Problem in assigning roles to user while creating it with Post HTTP request - keycloak

I can successfully create a user by calling the following path in the Postman software:
http://{KEYCLOAK_IP}/auth/admin/realms/{REALM_NAME}/users
The body content that I send is like the following:
```json
{
  "enabled": true,
  "username": "Reza",
  "email": "reza@sampleMailServer1.com",
  "firstName": "Reza",
  "lastName": "Azad",
  "credentials": [
    {
      "type": "password",
      "value": "123",
      "temporary": false
    }
  ]
}
```
Now, let's assume that we have a client named browserApp, and this client has a role named borwserAppRoleUser. Also, the realm has a role named realmRoleUser.
In order to include the above-mentioned roles in the body content of the HTTP request, I tried the following structure:
```json
{
  "enabled": true,
  "username": "Reza",
  "email": "reza@sampleMailServer1.com",
  "firstName": "Reza",
  "lastName": "Azad",
  "credentials": [
    {
      "type": "password",
      "value": "123",
      "temporary": false
    }
  ],
  "role": [
    {
      "id": "borwserAppRoleUser",
      "name": "test",
      "description": "${role_create-client}",
      "composite": false,
      "clientRole": true,
      "containerId": "browserApp"
    },
    {
      "id": "realmRoleUser",
      "composite": false,
      "clientRole": false
    }
  ]
}
```
Sending the above body content results in a 400 Bad Request response. The error contains this message:
Unrecognized field "role" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable
Also, I am sure that the rest of the role object is not correct.
I searched for examples online, but I could not find any sample regarding the role assignment. Can anybody please help me to fix this problem?

The REST API does not support realm & client roles in a single JSON body.
It is only supported by Add Realm with JSON import.
The simple JSON format is like this, but it needs extra data.
This is a working example of Import Realm JSON data:
```json
{
  "id": "test",
  "realm": "test",
  "users": [
    {
      "enabled": true,
      "username": "Reza",
      "email": "reza@sampleMailServer1.com",
      "firstName": "Reza",
      "lastName": "Azad",
      "credentials": [
        {
          "type": "password",
          "value": "123",
          "temporary": false
        }
      ],
      "realmRoles": [
        "user"
      ],
      "clientRoles": {
        "borwserAppRoleUser": [
          "test"
        ]
      }
    }
  ],
  "scopeMappings": [
    {
      "client": "borwserAppRoleUser",
      "roles": [
        "test"
      ]
    }
  ],
  "client": {
    "borwserAppRoleUser": [
      {
        "name": "test",
        "description": "${role_create-client}"
      }
    ]
  },
  "roles": {
    "realm": [
      {
        "name": "user",
        "description": "Have User privileges"
      }
    ]
  }
}
```
If you want to assign a user's realm role and client role, use separate API calls.
#1 Assign user's realm role
POST {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/users/{USER-UUID}/role-mappings/realm
In the body of the POST:
```json
[
  {
    "id": {REALM ROLE UUID},
    "name": {ROLE NAME},
    "composite": false,
    "clientRole": false,
    "containerId": {REALM NAME}
  }
]
```
1.1 Get master token - here
1.2 Get User UUID
1.3 Get Realm role UUID and name
1.4 POST realm role into user
#2 Assign user's client role
POST {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/users/{USER-UUID}/role-mappings/clients/{CLIENT-UUID}
In the body of the POST:
```json
[
  {
    "id": {CLIENT ROLE ID},
    "name": {ROLE NAME},
    "description": "${role_create-client}",
    "composite": false,
    "clientRole": true,
    "containerId": {CLIENT-UUID}
  }
]
```
2.1 Get master token
2.2 Get user UUID - same as 1.2
2.3 Get Client UUID
2.4 Get Client role UUID & name
2.5 POST client role into user
Finally, confirm both assigned roles with this API:
GET {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/users/{USER-UUID}/role-mappings
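The two-call procedure above, scripted end to end as an added example (this is not code from the original answer): it obtains an admin token, resolves the user, realm-role and client UUIDs, POSTs both role mappings and reads them back. The HTTP function is injected so the logic can be exercised against canned responses; `urllib_http` is a minimal real transport, and the server URL, admin password and realm name in the `__main__` block are placeholders.

```python
import json
import urllib.parse
import urllib.request

def urllib_http(method, url, token=None, body=None, form=None):
    """Send one request and return (status, parsed JSON or None)."""
    data = (urllib.parse.urlencode(form).encode() if form is not None
            else json.dumps(body).encode() if body is not None else None)
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/x-www-form-urlencoded"
                   if form is not None else "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def admin_token(http, base, user, password):
    # Step 1.1: password grant against the master realm via the built-in admin-cli client.
    _, tok = http("POST", f"{base}/auth/realms/master/protocol/openid-connect/token",
                  form={"grant_type": "password", "client_id": "admin-cli",
                        "username": user, "password": password})
    return tok["access_token"]

def assign_roles(http, base, realm, token, username, realm_role, client_id, client_role):
    adm = f"{base}/auth/admin/realms/{realm}"  # '/auth' prefix as used in the post
    q = urllib.parse.quote
    # Step 1.2: /users?username= is a substring search, so keep only the exact match.
    _, users = http("GET", f"{adm}/users?username={q(username)}", token)
    user = next(u for u in users if u["username"].lower() == username.lower())
    # Steps 1.3 + 1.4: fetch the realm role representation (id, name, containerId) and POST it.
    _, realm_rep = http("GET", f"{adm}/roles/{q(realm_role)}", token)
    http("POST", f"{adm}/users/{user['id']}/role-mappings/realm", token, body=[realm_rep])
    # Client UUID: the internal id differs from the clientId, so resolve it via /clients?clientId=.
    _, clients = http("GET", f"{adm}/clients?clientId={q(client_id)}", token)
    client = next(c for c in clients if c["clientId"] == client_id)
    # Client role: fetch its representation, then POST it under the client UUID.
    _, client_rep = http("GET", f"{adm}/clients/{client['id']}/roles/{q(client_role)}", token)
    http("POST", f"{adm}/users/{user['id']}/role-mappings/clients/{client['id']}", token,
         body=[client_rep])
    # Confirmation: read back role-mappings and reduce both sections to role names.
    _, mappings = http("GET", f"{adm}/users/{user['id']}/role-mappings", token)
    return {"realm": [r["name"] for r in mappings.get("realmMappings", [])],
            "client": {cid: [r["name"] for r in m["mappings"]]
                       for cid, m in mappings.get("clientMappings", {}).items()}}

if __name__ == "__main__":  # placeholders: server URL, admin password, realm name
    tok = admin_token(urllib_http, "http://KEYCLOAK_IP", "admin", "ADMIN_PASSWORD")
    print(assign_roles(urllib_http, "http://KEYCLOAK_IP", "REALM_NAME", tok, "Reza",
                       "realmRoleUser", "browserApp", "borwserAppRoleUser"))
```

The admin token used here carries full realm-administration rights, so in anything beyond a lab prefer a dedicated service account client scoped to `manage-users` rather than the master admin password.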

Related

Is Attestation Verifiable Credentials Type repo demo available in c#?

I have tested the idtokenhint demo successfully and I am trying, unsuccessfully, the attestation verifiable credentials type, similar to the Woodgrave Employee Onboarding Demo. Is this code available in C#?
In my case I need the Authenticator to request the VerifiedCredentialExpert VC first, but I don't see how to trigger this on Authenticator. I tried this in the issuance_request_config.json file; I also tried adding requestedCredentials of type VerifiedCredentialExpert, as you see below, to suggest to Authenticator to get this first, but it didn't change the error behaviour:
```jsonc
{
  "includeQRCode": false,
  "callback": {
    // In this sample code we will overwrite the callback and use the HOSTNAME dynamically;
    // make sure you use ngrok or something like that when running on a local devbox.
    // The MS AAD VC Request service needs to be able to reach the callback URI.
    "url": "https://YOURPUBLICREACHABLEHOSTNAME/api/issuer/issuanceCallback",
    "state": "STATEWILLBESETINCODE",
    "headers": {
      "api-key": "OPTIONAL API-KEY for ISSUANCE CALLBACK API"
    }
  },
  // The Authority is the DID from your MS AAD Verifiable Credential service; you can copy this from the VC page in the Azure portal.
  "authority": "did:ion: THIS IS YOUR DID FROM THE VC PAGE IN AZURE PORTAL WHICH IS SET IN THE SAMPLE BY COPYING THE VALUE FROM APPSETTINGS.JSON ",
  "registration": {
    "clientName": "Verifiable Test Register Verifiable Credential"
  },
  // The type needs to be the same as defined in the rules JSON definition. The manifest can be copied after the credential has been
  // created in the Azure portal.
  "type": "VerifiedTestRegistration",
  "manifest": "CREDENTIAL URL IN THIS SAMPLE WILL BE COPIED FROM APPSETTINGS.JSON",
  // Recommendation is to protect the issuance payload with a PIN code.
  // The pincode is set to a random value in code and will be displayed in the UI to the user.
  "pin": {
    "value": "123456",
    "length": 4
  },
  // This is an example payload which will be used in the rules file of the credential.
  // The rules file maps information from the ID Token (hint) to the VC.
  "claims": {
    "country_of_registry": "",
    "registration_number": ""
  },
  // You can request multiple verifiable credentials at once; that's why requestedCredentials is an array.
  "requestedCredentials": [
    {
      "type": "VerifiedCredentialExpert",
      "purpose": "Required presentation of verifiable credentials expert to get Test Registration card.",
      // You can trust multiple issuers who might be issuing the same credential type (for example certifications or diplomas).
      // You need to specify at least 1 trusted issuer DID; for this sample code we copy the IssuerAuthority from appsettings to the request.
      // "acceptedIssuers": [ "did:ion: copied from your VC portal in this sample the code copies it from APPSETTINGS.JSON" ]
      "acceptedIssuers": [ "theaccepetedidissuer" ]
    }
  ]
}
```
These are the display and rules definitions:
Display definition:
```json
{
  "locale": "en-US",
  "card": {
    "title": "Test Verified Credential",
    "issuedBy": "TheIssuer",
    "backgroundColor": "#000000",
    "textColor": "#ffffff",
    "logo": {
      "uri": "https://example.com/image.png",
      "description": "Test Verified Credential"
    },
    "description": "Use this card to verify."
  },
  "consent": {
    "title": "Do you want to get your Test Verified Credential?",
    "instructions": "Sign in with your Verified Credential Expert Card to get your card."
  },
  "claims": [
    {
      "claim": "$.vc.country_of_registry",
      "label": "Country of Registry",
      "type": "String"
    },
    {
      "claim": "$.vc.registration_number",
      "label": "Registration Number",
      "type": "String"
    }
  ]
}
```
Rules definition:
```json
{
  "attestations": {
    "presentations": [
      {
        "mapping": [
          {
            "outputClaim": "firstName",
            "required": true,
            "inputClaim": "$.vc.credentialSubject.given_name",
            "indexed": false
          },
          {
            "outputClaim": "lastName",
            "required": true,
            "inputClaim": "$.vc.credentialSubject.family_name",
            "indexed": false
          }
        ],
        "required": true,
        "credentialType": "VerifiedCredentialExpert",
        "contracts": [
          "https://verifiedid.did.msidentity.com/v1.0/tenants/id/verifiableCredentials/contracts/abcd/manifest"
        ],
        "trustedIssuers": [
          "did:ion:thedid"
        ]
      }
    ],
    "idTokenHints": [
      {
        "mapping": [
          {
            "outputClaim": "countryOfRegistry",
            "required": true,
            "inputClaim": "$.country_of_registry",
            "indexed": false
          },
          {
            "outputClaim": "registrationNumber",
            "required": true,
            "inputClaim": "$.registration_number",
            "indexed": true
          }
        ],
        "required": true
      }
    ]
  },
  "validityInterval": 2592000,
  "vc": {
    "type": [
      "VerifiedTestRegistration"
    ]
  }
}
```
I am testing on an iPhone 12 Pro with the latest iOS version installed.
The question was also posted in this git project but unfortunately got no help.
Thank you for your help, Sergio

How to delete a user by email id using the Azure SCIM API in Databricks?

I need to know if there is a way to delete a user from Databricks using the email only, via the SCIM API. As of now I can see it can only delete a user by ID, which means I need to first retrieve the ID of the user and then use it to delete.
I am using this API from PowerShell to delete users by email.
https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/scim/scim-users
If you look into the documentation for the Get Users command of the SCIM Users REST API, you can see that you can specify a filtering condition for it. For example, to find a specific user, you can filter on the userName attribute, like this:
```http
GET /api/2.0/preview/scim/v2/Users?filter=userName+eq+example@databricks.com HTTP/1.1
Host: <databricks-instance>
Accept: application/scim+json
Authorization: Bearer dapi48…a6138b
```
It will return a list of items in the Resources section, from which you can extract the user ID that you can use for the delete operation:
```json
{
  "totalResults": 1,
  "startIndex": 1,
  "itemsPerPage": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [
    {
      "id": "8679504224234906",
      "userName": "example@databricks.com",
      "emails": [
        {
          "type": "work",
          "value": "example@databricks.com",
          "primary": true
        }
      ],
      "entitlements": [
        {
          "value": "allow-cluster-create"
        },
        {
          "value": "databricks-sql-access"
        },
        {
          "value": "workspace-access"
        }
      ],
      "displayName": "User 1",
      "name": {
        "familyName": "User",
        "givenName": "1"
      },
      "externalId": "12413",
      "active": true,
      "groups": [
        {
          "display": "123",
          "type": "direct",
          "value": "13223",
          "$ref": "Groups/13223"
        }
      ]
    }
  ]
}
```
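The lookup-then-delete sequence from the answer, as an added example that is not part of the original post: it filters SCIM Users on userName, refuses to act unless exactly one resource comes back, and only then issues DELETE on the returned id. The transport is injected as `http(method, url)`; `scim_http` is an assumed urllib-based implementation and the workspace host and token are placeholders.

```python
import json
import urllib.parse
import urllib.request

def scim_http(method, url, token):
    """Real transport: returns (status, parsed JSON or None) for one SCIM call."""
    req = urllib.request.Request(url, method=method, headers={
        "Accept": "application/scim+json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def delete_user_by_email(http, host, email):
    base = f"{host}/api/2.0/preview/scim/v2/Users"
    # Same filter as in the answer; percent-encoding keeps '@' and spaces intact in the query.
    flt = urllib.parse.quote(f"userName eq {email}")
    _, page = http("GET", f"{base}?filter={flt}")
    # Re-check the match locally so a lenient server-side filter cannot widen the delete.
    matches = [r for r in page.get("Resources", [])
               if r.get("userName", "").lower() == email.lower()]
    if not matches:
        raise LookupError(f"no SCIM user with userName {email}")
    if len(matches) > 1:
        raise RuntimeError(f"{len(matches)} users match {email}; refusing to delete")
    user_id = matches[0]["id"]
    status, _ = http("DELETE", f"{base}/{user_id}")
    if status != 204:
        raise RuntimeError(f"DELETE {user_id} returned HTTP {status}")
    return user_id

if __name__ == "__main__":  # placeholders: workspace URL, personal access token, target email
    live = lambda m, u: scim_http(m, u, "DATABRICKS_TOKEN")
    print(delete_user_by_email(live, "https://DATABRICKS_INSTANCE", "example@databricks.com"))
```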

I cannot get the attribute when I create a future user with the management API in IBM Cloud

I'm using App ID and I am following this tutorial https://cloud.ibm.com/docs/services/appid?topic=appid-tutorial-roles for my personal project.
I tried to call the API {{APPID_MANAGEMENT_SERVER_HOST}}/management/v4/{{APPID_TENANT_ID}}/users with this body:
```json
{
  "idp": "cloud_directory",
  "idp-identity": "huynhdn@gmail.com",
  "profile": {
    "attributes": {
      "role": "MANAGER"
    }
  }
}
```
I get a Future User in User Profiles! => OK
Next, I call {{APPID_MANAGEMENT_SERVER_HOST}}/management/v4/{{APPID_TENANT_ID}}/cloud_directory/Users to set the password for this user:
```json
{
  "displayName": "Test User",
  "password": "abcd1234",
  "emails": [
    {
      "value": "huynhdn@gmail.com",
      "primary": true
    }
  ]
}
```
Finally, I call {{APPID_AUTH_SERVER_HOST}}/oauth/v4/{{APPID_TENANT_ID}}/token to get a token for the user created above! But when I check in App ID, the attribute "role" is gone :(
Why? Or can anyone help me with another way to create a user that has "username", "password" and "attribute" with the management API!
The doc page you're referencing above states that in order to get the future user attribute, the user must validate ownership of the email. You can either do it through standard means, or by manually specifying status:confirmed when creating your Cloud Directory user, e.g.
```json
{
  "displayName": "John Smith",
  "password": "p4ssw0rd",
  "emails": [
    {
      "value": "john@example.com",
      "primary": true
    }
  ],
  "status": "CONFIRMED"
}
```

Keycloak : unable to map user roles when creating user for api

I am new to Keycloak. I want to create a user using the Keycloak admin REST API.
I have managed to create a user. But the problem is I also want to assign the admin role to the user.
Attached is my JSON body. Can someone tell me what I am doing wrong here?
```json
{
  "username": "username",
  "email": "user@gmail.com",
  "firstName": "name1",
  "lastName": "name2",
  "realmRoles": [ "admin" ],
  "enabled": true,
  "credentials": [{
    "type": "password",
    "value": "default",
    "temporary": false
  }]
}
```
Thank you in advance

JasperReports Server 6.2 - Error 400: Bad Request - User creation with roles, REST v2

I am not sure what is going wrong with the create user API with roles.
Observations:
When fired without the roles it works fine; the payload is given below:
```json
{
  "fullName": "unittestuser",
  "emailAddress": null,
  "enabled": true,
  "password": "39HN=K?E",
  "roles": null
}
```
When the same endpoint is invoked with the addition of roles, it fails, giving the HTTP error code 400 (Bad Request):
```json
{
  "fullName": "unittestuser",
  "emailAddress": null,
  "enabled": true,
  "password": "39HN=K?E",
  "roles": [
    { "name": "unittest" },
    { "name": "UsernamePasswordAuthentication" },
    { "name": "Platform_NamedUser" },
    { "name": "Platform_Anyone" },
    { "name": "Platform_Metadata_MetadataInitializeUser" }
  ]
}
```
The roles part works when the default roles shipped with the JasperReports Server installation are sent:
```json
{
  "fullName": "unittestuser3",
  "emailAddress": null,
  "externallyDefined": false,
  "enabled": true,
  "password": "39HN=K?E",
  "roles": [
    { "name": "ROLE_USER" },
    { "name": "ROLE_ADMINISTRATOR" }
  ]
}
```
I have checked that the new roles which I have created are present on the JR Server before the create user call is hit, so I am not sure what is going wrong with the newly created roles. I am using the REST API v2 for role creation as well as user creation.
I have also tried creating the user first with empty roles and then adding roles; the update call still fails with the same error.
Let me know if anyone has a clue.
Fixed... the new 6.0 onwards requires tenantId to be passed with the name of the role.
So instead of:
{ "name": "unittest" }
I passed: { "name": "unittest", "tenantId": "myorg" }