2

I'm having a problem assigning already existing realm roles when creating a user. Following the documentation, when creating a new user with `POST /{realm}/users`, the body parameter uses the UserRepresentation, which has an optional field called `realmRoles`. I already tried to assign them using the following schemas:

```json
[
    {
        "id": "123asd-3223r-wer23rwer-werwer",
        "name": "name-of-role-1"
    },
    {
        "id": "23wedf-wefwcs-dfsdf-sdf",
        "name": "name-of-role-2"
    }
]
```

```json
[
    {
        "id": "123asd-3223r-wer23rwer-werwer"
    },
    {
        "id": "23wedf-wefwcs-dfsdf-sdf"
    }
]
```

```json
["123asd-3223r-wer23rwer-werwer", "23wedf-wefwcs-dfsdf-sdf"]
```

```json
["name-of-role-1", "name-of-role-2"]
```

None of the above work. Either they are ignored, or I get an unknown error.

rocket_moon

1 Answer

6

You need to use the user's role mapping API instead of the user API.

```
POST {keycloak URL}/admin/realms/{my_realm}/users/{user-id}/role-mappings/realm
```

Body of the POST:

```json
[
  {
    "id": "{realm_role_id}",
    "name": "{realm_role_name}",
    "composite": false,
    "clientRole": false,
    "containerId": "{my_realm_id}"
  }
]
```

Detailed information is in the official Admin API documentation, in the "Add realm-level role mappings to the user" section.

Demo by Postman

1. Get the master access token and assign it to the token environment variable.

   Here is more detail on how to get the master token.

2. Get the users list with the #1 token.

3. Get the user with the #2 {user id}.

4. Get the realm ID with the #1 token.

5. Get the realm's roles list.

6. Set the user's realm role mapping with #5's realm role.

In the body, use array format; this means you can assign multiple realm roles.

POST URL

```
http://localhost:8180/auth/admin/realms/test/users/f3d78ca2-7bab-4aed-b1a4-8b98bf1be000/role-mappings/realm
```

`containerId` is #4's {realm_id}

`id` is #5's {role_id}

```json
[
  {
    "id": "b73643c4-5375-4f9d-b6d5-65dc7c719c68",
    "name": "name-of-role-2",
    "composite": false,
    "clientRole": false,
    "containerId": "a6d347b4-3fe8-4410-bda6-54dbf8e50903"
  }
]
```

The return status should be 204 No Content.

If not, something is wrong.

Finally, you can confirm the realm role assignment result.

If you want to confirm by API:

GET API

```
http://localhost:8180/auth/admin/realms/test/users/f3d78ca2-7bab-4aed-b1a4-8b98bf1be000/role-mappings/realm
```

Bench Vue
  • Thanks for your response, but you cannot add the ``realmRoles`` when creating a user? Only after creating the user, correct? – rocket_moon Sep 15 '22 at 16:41
  • Yes, you have to add (create) the user first, then you can add realmRoles. This is the only way to do it. There is no way to do both together. The reason: after adding realmRoles, a GET user API call does not include realmRoles information. You have to get it with a separate /role-mappings/realm API call. – Bench Vue Sep 15 '22 at 18:40
  • That is a bummer, the documentation is incorrect then. Also, I was trying to get a list of users with their roles in one API call, but it seems there is no way of doing it. Getting that information will take a lot of time for multiple users. For each user I have to call another route: the n+1 problem. – rocket_moon Sep 16 '22 at 19:32
  • This method saves a little time. #1 add the user with a user-name (ex: tom-kim), #2 get the user id by GET /{realm}/users/?username="tom-kim", which gives {user_id}, #3 add realmRoles with #2's {user_id}. OR, get all users and make a dictionary where the key is the username and the value is the user_id. It will save time too. – Bench Vue Sep 16 '22 at 20:45
  • [This method](https://stackoverflow.com/questions/62404844/map-json-data-from-array-with-several-properties) can map(or filter) username and user-id only. – Bench Vue Sep 16 '22 at 21:26
  • The problem/question above is different. I was asking if it is possible to get multiple users based on a condition with their respective roles in one call. Instead of ``GET /{realm}/users`` and then for each user ``GET /{realm}/users/{id}/role-mappings`` . Doing something like ``GET /{realm}/users/?withRoleMappings`` – rocket_moon Sep 17 '22 at 09:09
  • No, only `GET /{realm}/users/?someName=value` is available. `GET /{realm}/users` returns only JSON keys such as username, firstName, lastName or email. The `role-mappings` is not available. – Bench Vue Sep 17 '22 at 09:34
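
The lookup-then-assign flow from the answer (steps 2 to 6 and the confirming GET), as an added example that is not code from the question, the answer or Keycloak. The names `http_send`, `assign_realm_roles` and `demo_send` are hypothetical, the sample users and roles are constructed, and the admin token from step 1 is assumed to be obtained separately and passed to `http_send`.

```python
import json
import urllib.parse
import urllib.request

def http_send(token):
    """Real transport: send(method, url, body) -> (status, parsed JSON or None)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return send

def assign_realm_roles(send, base, realm, username, role_names):
    """Resolve the user id and role representations, POST the mapping, confirm it."""
    admin = f"{base}/admin/realms/{urllib.parse.quote(realm)}"
    # Steps 2-3: username -> user id; keep exact matches only, a search can return several.
    _, users = send("GET", f"{admin}/users?username={urllib.parse.quote(username)}")
    matches = [u for u in users if u["username"] == username]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user named {username!r}")
    # Step 5: list the realm's roles and pick the requested ones by name.
    _, roles = send("GET", f"{admin}/roles")
    by_name = {r["name"]: r for r in roles}
    missing = [n for n in role_names if n not in by_name]
    if missing:
        raise LookupError(f"unknown realm roles: {missing}")  # assign nothing
    # Step 6: body is an array of role representations; success is 204 No Content.
    url = f"{admin}/users/{matches[0]['id']}/role-mappings/realm"
    status, _ = send("POST", url, [by_name[n] for n in role_names])
    if status != 204:
        raise RuntimeError(f"role mapping failed with HTTP {status}")
    _, assigned = send("GET", url)  # confirm with the GET on the same URL
    return sorted(r["name"] for r in assigned)

def demo_send(method, url, body=None, _state={"mapped": []}):
    """Constructed in-memory stand-in for Keycloak so the example runs offline."""
    if method == "GET" and "/users?username=" in url:
        return 200, [{"id": "u-1", "username": "tom-kim"}, {"id": "u-2", "username": "tom-kim2"}]
    if method == "GET" and url.endswith("/roles"):
        return 200, [{"id": "r-1", "name": "name-of-role-1"}, {"id": "r-2", "name": "name-of-role-2"}]
    if method == "POST":
        _state["mapped"] = body
        return 204, None
    return 200, _state["mapped"]

if __name__ == "__main__":
    print(assign_realm_roles(demo_send, "http://localhost:8180/auth", "test", "tom-kim", ["name-of-role-2"]))
```

Against a real server, pass `http_send(token)` in place of `demo_send`; the function raises before sending the POST if the user or any requested role cannot be resolved.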