
I can add a custom attribute to my user following this link. I want to add a (common) custom attribute to my client roles. Is it possible? I tried to replicate the custom attribute like my user without success. Could you help me?

pasquy73

1 Answer


You can use this API

Set the custom attributes of client's role

PUT [Keycloak URL]/auth/admin/realms/[realm name]/roles-by-id/[role UUID]

Body

{
    "name": [Role Name],
    "composite": false,
    "clientRole": true,
    "containerId": [client UUID],
    "attributes": {
        "key 1": [
            "value 1"
        ],
        "key 2": [
            "value 2"
        ]
    }
}


Get the custom attributes of client's role

GET [Keycloak URL]/auth/admin/realms/[realm name]/client/[client UUID]/[role name]


Keycloak UI


Finally, you can get the user's client role mapping

GET [Keycloak URL]/auth/admin/realms/[realm name]/users/[user UUID]/role-mappings/clients/[Client UUID]


How to get Client's Role ID

GET [Keycloak URL]/auth/admin/realms/[realm name]/clients/[client UUID]/roles


You can confirm with these curl commands

#1 Set {credential, client name, realm name}

# Plain assignments, one per line: with trailing backslashes the echo lines
# below would be joined into a single command and print the literal word "echo".
MASTER_USERNAME=admin
MASTER_PASSWORD=admin
REALM_NAME=my-realm
CLIENT_NAME=my-client
CLIENT_ROLE_NAME=client-role
USER_NAME=user1

echo 'MASTER_USERNAME = '$MASTER_USERNAME
echo 'MASTER_PASSWORD = '$MASTER_PASSWORD
echo 'REALM_NAME = '$REALM_NAME
echo 'CLIENT_NAME = '$CLIENT_NAME


#2 Get Master Token

MASTER_TOKEN_URL=$(curl --silent --location --request GET 'http://localhost:8080/auth/realms/master/.well-known/openid-configuration' | jq -r '.token_endpoint')
echo $MASTER_TOKEN_URL

MASTER_TOKEN=$(curl --silent --location --request POST $MASTER_TOKEN_URL \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username='$MASTER_USERNAME \
--data-urlencode 'password='$MASTER_PASSWORD | jq -r '.access_token')
echo $MASTER_TOKEN


#3 Get client ID

# Look up the client by the CLIENT_NAME set in step 1 (passed to jq with --arg instead of hardcoding it)
CLIENT_ID=$(curl --silent --location --request GET 'http://localhost:8080/auth/admin/realms/'$REALM_NAME'/clients' \
--header 'Authorization: Bearer '$MASTER_TOKEN | jq -r --arg c "$CLIENT_NAME" 'map(select(.clientId == $c)) | .[0].id')
echo 'CLIENT_ID = '$CLIENT_ID


#4 Get client Role ID

# Look up the role by the CLIENT_ROLE_NAME set in step 1
ROLE_ID=$(curl --silent --location --request GET 'http://localhost:8080/auth/admin/realms/'$REALM_NAME'/clients/'$CLIENT_ID'/roles' \
--header 'Authorization: Bearer '$MASTER_TOKEN | jq -r --arg r "$CLIENT_ROLE_NAME" 'map(select(.name == $r)) | .[0].id')
echo 'ROLE_ID = '$ROLE_ID


#5 Get Role Attributes

# This endpoint returns the full role representation, including "attributes"
curl --silent --location --request GET 'http://localhost:8080/auth/admin/realms/'$REALM_NAME'/clients/'$CLIENT_ID'/roles/'$CLIENT_ROLE_NAME \
--header 'Authorization: Bearer '$MASTER_TOKEN | jq .


#6 Get User's ID

# Look up the user by the USER_NAME set in step 1
USER_ID=$(curl --silent --location --request GET 'http://localhost:8080/auth/admin/realms/'$REALM_NAME'/users' \
--header 'Authorization: Bearer '$MASTER_TOKEN | jq -r --arg u "$USER_NAME" 'map(select(.username == $u)) | .[0].id')
echo 'USER_ID = '$USER_ID


#7 Get User's role mapping

curl --silent --location --request GET 'http://localhost:8080/auth/admin/realms/'$REALM_NAME'/users/'$USER_ID'/role-mappings/clients/'$CLIENT_ID \
--header 'Authorization: Bearer '$MASTER_TOKEN | jq .


Bench Vue
  • I could read the client roles attribute using "Get the custom attributes of client's role" – pasquy73 Jul 12 '23 at 07:13
  • Anyway, I can read the user attribute (.../admin/realms/my-realm/users) after setting the attribute for a user (key-value). – pasquy73 Jul 12 '23 at 07:22
  • I would like to use a unique attribute for client roles and get this attribute when I call the .../admin/realms/my-realm/users API, instead of setting it for a single user. – pasquy73 Jul 12 '23 at 07:25
  • For me this attribute is necessary to filter the user: if there is this attribute the user must not be displayed. – pasquy73 Jul 12 '23 at 07:27
  • Basically, I want to add an attribute in the .../admin/realms/my-realm/users API like id, username, email, etc... and to use it for all users who have got specific client roles. – pasquy73 Jul 12 '23 at 07:31
  • I think you want [this](https://stackoverflow.com/questions/75530965/how-to-add-programmed-custom-field-to-keycloak-user/75532971#75532971) or [that](https://stackoverflow.com/questions/73105467/keycloak-user-attributes-that-are-specific-to-groups/73106895#73106895); if not, can you describe what you need in more detail, with an example, in your question? – Bench Vue Jul 12 '23 at 10:03
  • Thank you, I'm using the custom attribute! – pasquy73 Jul 17 '23 at 13:37
  • No problem, I just updated it and fixed the missing "Get Master Token" curl step. – Bench Vue Jul 17 '23 at 13:42
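The same admin-API steps as the answer's curl commands, plus the filtering the asker describes in the comments (hide every user whose mapped client role carries a marker attribute), as an added Python example that is not part of the answer. The base URL, realm, client and the `hidden` attribute key are assumptions; the sample responses are constructed, and only the `admin_get` helper talks to a real server.

```python
import json
import urllib.request


def admin_get(base_url, token, path):
    """GET {base_url}/admin/realms/{path} using the admin bearer token (step 2's MASTER_TOKEN)."""
    req = urllib.request.Request(f"{base_url}/admin/realms/{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def role_update_body(role, attrs):
    """Body for PUT .../roles-by-id/{role UUID}: attribute values are lists of strings,
    and the PUT replaces the whole role representation, so the other fields are kept."""
    merged = {k: list(v) for k, v in (role.get("attributes") or {}).items()}
    for key, value in attrs.items():
        merged[key] = list(value) if isinstance(value, (list, tuple)) else [str(value)]
    return {"id": role["id"], "name": role["name"],
            "composite": role.get("composite", False), "clientRole": True,
            "containerId": role["containerId"], "attributes": merged}


def users_without_marked_role(users, mappings, roles_by_name, marker):
    """users: GET .../users; mappings: user id -> GET .../users/{id}/role-mappings/clients/{client};
    roles_by_name: role name -> GET .../clients/{client}/roles/{name} (the call that returns
    the attributes). Returns the usernames whose mapped client roles lack `marker`."""
    visible = []
    for user in users:
        marked = any(marker in (roles_by_name.get(r["name"], {}).get("attributes") or {})
                     for r in mappings.get(user["id"], []))
        if not marked:
            visible.append(user["username"])
    return visible


# Constructed sample responses (not captured from a real Keycloak server).
SAMPLE_ROLE = {"id": "role-uuid-1", "name": "client-role", "composite": False,
               "clientRole": True, "containerId": "client-uuid-1",
               "attributes": {"hidden": ["true"]}}
SAMPLE_USERS = [{"id": "u1", "username": "user1"}, {"id": "u2", "username": "user2"}]
SAMPLE_MAPPINGS = {"u1": [{"id": "role-uuid-1", "name": "client-role"}], "u2": []}

if __name__ == "__main__":
    # Live use would be: admin_get("http://localhost:8080/auth", token, "my-realm/users")
    print(json.dumps(role_update_body(SAMPLE_ROLE, {"tier": "gold"}), indent=2))
    print(users_without_marked_role(SAMPLE_USERS, SAMPLE_MAPPINGS,
                                    {"client-role": SAMPLE_ROLE}, "hidden"))  # ['user2']
```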