I want to change the associated client roles in my admin-sso role. I can change the associated realm roles but not the client roles.
Let's say I have a client role realm-management and I would like to add the role manage-identity-provider to the associated roles - how can I do it via. API?
I read the Keycloak 11.0 API docs but don't find the right path.
I added a screenshot on how I can do it via admin UI
Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.
From a high-level point of view you need to:
ID of the realm-management client; Endpoint GET /{realm}/clientsID of the admin-sso; Endpoint GET/realm/roles/{role-name}manage-identity-providers; Endpoint GET /{realm}/clients/{id}/roles/{role-name}manage-identity-providers to admin-sso; Endpoint POST /{realm}/roles-by-id/{role-id}/compositesIn case others are interested, I have uploaded a bash script on my GitHub repo that (among others) takes a realm role and a client role and assigns the client role to the realm role. So basically it automatizes the steps that I am about to describe.
Step-by-Step
I read the Keycloak 11.0 API docs but don't find the right path.
You need to call several endpoints from the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. In this answer, I will be using the admin user from the master realm.
curl “https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token” \
-d "client_id=admin-cli" \
-d "username=${ADMIN_NAME}” \
-d "password=${ADMIN_PASSWORD}" \
-d "grant_type=password"
You get a JSON response with the admin's token. Extract the value of property access_token from that response. Let us save it in the variable named $ACCESS_TOKEN for later use.
Now you need to get the ID of the client realm-management
curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/clients?clientId=realm-management \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN"
From the response extract the ID of the client, e.g., jq -r .[].id. Let us say that you saved on a variable named $ID_OF_CLIENT.
Next you need to get the information about the role 'admin-sso':
curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/roles/admin-sso \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"
From the response extract the role id, e.g., jq -r .id. Let us say that you save that content in the a variable named REALM_ROLE_ID.
Next you need to get the information about the manage-identity-providers role as follows:
curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/clients/$ID_OF_CLIENT/roles/manage-identity-providers \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"
You will get a json response that you need to use in the next API call. For now, let us assume that you save that content in a variable named $ROLE_JSON.
Finally, you can now assign the manage-identity-providers role to the admin-sso role.
curl -X POST https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/roles-by-id/$REALM_ROLE_ID/composites \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN" \
-d "[$ROLE_JSON]"
