting users is a purely dev-only app that needs to read users - it'll be running in a cron-job type setup on a secured server. Right now it's using admin creds stored in a local JSON file to do the reading. I can switch those admin creds in the JSON file for the creds of a user with ONLY the view-users role as you described above. Is there a better way? – Borja Canseco Oct 04 '17 at 13:45
  • If it's a cron accessing the users I would rather go with [client credentials grant](https://auth0.com/docs/api-auth/tutorials/client-credentials). This way you store your client secret in the local JSON and you log in as a CLIENT (I don't know if this is implemented in the adapter, but otherwise it's easy to do it manually, check out my link). Then you have to manage the token exactly the same way it would be for a user (refreshing it). See also https://stackoverflow.com/questions/41756879/keycloak-client-credentials-flow-clarification Happy code ;-) – Aritz Oct 04 '17 at 13:59
  • Thanks for the explanation. I also need to retrieve the roles (realm roles) endorsed by users. When reading the API documentation [here](http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_users_resource), it appears that the `UserRepresentation` should have some `realmRoles` attributes, but no attributes appear with this solution ... – lbroudoux Feb 20 '18 at 14:01
  • Hello, I guess you need to retrieve them through the dedicated endpoint for the roles. The docs mark this property as optional, and it doesn't seem to be filled, at least in earlier versions of KC: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Realm-Roles-not-returned-on-search-td1401.html – Aritz Feb 20 '18 at 14:08
  • @XtremeBiker Hi, I am very new to Keycloak; can you please help me to achieve my goal? First I need to pass the user to the Keycloak REST API to get the token; after getting the token I need to pass this token with my REST API. But I cannot find any API to interact with the Keycloak server to get the token. Please help me. – Rohitesh Mar 30 '18 at 09:51
  • @XtremeBiker When I am trying to call ${keycloakUri}/admin/realms/${keycloakRealm}/users it's giving me 401 Unauthorized. It seems I need a token here also. – Rohitesh Mar 30 '18 at 09:53
  • @XtremeBiker I am new to Keycloak, and I need to get user details including groups and roles related to a user from the Keycloak REST API. I am using the following link to get the user details. URI: GET /admin/realms/{realm}/users/{id} Link: https://www.keycloak.org/docs-api/3.0/rest-api/index.html#_users_resource Here I am getting user details, but groups and roles are not there in that JSON. Kindly help to resolve this issue. – Dreamer Mar 19 '19 at 07:05
  • JSON returned by the API: { "id":"1fdtt566-ghjj78-yuty", "createdTimestamp":13551179880, "username":"asha", "enabled":true, "totp":false, "emailVerified":false, "firstName":"Asha", "lastName":"Das", "email":"asha@gmail.com", "disableableCredentialTypes":[ "password" ], "requiredActions":[ ], "notBefore":15544558, "access":{ "manageGroupMembership":true, "view":true, "mapRoles":true, "impersonate":true, "manage":true } } The things in which I am interested are not there, i.e. groups and roles. – Dreamer Mar 19 '19 at 07:21
  • @XtremeBiker Is there a way to set the realm-management role, i.e. manage-users, through the REST API? – humbleCoder Jun 04 '19 at 12:14
  • @humbleCoder sure there is. The admin console is a mere UI client for the KC rest API. – Aritz Jun 04 '19 at 12:17
  • @XtremeBiker: great, could you please answer this question? I have asked the same there. https://stackoverflow.com/questions/56442029/whats-the-rest-call-to-assign-client-roles-realm-management-to-a-service-acco – humbleCoder Jun 04 '19 at 12:21
  • I'm trying to get the lastLogin for every user. So far I get lastAccess, but only for the users that are logged in; if I log out and change user I now get lastAccess for that new user, and it doesn't save the one before. Any help? – viruskimera Aug 22 '19 at 21:44
  • How can I get all users along with their groups and roles? – Satya Ram Apr 02 '20 at 07:16
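Putting the answer's view-users role together with the client credentials grant suggested in the comments, here is an added example (not code from the question, the answer, or Keycloak itself) for Node 18+: a dedicated service-account client holding only realm-management/view-users fetches a token from the target realm and lists users, after checking its own token for that role. The client id, secret and realm name are assumed placeholders, and fetchFn is injectable so the flow can be exercised without a server.

```javascript
// Decode a JWT's payload without verifying it: we only inspect a token we
// just received ourselves from Keycloak, never one presented by a third party.
function decodeJwtPayload(token) {
  const payload = token.split('.')[1];
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

// Roles on the realm-management client, as Keycloak carries them in the
// access token under resource_access.
function realmManagementRoles(token) {
  const claims = decodeJwtPayload(token);
  return claims.resource_access?.['realm-management']?.roles ?? [];
}

// Client credentials grant against the target realm (not master): the
// service-account client lives in that realm and no user password is stored.
// clientId/clientSecret/realm are placeholders to be filled from your config.
async function getServiceAccountToken(keycloakUri, realm, clientId, clientSecret, fetchFn = fetch) {
  const res = await fetchFn(`${keycloakUri}/realms/${realm}/protocol/openid-connect/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'client_credentials', client_id: clientId, client_secret: clientSecret }),
  });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// List users through the admin endpoint from the answer, refusing to run with
// a token that lacks view-users and flagging any extra realm-management roles.
async function listUsers(keycloakUri, realm, token, fetchFn = fetch) {
  const roles = realmManagementRoles(token);
  if (!roles.includes('view-users')) throw new Error('token lacks realm-management/view-users');
  const extra = roles.filter(r => r !== 'view-users');
  if (extra.length) console.warn(`service account is over-privileged: ${extra.join(', ')}`);
  const res = await fetchFn(`${keycloakUri}/admin/realms/${realm}/users`, {
    headers: { authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`users endpoint returned HTTP ${res.status}`);
  const users = await res.json();
  // Keep only the generic fields the question asked for.
  return users.map(u => ({
    username: u.username,
    email: u.email,
    fullName: [u.firstName, u.lastName].filter(Boolean).join(' '),
  }));
}
```

Assigning view-users to the client's service-account user is done in the admin console exactly as the answer shows for a regular user, under the client's Service Account Roles tab.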