Keycloak - Add/Remove Realm role from a user using APIcalls

3
votes

passing userRepresentation.id to keycloakServerURL + "/auth/admin/realms/XXXX/users/"+userId+"/role-mappings/realm" I get these roles for a certain user...

[
    {
        "id": "xxxxxxx-1faf-4604-832a-fa7ab7eb4344",
        "name": "uma_authorization",
        "description": "${role_uma_authorization}",
        "composite": false,
        "clientRole": false,
        "containerId": "XXXX"
    },
    {
        "id": "xxxxxxx-ad9f-444e-adf4-be11ab7a3d98",
        "name": "member_paid",
        "description": "Membership Paid",
        "composite": false,
        "clientRole": false,
        "containerId": "XXXX"
    },
    {
        "id": "xxxxx-2d73-48a8-844d-a953cb570270",
        "name": "offline_access",
        "description": "${role_offline-access}",
        "composite": false,
        "clientRole": false,
        "containerId": "XXXX"
    }
]

I cannot figure out which API I am supposed to use to add/remove a role from/to the User.

Please can you advise what is the API I need to use

The best I can find is this one below but I don't know what the params (Path and request property should be)...

public void removeRole(JsonObject userToken, String clientId, String role) throws IOException {

    /auth/admin/realms/XXXX/groups/" + role + "/role-mappings/clients/" + clientId);

    ...
    HttpURLConnection con = (HttpURLConnection) url.openConnection();
    con.setRequestMethod("POST");

    con.setRequestProperty("id", clientId);
    con.setRequestProperty("name", role);
    ....
2
keycloak

2 Answers

6
votes

Endpoints are

Get Role Mappings:

GET /auth/admin/realms/{Realm}/users/{userid}/role-mappings/realm

Add Role Mappings:

POST /auth/admin/realms/{Realm}/users/{userid}/role-mappings/realm

Delete Role Mappings:

DELETE /auth/admin/realms/{Realm}/users/{userid}/role-mappings/realm

Example Add Role

You have a role e.g. named testrole with the id dc5572a5-b7e0-4c4b-b841-dc88108df70f (you see it in the url when you have opened the keycloak admin GUI, or you fetch it with some other RestAPI Request)

Now we have a Request of Type POST to the endpoint /auth/admin/realms/{Realm}/users/{userid}/role-mappings/realm with a body of type application/json and the following body-value

[
    {
        "id": "dc5572a5-b7e0-4c4b-b841-dc88108df70f",
        "name" : "testrole"
    }
]

After successful execution you get a response with HTTP-Code 204 => The testrole - role mapping is applied to this user

Example Curl Request

curl --request POST \
  --url http://localhost/auth/admin/realms/{Realm}/users/{userid}/role-mappings/realm \
  --header 'authorization: Bearer eyJh......h3RLw' \
  --header 'content-type: application/json' \
  --data '[
    {
        "id": "dc5572a5-b7e0-4c4b-b841-dc88108df70f",
        "name" : "testrole"
    }
]'

If you want to delete it again, just send the same request (same body) but with the HTTP-method DELETE instead of POST

Please let me now if this solved your issue

0
votes

Based on the post above by Evil to help me...

Using Java (and JEE 8 for the good JSON capabilities)

Get the token (using a client you set up in keycloak with access type of confidential and access to the right roles (for 9.0.0 this is even more hidden now).

public JsonObject getToken() throws IOException {

    String keycloakServerURL = environmentService.getEnvironmentVariable(EnvironmentService.KEYCLOAK_SERVER);

    String appClientId = environmentService.getEnvironmentVariable(EnvironmentService.APP_CLIENT_ID);
    String appClientSecret = environmentService.getEnvironmentVariable(EnvironmentService.APP_CLIENT_SECRET);

    URL url = new URL(keycloakServerURL + "/auth/realms/XXXXXX/protocol/openid-connect/token");
    HttpURLConnection con = (HttpURLConnection) url.openConnection();
    con.setRequestMethod("POST");

    String userpass = appClientId + ":" + appClientSecret;
    String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userpass.getBytes()));

    con.setRequestProperty("Authorization", basicAuth);
    con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

    /* Payload support */
    con.setDoOutput(true);
    DataOutputStream out = new DataOutputStream(con.getOutputStream());
    out.writeBytes("grant_type=client_credentials");

    out.flush();
    out.close();

    int status = con.getResponseCode();
    BufferedReader in = new BufferedReader(new 
    InputStreamReader(con.getInputStream()));

    JsonReader jsonReader = Json.createReader(in);
    JsonObject responesAsJson = jsonReader.readObject();

    in.close();
    con.disconnect();

    // Pretty Print of String
    ObjectMapper objectMapper = new ObjectMapper();
    String jSonstring = objectMapper.writerWithDefaultPrettyPrinter().writeValueAsString(responesAsJson);
    logger.info("Response: " + jSonstring);
    // Pretty Print of String

    logger.info("Response status: " + status);

    //String contentString = responesAsJson.toString();
    //logger.info("Response: " + contentString);

    return responesAsJson;
}

then add a role (similar for remove - see post above)

public void addRole(JsonObject userToken, String userId, RoleRepresentation role) throws IOException {
    String keycloakServerURL = environmentService.getEnvironmentVariable(EnvironmentService.KEYCLOAK_SERVER);


    URL url = new URL(keycloakServerURL + "/auth/admin/realms/XXXXXX/users/" + userId + "/role-mappings/realm");
    HttpURLConnection con = (HttpURLConnection) url.openConnection();
    con.setRequestMethod("POST");

    String accessTokenFromUserToken = userToken.getString("access_token");
    con.setRequestProperty("Authorization", "Bearer " + accessTokenFromUserToken);

    con.setRequestProperty("Content-Type", "application/json");

    /* Payload support */
    con.setDoOutput(true);
    DataOutputStream out = new DataOutputStream(con.getOutputStream());
    JsonObject theBodyPart = Json.createObjectBuilder().
            add("id", role.getId()).
            add("name", role.getName()).
            build();
    JsonArray theBodyPartAsArray = Json.createArrayBuilder().add(theBodyPart).build();
    String theBodyPartAsJson = theBodyPartAsArray.toString();
    out.writeBytes(theBodyPartAsJson);      
    out.flush();
    out.close();

    int status = con.getResponseCode();
    logger.info("Response status: " + status);

    con.disconnect();
}