21

I would like to ask, if somebody knows, why there are no roles within the user details in the REST Admin API response. I saw some posts dealing with this topic, but there was either no clear answer or they proposed using keycloak-admin-client, which does not seem very convenient. Maybe I need to map the roles in the Admin console or use claims? Roles are one of the most important user attributes, so what's the reason they are not retrieved like other user attributes? Any suggestions? Thanks

GET /auth/admin/realms/{realm}/users 

{
  "id": "efa7e6c0-139f-44d8-baa8-10822ed2a9c1",
  "createdTimestamp": 1516707328588,
  "username": "testuser",
  "enabled": true,
  "totp": false,
  "emailVerified": false,
  "firstName": "Test",
  "lastName": "User",
  "email": "test@xxx.com",
  "attributes": {"xxx": ["123456"]},
  "disableableCredentialTypes": ["password"],
  "requiredActions": []
}
troger19

4 Answers

36

You are not getting roles in the user details because the REST API is strictly resource based and roles are separate objects that are just associated with a user. The following REST URLs can be used to get a user's roles:
Getting the associated realm roles:
GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/realm
Getting the associated role of a specific client:
GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/clients/{client-uuid}

Boomer
  • 5
    I am also having the same question; I need the roles and groups associated with a user. To get that I am using: https://www.keycloak.org/docs-api/3.0/rest-api/index.html#_users_resource URI: GET /admin/realms/{realm}/users/{id} According to the documentation provided at the above link, it should provide user details including roles and groups. – Dreamer Mar 19 '19 at 08:47
  • 6
    Since roles and groups are missing from the response, it causes major efficiency problems, as there sometimes must be about 20 requests to search users by name, roles and groups – michealAtmi Jun 05 '20 at 11:36
  • Even though I have mapped roles for a user, GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/realm returns an empty result. – Süleyman Sümertaş Oct 28 '21 at 18:16
2

I have also tried to get this information in the scope of one call, since based on the Keycloak API documentation we can do it. But no results. I have also tried to use different Mappers for the client, with which we can add some information to the token data, user info, and so on. But it looks like we cannot get that information using the GET /auth/admin/realms/{realm}/users endpoint. It's also not working for the GET /auth/admin/realms/{realm}/users/{userId} endpoint.

In my case, I need to get the users list, with pagination and search option, and I need information about the client roles which are assigned to the user, and groups on which the user is in.

Due to that, I need to make a lot of API calls. I need to get the users list, then for each user I need to get the user's groups and client roles by additional API calls, and then combine that information. Also, make an API call to get the users count. But it's not really to have more than 20 API calls to get the needed information for 10 users.

So, what I did.

As an alternative way, I have connected my Nest.js application to the Keycloak database directly and did what I need by one SQL query using TypeORM. I have created the models, with relations and did it so easily.

In my case, I have used USER_ENTITY, USER_ROLE_MAPPING, KEYCLOAK_ROLE, USER_GROUP_MEMBERSHIP, KEYCLOAK_GROUP tables.

It worked well. The only thing is that future Keycloak versions may add some changes to the DB structure... In that case, the changes should be investigated and the Keycloak version should be updated after changes in the models.

If you are doing something like my solution, be sure that you are not changing anything in the Keycloak database. Or, if you want to do inserting or removing operations without using Keycloak API, be sure that you have all information about the Keycloak database structure. There are actually about 93 tables.

Dharman
CyberEternal
  • I am facing the same issue here. How did you connect your Nestjs to Keycloak Database? – Paul Sep 06 '22 at 13:57
  • 1
    @Paul In that case, I did it using the TypeORM using the credentials of the Keycloak database. I have created a module to work with the Keycloak Database and restricted the access to change something in the DB, but exposed an ability to get data. – CyberEternal Sep 06 '22 at 23:36
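
The per-user lookups described in the answers above, joined into one record per user through the Admin REST API instead of the database, as an added example that is not part of any post in this thread. `request` is a hypothetical injected GET helper, `clientUuid` and the sample responses are constructed, and the `/users/{id}/groups` path and the `first`/`max` paging parameters come from the Keycloak Admin REST API rather than from this page.

```javascript
// Added example. `request(path)` is a hypothetical injected function that does an
// authenticated GET on the admin API and resolves to the parsed JSON body.
async function mapLimit(items, limit, fn) {
  const out = new Array(items.length);
  let next = 0;
  const worker = async () => {
    while (next < items.length) {
      const i = next++; // claim an index before awaiting, so no item runs twice
      out[i] = await fn(items[i]);
    }
  };
  await Promise.all(Array.from({ length: Math.min(limit, items.length) }, worker));
  return out;
}

// One page of users, each joined with realm roles, one client's roles and groups.
async function listUsersWithAccess(request, opts) {
  const { realm, clientUuid, first = 0, max = 10, concurrency = 4 } = opts;
  const base = `/auth/admin/realms/${encodeURIComponent(realm)}`;
  const users = await request(`${base}/users?first=${first}&max=${max}`);
  return mapLimit(users, concurrency, async (u) => {
    const userPath = `${base}/users/${encodeURIComponent(u.id)}`;
    const [realmRoles, clientRoles, groups] = await Promise.all([
      request(`${userPath}/role-mappings/realm`),
      request(`${userPath}/role-mappings/clients/${encodeURIComponent(clientUuid)}`),
      request(`${userPath}/groups`),
    ]);
    const names = (list, key) => list.map((x) => x[key]).sort();
    return {
      id: u.id, username: u.username,
      realmRoles: names(realmRoles, 'name'),
      clientRoles: names(clientRoles, 'name'),
      groups: names(groups, 'path'),
    };
  });
}

// Constructed sample responses standing in for a server (not real output).
const B = '/auth/admin/realms/demo/users';
const SAMPLE = {
  [`${B}?first=0&max=10`]: [{ id: 'u-1', username: 'testuser' }, { id: 'u-2', username: 'auditor' }],
  [`${B}/u-1/role-mappings/realm`]: [{ name: 'offline_access' }, { name: 'admin' }],
  [`${B}/u-1/role-mappings/clients/c-1`]: [{ name: 'editor' }],
  [`${B}/u-1/groups`]: [{ path: '/staff' }],
  [`${B}/u-2/role-mappings/realm`]: [],
  [`${B}/u-2/role-mappings/clients/c-1`]: [],
  [`${B}/u-2/groups`]: [],
};
const seen = []; // every path requested, to make the call count visible
const stubRequest = async (p) => { seen.push(p); if (!(p in SAMPLE)) throw new Error(p); return SAMPLE[p]; };
```

Against a real server, `request` would wrap an HTTP client carrying a bearer token for an account restricted to read-only user access, so the lookup never needs the database credentials.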
1

You can get all the role mappings for the user using the following: GET /{realm}/users/{id}/role-mappings

Gerhard Powell
0

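You can try the following:

import axios from 'axios';

// baseURL, realm, headers and tokenResponse are assumed to be defined earlier:
// headers carries the bearer token sent to the userinfo endpoint, and
// tokenResponse is the response of the token request used for the admin API.

// Step 1: Get user information (the `sub` claim is the user's id)
const userInfoResponse = await axios.get(
  `${baseURL}/auth/realms/${realm}/protocol/openid-connect/userinfo`,
  { headers }
);

// Step 2: Configure headers for the admin API request
const config = {
  headers: {
    Authorization: `Bearer ${tokenResponse.data.access_token}`,
    'Content-Type': 'application/json',
  },
};

// Step 3: Retrieve the realm role mappings for the user
const response = await axios.get(
  `${baseURL}/auth/admin/realms/${realm}/users/${userInfoResponse.data.sub}/role-mappings/realm`,
  config
);

This solved my problem with Keycloak v.15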
