I already have a running Keycloak instance with a lot of registered users. How can I add a new custom attribute (with an empty value) to all users without doing it manually?
How can I add a new custom attribute (with an empty value) to all
users without doing it manually?
You can use Keycloak Rest Admin API:
First you use endpoint
GET /{realm}/users
to get all the users. Then for each user you extract its ID an call the endpoint :
PUT /{realm}/users/{id}
with the payload {"attributes": <old Attributes> + < new Attributes>}
I have create a bash script for this in my repo. Running example:
sh addAttributeToAllUsers.sh localhost:8080 admin admin test '{"c":["c"]}'
Related
I wanted to create an webapp using JHipster with Keycloak and ran into a problem:
There is no deal to create new users using Keycloak or connecting user specific data to these users.
But if I want to delete a user I have to do that via Keycloak too, so the entry in JHipsters JHI_USER, the role-assignments and all the data created by this user will not be affected from these deletion.
So what I can do to make it possible to delete these user's data as well?
If Keycloak supported SCIM, you could use Apache SCIMple to sync your users. Here's a demo script that shows how to do it with Okta:
https://github.com/mraible/okta-scim-spring-boot-example/blob/main/demo.adoc
I was trying to call keycloak's REST api to create new users under a realm and I was following this tutorial:
https://www.appsdeveloperblog.com/keycloak-rest-api-create-a-new-user/
I was able to configure the Admin-cli client as below:
and I was able to get the access token by using the client id and secret:
However, when I make a POST request to /auth/admin/realms/myapp/users with the bearer token, it fails to create a user and I got an "unknow_error"
I searched through the internet and community and documentation but there was no clue. Eventually after hours and hours of trying, I found a solution:
You need to first go to clients --> admin_cli --> Sessions:
Then click on the user "Service-account-admin-cli" and configure such that it has admin role
Then, the previous POST request will successfully create a new user.
I cannot understand why this user "Service-account-admin-cli" is hidden under the users section:
Why would it be hidden??? How are people supposed to find this user (Service-account-admin-cli) and configure it? Does keycloak expect people to find it by clicking clients --> admin_cli --> Sessions and then see the user from there??
IMO if one is starting to learn Keycloak one should avoid using the master Realm or change the admin_cli configuration like that without a very good reason.
From the Keycloak documentation one can read:
When you boot Keycloak for the first time Keycloak creates a
pre-defined realm for you. This initial realm is the master realm. It
is the highest level in the hierarchy of realms. Admin accounts in
this realm have permissions to view and manage any other realm created
on the server instance. When you define your initial admin account,
you create an account in the master realm. Your initial login to the
admin console will also be via the master realm.
We recommend that you do not use the master realm to manage the users
and applications in your organization. Reserve use of the master realm
for super admins to create and manage the realms in your system.
Following this security model helps prevent accidental changes and
follows the tradition of permitting user accounts access to only those
privileges and powers necessary for the successful completion of their
current task.
So typically you would create a different Realm, and create the users there. Unless, you really want to create a user on the master realm, typically admin-alike users.
That being said to create the user using the Keycloak Rest API, one just need to request from the admin-cli client a token on behalf of the admin user by providing its name and password, for instance as follows:
TOKEN=$(curl -k -sS -d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password" \
http://$KEYCLOAK_IP/auth/realms/master/protocol/openid-connect/token)
from the $TOKEN object extract the access token (let us named $ACCESS_TOKEN).
And then create the user as follows:
curl -k -sS -X POST https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/users \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-d "$USER_JSON_DATA"
$USER_JSON_DATA will be the json data representation of the user to be created. There is no need to add the role admin to the master admin deployed with Keycloak by default.
Does keycloak expect people to find it by clicking clients -->
admin_cli --> Sessions
If setup normally, you would just need to know (as I already described) the admin's name and password, which is configured in the initial setup anyway.
Following this setup then you:
You need to first go to clients --> admin_cli --> Sessions:
you would see the following:
The difference now is that if you click on the admin user > roles, you would see the following:
The admin user, has already the admin role. No need for:
configure such that it has admin role
Now if you change the admin_cli configuration exactly as you did then you need to add to the Service-account-admin-cli user the role admin.
