In Keycloak, every realm has default roles which are assigned to a new user. This also assigns Client Default Roles. I want to update the built-in client account default roles and maintain them as part of config as code.

I did not find any REST API for managing Client Default Roles for a realm. For example, using the Terraform keycloak_default_roles resource, I can control the realm global roles, but I did not find a way to control the Client Default Roles. Can someone help here?

Update: What I am trying to achieve is this: we want to enable the edit username option, but only for admins; users should not be able to change either username or email from their profile.

Sirish
  • Does this help: https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs/resources/role#example-usage-client-role? – Marko E Sep 02 '22 at 12:17
  • @MarkoE I do not want to modify the roles in the client itself but rather remove some roles of built-in clients from defaultRoles, which will be assigned to the new user. I did not see any option in this resource to do that – Sirish Sep 02 '22 at 13:24
  • @Sirish do you want to remove all the defaultRoles from the client or really just some of them? – dreamcrash Sep 02 '22 at 17:37
  • @dreamcrash I want to remove only manage-account default client role for account client using config-as-code – Sirish Sep 03 '22 at 06:22

1 Answer

This REST API can control the default roles for new users in a realm.

Get default roles list

GET {Keycloak URL}/admin/realms/{realm}/roles-by-id/{default-roles-realmId}/composites

Add custom role into default role

POST {Keycloak URL}/admin/realms/{realm}/roles-by-id/{default-roles-realmId}/composites

Delete custom role from default role

DELETE {Keycloak URL}/admin/realms/{realm}/roles-by-id/{default-roles-realmId}/composites

In this demo, I will show these steps

1 Get master token. See this step first

2 Get role list

http://localhost:8180/auth/admin/realms/test-realm/roles

3 Get the default roles for test-realm, using the default-roles-test-realm ID from step 2

http://localhost:8180/auth/admin/realms/test-realm/roles-by-id/f3af5fc6-2829-4330-be45-a9fbc39c4b02/composites

4 Add custom role in test-realm

http://localhost:8180/auth/admin/realms/test-realm/roles

In body

{
    "name": "realm_custom_default_role",
    "description": ""
}

The returned status should be 201 Created

5 Add it to the default role for new users

In the body, this is obtained from step 2 after step 4

[
    {
        "id": "736b0d92-60b9-40ee-9d1f-dd13bc631975",
        "name": "realm_custom_default_role",
        "description": "",
        "composite": false,
        "clientRole": false,
        "containerId": "fb2137dd-68b0-473a-aab1-b0b5305b429a"
    }
]

6 Get the default role list again to confirm the role from step 5 was added

7 Add a new user and get its roles to check that the default role applied includes the new custom role

8 Delete the custom role from the default role

In the body,

[
    {
        "id": "736b0d92-60b9-40ee-9d1f-dd13bc631975",
        "name": "realm_custom_default_role",
        "description": "",
        "composite": false,
        "clientRole": false,
        "containerId": "fb2137dd-68b0-473a-aab1-b0b5305b429a"
    }
]

The returned status should be 204 No Content

Bench Vue
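The steps in the answer above can be scripted for config as code. The following is an added example, not code from the original post: it goes one step beyond the answer by matching on the `clientRole` flag as well as the name, on the assumption that client roles such as the account client's manage-account appear in the same composites list with `"clientRole": true`. The function names, the `TOKEN` placeholder and the in-memory `fake_keycloak` stand-in are hypothetical.

```python
import json
import urllib.request

def http_call(method, url, token, body=None):
    """Send one Admin REST request; return (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def remove_default_roles(base, realm, token, unwanted, call=http_call):
    """Drop (name, clientRole) pairs from default-roles-<realm>; idempotent."""
    admin = f"{base}/admin/realms/{realm}"
    _, roles = call("GET", f"{admin}/roles", token)              # step 2
    role_id = next(r["id"] for r in roles
                   if r["name"] == f"default-roles-{realm}")
    url = f"{admin}/roles-by-id/{role_id}/composites"
    _, current = call("GET", url, token)                         # step 3
    doomed = [r for r in current if (r["name"], r["clientRole"]) in unwanted]
    if doomed:                                                   # step 8
        status, _ = call("DELETE", url, token, doomed)
        if status != 204:
            raise RuntimeError(f"unexpected status {status}")
    return [r["name"] for r in doomed]

def fake_keycloak():
    """Constructed in-memory stand-in for the server, so this runs offline."""
    state = {"composites": [
        {"id": "id-1", "name": "offline_access", "clientRole": False},
        {"id": "id-2", "name": "manage-account", "clientRole": True},
        {"id": "id-3", "name": "view-profile", "clientRole": True}]}

    def call(method, url, token, body=None):
        if url.endswith("/roles"):
            return 200, [{"id": "id-0", "name": "default-roles-test-realm"}]
        if method == "DELETE":
            gone = {r["id"] for r in body}
            state["composites"] = [r for r in state["composites"]
                                   if r["id"] not in gone]
            return 204, None
        return 200, list(state["composites"])
    return call, state

if __name__ == "__main__":
    call, _ = fake_keycloak()
    print(remove_default_roles("http://localhost:8180/auth", "test-realm",
                               "TOKEN", {("manage-account", True)}, call))
```

Against a real server, omit the `call` argument and pass the token from step 1; a second run finds nothing to remove and sends no DELETE.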