Add predefined list of attributes for role in keycloak - keycloak

I need to inspect the possibility of creating a role in the Keycloak admin GUI with predefined attributes. Can these attributes be saved so that they appear in every new role?
I've searched many resources and repos but could not find the answer.
I use keycloak 18.0.2 working on quarkus.

You can add (or update) a list of attributes for a role:
Get the master realm token
(see "Create a oauth-token for integration tests")
Get the my-realm roles list and copy the name of the role you want to add attributes to
Update the attribute
Check that the attributes were added

Related

Keycloak 20.0.2: I am not seeing the realm roles in user Role Mapping

When I create a User in my realm, and click the Role Mappings tab, according to every SO post I see there should be a way to select the realm roles to apply. But in my case I am not seeing them.
This is what I see:
I am trying to add the manage_users role, so I can use this User to manage users via the API. But almost all the realm roles are missing from the Role Mapping tab.
Can anyone enlighten me about what else I need to do so the realm roles appear, especially the realm_management ones?
In the Role Mappings tab, you need to click on the Assign role button, which will pop up the following menu:
and from there you can find the client and realm roles.
"I am trying to add the manage_users role, so I can use this User to manage users via the API."
If in the previous menu you change Filter by realm roles to Filter by clients, the following menu will show up:
and in the Search by role name field type realm-management:
select manage_users and then click Assign. You should see that role being assigned to your user.

Keycloak - user attributes that are specific to groups

I'm using Keycloak as an identity provider in my app. However, I could not find anywhere how to give a user an attribute whose value would be specific to a group. For example: a role within the group ("user", "admin", ...), a "pending invitation" status, etc.
Is this even possible, or should I make an external table in my database, mapping user ids with group ids and adding the other attributes? This additional table would be bothersome in terms of architecture.
Have a great day !
Antoine
Keycloak doesn't support assigning attributes/roles with the group scope. It only supports having roles that are "client" specific. As you mentioned yourself, you have to implement a custom provider and persist them in your own storage.
You can set a user's attributes with the role name/id and status.
This API call can do it:
PUT {Keycloak URL}/auth/admin/realms/{realm-name}/users/{user-id} OR
PUT {Keycloak URL}/admin/realms/{realm-name}/users/{user-id}
It depends on your Keycloak version.
And get the user's values with this API:
GET {Keycloak URL}/auth/admin/realms/{realm-name}/users/?username={user-name} OR
GET {Keycloak URL}/admin/realms/{realm-name}/users/?username={user-name}
This is a demo in Postman.
Set user's attributes
Get user's attributes
For getting and setting the token, refer to this answer here.
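Added example (not from either answer, and not Keycloak project code) that scripts the attribute update described here and, with the same helpers, the role-attribute update from the first answer on this page. It uses only the Python standard library and assumes a master-realm admin account usable with the built-in admin-cli client; the realm and user names in the usage note are placeholders.

```python
import json
import urllib.parse
import urllib.request

def admin_url(base, realm, path, legacy=False):
    # legacy=True adds the /auth prefix that pre-Quarkus (WildFly) Keycloak used.
    prefix = "/auth" if legacy else ""
    return f"{base.rstrip('/')}{prefix}/admin/realms/{urllib.parse.quote(realm)}/{path.lstrip('/')}"

def merge_attributes(representation, new_attrs):
    # PUT replaces the whole attribute map, so anything not resent is silently dropped:
    # always merge into the fetched representation. Values are always lists of strings.
    merged = dict(representation.get("attributes") or {})
    for key, value in new_attrs.items():
        merged[key] = list(value) if isinstance(value, (list, tuple)) else [str(value)]
    return {**representation, "attributes": merged}

def _call(method, url, token=None, body=None, form=None):
    # Small JSON/form HTTP helper on urllib, so no third-party dependency is needed.
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    data = None
    if form is not None:
        data, headers["Content-Type"] = urllib.parse.urlencode(form).encode(), "application/x-www-form-urlencoded"
    elif body is not None:
        data, headers["Content-Type"] = json.dumps(body).encode(), "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def get_admin_token(base, username, password, legacy=False):
    # Password grant in the master realm with the built-in admin-cli client.
    url = f"{base.rstrip('/')}{'/auth' if legacy else ''}/realms/master/protocol/openid-connect/token"
    form = {"grant_type": "password", "client_id": "admin-cli", "username": username, "password": password}
    return _call("POST", url, form=form)["access_token"]

def update_attributes(base, realm, token, path, attrs, legacy=False):
    # GET -> merge -> PUT cycle; works for users/{id} and for roles/{role-name},
    # because RoleRepresentation carries the same attribute map as UserRepresentation.
    url = admin_url(base, realm, path, legacy)
    updated = merge_attributes(_call("GET", url, token), attrs)
    _call("PUT", url, token, body=updated)
    return updated["attributes"]

def set_user_attributes(base, realm, token, username, attrs, legacy=False):
    # Resolve the user id by exact username first: /users?username= matches substrings otherwise.
    query = f"users?username={urllib.parse.quote(username)}&exact=true"
    user = next(u for u in _call("GET", admin_url(base, realm, query, legacy), token)
                if u["username"] == username)
    return update_attributes(base, realm, token, f"users/{user['id']}", attrs, legacy)
```

Usage: `token = get_admin_token("http://localhost:8080", "admin", "secret")`, then `set_user_attributes(base, "my-realm", token, "alice", {"group_role": "admin", "status": "pending"})`; `update_attributes(base, "my-realm", token, "roles/my-role", {"tier": "gold"})` updates a realm role's attributes the same way.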

Include groups (along with roles) in Keycloak token?

Is there a way to include the list of groups a user is a member of inside a Keycloak access token, along with the roles they are in? I've created several groups and mapped them to roles. However, I may have more than 1 group that maps to a particular role. I'd like to be able to make fine-grained authorization decisions so I know that User A is in Role A but also Group B. Is that possible?
Found the answer to this right here. All I had to do was add an additional mapper to my Client. Worked like a charm.

Keycloak Admin REST-API Synchronize federation mapper

I am using Keycloak 9.0.3 with a LDAP-user federation, with edit mode = WRITABLE and Import Users = on.
I am developing a Spring Boot application that should call the Keycloak REST API to create, update and delete users and groups in LDAP. I also created a "group-ldap-mapper" in my user federation to map LDAP groups to Keycloak groups and vice versa.
My requirement is to create and delete Keycloak groups via the REST API and have them mapped to groups in LDAP using the mapper above. When my application calls POST /{realm}/groups, Keycloak just creates the group in the Keycloak DB and does not synchronise it to LDAP unless the group gets assigned to some user. This is actually not a big problem.
The real problem is when my application deletes the group via DELETE /{realm}/groups/{id}. The group gets deleted from the Keycloak DB but not from LDAP.
An acceptable workaround would be to call POST /{realm}/user-storage/{parentId}/mappers/{id}/sync, which synchronises the groups and does the job.
The problem with this workaround is that there is no way to get the federation mapper id ({id}) other than hardcoding it in the Spring application. There is no REST call to retrieve this id programmatically.
Any idea how to solve this?
I figured out how to find the ids of the federation and the group-ldap-mapper programmatically to use them in the call POST /{realm}/user-storage/{parentId}/mappers/{id}/sync.
One can call GET /{realm}/components. This returns, among other things, the federation and the mappers. In my case I could find the federation id from the UserRepresentation and then used it to filter the components (parent={federation id}). According to the documentation there is also a type query parameter, but I could not figure out the right value.
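Added example (not from the question or answer) showing the component lookup described above over a constructed sample of what GET /{realm}/components returns, plus the filtered components URL and the sync URL it leads to. The ids and names in the sample are made up; base is assumed to be the server root (including /auth on Keycloak 9).

```python
import urllib.parse

# Constructed sample in the shape GET /admin/realms/{realm}/components returns
# (ids and names are made up; only the fields used below are shown).
SAMPLE_COMPONENTS = [
    {"id": "fed-0001", "name": "corp-ldap", "providerId": "ldap",
     "providerType": "org.keycloak.storage.UserStorageProvider", "parentId": "realm-0001"},
    {"id": "map-0002", "name": "group-ldap-mapper", "providerId": "group-ldap-mapper",
     "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper", "parentId": "fed-0001"},
    {"id": "map-0003", "name": "role-ldap-mapper", "providerId": "role-ldap-mapper",
     "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper", "parentId": "fed-0001"},
]

USER_STORAGE_TYPE = "org.keycloak.storage.UserStorageProvider"
LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"

def components_url(base, realm, parent=None, ctype=None):
    # The 'type' query parameter filters on providerType, 'parent' on parentId.
    params = {k: v for k, v in (("parent", parent), ("type", ctype)) if v}
    url = f"{base.rstrip('/')}/admin/realms/{realm}/components"
    return f"{url}?{urllib.parse.urlencode(params)}" if params else url

def find_federation_id(components, name):
    # A user federation provider is a component of providerType UserStorageProvider;
    # the same id appears as federationLink on users imported from it.
    return next((c["id"] for c in components
                 if c["providerType"] == USER_STORAGE_TYPE and c["name"] == name), None)

def find_mapper_id(components, federation_id, provider_id="group-ldap-mapper"):
    # Mappers are child components of the federation; match on providerId, not name,
    # because the name is free text chosen by whoever created the mapper.
    return next((c["id"] for c in components
                 if c["parentId"] == federation_id and c["providerId"] == provider_id), None)

def sync_url(base, realm, federation_id, mapper_id, direction="keycloakToFed"):
    # Valid directions are fedToKeycloak and keycloakToFed; pushing Keycloak-side group
    # deletions to LDAP, as in the question, needs keycloakToFed.
    return (f"{base.rstrip('/')}/admin/realms/{realm}/user-storage/{federation_id}"
            f"/mappers/{mapper_id}/sync?direction={direction}")
```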

Hashicorp vault how to list all roles

Is it possible to list all roles stored in a vault backend? I can't seem to find any reference on how to do so.
From the documentation, it seems possible to list a role given the role name, through auth/approle/role/my-role, for example, but I don't see any references on how to list all roles stored in a vault server.
EDIT
I would recommend viewing roles through the CLI. Viewing roles through the UI seems to show all roles instead of those assigned to a given auth method.
Viewing roles using the UI
Click the "Access" tab
Click "View Configuration" under the three dot dropdown for the auth method you're interested in
Click the "Roles" tab at the top
Viewing roles using the CLI
Roles are listed under Authentication Methods in Vault. You can view which authentication methods you have enabled (or enable new ones) by visiting the UI and clicking on the "Access" tab at the top.
From there you can list roles using the following command:
vault list auth/{auth_method}/role
Where {auth_method} is one of the enabled authentication methods listed in the "Access" tab.
For example, if you enabled the kubernetes auth method, you would list roles associated with this method by running the following:
vault list auth/kubernetes/role
It depends on what auth method you created; based on the auth method, you can list its roles.
Example:
# vault list auth/aws/role
# vault read auth/aws/role/role-name