I cannot understand why this user "Service-account-admin-cli" is
hidden under the users section:
It is an implementation detail, unfortunately, I could not find online a an explanation for that either. But I do agree that without further context it does not look very user-friendly. Now that begs the question of why the tutorial did not warn their readers about it.
Now, if one speculate a bit, the reason to hide that user from the list of users could be because:
it is not a real user in the conventional sense; not meant to be used to login into Keycloak. If you try to set the password of that user you get always an error.
the list of users is for the users explicitly created for that realm that one can actually explicitly authenticate. In other words, "Service-account-admin-cli" is used so that it represents the "one" performing the call to the admin-cli, since when one changes the grand type from password to client-credentials there is no explicit user authentication anymore (i.e., admin username and password). So "Service-account-admin-cli" is used as a place holder.
Naturally, one could argue why not just make "Service-account-admin-cli" have the admin role by default?!, but again it is implementation details, that only the developers behind can justify.
Another good reason to not blindly change the original setup of the admin-cli.
Just did the same tutorial and had the same problem. Thank you for your post! It helped me to figure out the solution. I don't know if that is due to a newer Keycloak-version but I don't even see the session of the service-account.
Instead of going through the session-menu you could instead go to:
clients -> admin-cli -> service account roles
And then add "manage-users" from:
client roles -> realm-management
I think that's how it's supposed to work.
I've launched keycloak locally from a docker container with
docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin
Then I've imported a realm (let's call it test-realm) from a json file by POSTing to {keycloak_host}/admin/realms. This works, the realm is created.
It's created without any initial users though. I want to create the users via curl as I want to automatize the whole process (start keycloak server, import realm, create users from json) in the future.
I'm aware of {keycloak_host}/admin/realms/test-realm/users of course. The problem is that POSTing to that end point already requires credentials (e.g. a JWT) from an admin account on test-realm. Or am I mistaken in this assumption?
My question is, how do I create that first admin account on test-realm having access to an admin on master. Or do I even need it to create users on test-realm through curl?
Turned out you can include a users key in the json realm representation. The value is an array of user representations as of version 4.5 of keycloak. So problem solved.
I have a user with Client Roles realm-management in a realm which contains password policy.
I want to exclude this user from the password policy since I use this user to do some operation fetch the roles get all the user via Java API and I don't want all the operation to be drop when the password needs to be updated.
I tried to use the admin user from the master realms but I did not get any result
Any ideas?
When you create a realm in keycloak with password policy and you want to exclude the admin user from this policy do this follow these steps :
When a user creates new realm e.g "FooRealm" keycloak adds sibling client inside the master realm with a suffix -realm, in this case, we will see FooRealm-realm
Inside this client, FooRealm-realm do those changes (settings tab)
access type = confidential
Standard Flow Enables = ON
Direct Access Grants Enables = ON
Create user inside the master realm, In user details, go to: Role Mappings >> Clients Roles and from the drop down menu select the sibling client
(FooRealm-realm) and make sure it is own all the roles inside
Now To fetch all the user from the Slave realm FooRealm
Keycloak keycloak = KeycloakBuilder.builder()
.serverUrl("http://localhost/auth")
.realm("master")
.grantType(OAuth2Constants.PASSWORD)
.clientId(FooRealm-realm)
.clientSecret("7f0080cf-xxxx-xxxxx-9115-xxxxxxxxxx")
.username("sysadmin")
.password("x123456")
.build();
RealmResource realmResource = keycloak.realm("FooRealm");
realmResource.users().list(0, 1000);
Is it possible to export the roles added to a keycloak server instance?
I have created some composite roles on a development server which I'd like to mirror across some other instances (e.g. in an integration\development) environment.
The only thing I can think of is using the Admin API to retrieve the details of the roles and use for some sort of insert script to be run in a different environment.
Is this possible?
Keycloak 3.2.0.Final and later has a "Export" menu item in its admin console. There you can export groups and roles (global and client roles) to a JSON file.