I am trying to retrieve a list of users based on their roles. I have this role: ROLE_ADMIN. I would like to retrieve every user that has this role.
I try it with this endpoint:
http://10.10.10.10:5555/auth/demo-realm/clients/e286a05c-6641-49c3-bb7c-ffe5dd2d8c66/roles/ROLE_ADMIN/users
but it sends me back this:
{
    "error": "RESTEASY003210: Could not find resource for full path: http://10.10.10.10:5555/auth/demo-realm/clients/e286a05c-6641-49c3-bb7c-ffe5dd2d8c66/roles/ROLE_ADMIN/users"
}
I found the endpoint here: https://www.keycloak.org/docs-api/11.0/rest-api/index.html under "Return List of Users that have the specified role name".
I can reach these endpoints, for example:
http://10.10.10.10:5555/auth/realms/demo-realm/protocol/openid-connect/token
http://10.10.10.10:5555/auth/admin/realms/demo-realm/users
What did I miss? What makes this not work?
Thanks in advance.
To get the users associated with a given realm role you need to call the endpoint:
GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/roles/<ROLE_NAME>/users
To get the users associated with a given client role you need to call this endpoint:
GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/clients/<CLIENT_ID>/roles/<ROLE_NAME>/users
where <CLIENT_ID> is the ID of the client to which the <ROLE_NAME> belongs.
Finally, to get the client ID, you can call this endpoint:
GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/clients?clientId=<ID_OF_CLIENT>
Note that the client ID is the unique ID generated by Keycloak, whereas <ID_OF_CLIENT> is the Client ID that you have given to your Keycloak client.
I need to make REST requests to Tableau to upload and download data sources and other requests.
In the documentation mentioned here, it says that to make a REST request you need:
Server Name
SiteID
Workspace/Group ID
Where can I get these 3 things? I am new and thus not familiar with the Tableau platform.
Below is my Tableau Dashboard:
I see you've figured this out based on some of your other questions but here is the answer for anyone else searching.
Server name = your server's IP address or, if using Tableau Online, the first portion of your URL when you log in.
10ay.online.tableau.com for the GET call of
https://10ay.online.tableau.com/api/3.12/sites/site-id/projects/project-id
Site ID can be returned using a POST in your API authentication call. Using the server name above, the POST call would look like this: https://10ay.online.tableau.com/api/3.4/auth/signin. You will need to add some info to the POST body, which will look like this:
{
    "credentials": {
        "personalAccessTokenName": "YOURTOKENNAME",
        "personalAccessTokenSecret": "YOURTOKENSECRET",
        "site": {
            "contentUrl": "YOURSITE"
        }
    }
}
You don't necessarily need the group-id unless you are returning group specific info like user/group relationships. Use this in a GET call to return your group IDs by name. https://10ay.online.tableau.com/api/3.12/sites/site-id/groups
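The sign-in flow described in this answer, carried through in code: POST the personal-access-token body to /auth/signin, read the site ID and auth token out of the response, then use that token to look up a group ID by name. This is an added example, not code from the original answer or from Tableau; the server URL, API version, site name and group names are constructed placeholders, the `http` parameter is a hypothetical injectable transport so the functions can be exercised offline, and the response field names (credentials.site.id, credentials.token, groups.group[]) are assumed from the Tableau REST API JSON format.

```python
import json
from urllib.request import Request, urlopen

# Constructed values for this example; substitute your own pod, site and PAT.
SERVER = "https://10ay.online.tableau.com"
API_VERSION = "3.12"


def tableau_call(method, path, body=None, token=None, http=None):
    """JSON call to the REST API. Tableau answers in XML unless Accept asks for JSON.
    `http(method, url, data, headers)` is an injectable transport for offline tests."""
    url = f"{SERVER}/api/{API_VERSION}{path}"
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    if token:
        headers["X-Tableau-Auth"] = token   # returned by signin; required afterwards
    data = None if body is None else json.dumps(body).encode()
    if http is not None:
        return http(method, url, data, headers)
    with urlopen(Request(url, data=data, headers=headers, method=method)) as resp:
        return json.loads(resp.read())


def sign_in(pat_name, pat_secret, content_url, http=None):
    """POST /auth/signin with a personal access token; returns (site_id, auth_token).
    content_url is the site name from your URL (empty string for the default site)."""
    body = {"credentials": {"personalAccessTokenName": pat_name,
                            "personalAccessTokenSecret": pat_secret,
                            "site": {"contentUrl": content_url}}}
    creds = tableau_call("POST", "/auth/signin", body, http=http)["credentials"]
    return creds["site"]["id"], creds["token"]


def group_id_by_name(site_id, token, name, http=None):
    """GET /sites/{site-id}/groups and pick the group whose name matches.
    Only the first page (default pageSize 100) is read; paginate for larger sites."""
    resp = tableau_call("GET", f"/sites/{site_id}/groups", token=token, http=http)
    for group in resp.get("groups", {}).get("group", []):
        if group["name"] == name:
            return group["id"]
    raise LookupError(f"no group named {name!r} on site {site_id}")
```

Keep the PAT secret out of source control and revoke it when the automation is retired; the auth token it yields expires on its own but should still be signed out with POST /auth/signout when you are done.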
Running WSO2IS v5.11.0. After creating a tenant with domain "example.com" using the addTenant endpoint, I execute the following REST call to retrieve it:
GET https://host:port/t/carbon.super/api/server/v1/tenants/domain/example.com
Contrary to what is documented in the docs, the response does not contain the tenant's id. Here is the response:
{
    "domain": "example.com",
    "owners": [
        {
            "username": "test#example.com"
        }
    ],
    "createdDate": "2021-02-04T14:43:53.598Z",
    "lifecycleStatus": {
        "activated": true
    }
}
Why is the id not included in the response? Am I doing something wrong or is this a bug?
It seems to be a bug in IS-5.11.0. If you try the latest milestone release 5.12.0-m9, you can retrieve the tenant id in your request.
The fix https://github.com/wso2/carbon-kernel/pull/2869 should have resolved that issue in the recent milestone versions. So you can patch this into 5.11.0 and use it.
In IS-5.11.0,
If you create a tenant using a POST request and retrieve the tenant by its domain with GET https://host:port/api/server/v1/tenants/domain/example.com, the tenant UUID will not be returned.
If you follow these steps:
1. Create a tenant using a POST request.
2. Find the Location header in the response headers and get the tenant UUID.
3. Get the tenant by GET /tenants/{tenant-id}.
4. Next, get the tenant by domain with GET https://host:port/api/server/v1/tenants/domain/example.com - now you will get the tenant UUID (the tenant object may be cached with its unique id due to the request in the 3rd step).
So it's not an API level issue. Above mentioned carbon-kernel fix should have fixed the core level issue.
I am using this call https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01 to get the role assignments of a subscription. The output of this gives principalId and other values.
The question is: how can I tell whether the principalId is a user principal or a service principal?
I need this to query the Graph API to get the appId (if a service principal) or the display name and UPN (if a user principal).
Graph APi has 2 different call for this hence while automating I need to know which one to be called based on object type.
User: https://graph.windows.net/microsoft.com/users/principalid?api-version=1.6
Service Principal: https://graph.windows.net/microsoft.com/servicePrincipals/principalid?api-version=1.6
Based on my understanding, you could use the Objects - Get Objects By Object Ids REST API to get the objects by principalId; there is no need for 2 different calls. You could also get the object type from the response.
POST https://graph.windows.net/{tenantID}/getObjectsByObjectIds?api-version=1.6
I tested with 2 principalIds, one a service principal and the other a user.
Test Result:
I'm currently looking at the rocket.chat REST API and can't find a way to prepare an IM room for two users. Neither user has the permission to create a direct message (missing create-d). But I do have a privileged admin/bot user, which should be able to connect them at any time.
I tried im.open with a roomId built from both user IDs (I've noticed that direct messaging rooms are groups without a name and with concat(userid1, userid2) as the id). But I always receive:
{
    "success": false,
    "error": "[invalid-channel]",
    "errorType": "invalid-channel"
}
The im.create method cannot be used, since I can't tell the API which two users I want to connect (the first is always "me"/the logged in user).
Using group.create would create a room with 3 members (user1, user2, me). Which isn't what I want either.
Is there a way to create an IM between two users without the permission "create-d" on these two?
I am using the Keycloak REST APIs and created a GROUP and a ROLE. Using the REST API, how do I assign the ROLE to the GROUP?
Here are the relevant APIs:
Keycloak API Guide
POST /admin/realms/{realm}/groups/{id}/role-mappings/realm
So question is how to use this API? Should I at first create the ROLE or this API itself will create the ROLE and do the mapping?
I tried both ways:
Create the ROLE by POST, retrieve the RoleId from the response and send another POST to /admin/realms/{realm}/groups/{id}/role-mappings/realm, re-sending the same RoleRepresentation object with the created Id. I also passed the GroupId with which I want to map the Role. But I am getting an error.
In this case I didn't create the Role at the very beginning, but sent the RoleRepresentation object in the /admin/realms/{realm}/groups/{id}/role-mappings/realm API call. Again I am getting error.
The API guide is not clear on how to map the Group with the Role.
Any help will be highly appreciated.
The request is good. For example, I have this one:
http://localhost:5440/auth/admin/realms/{yourRealm}/groups/8129e7ed-db5f-423b-91f5-779b9d448d3b/role-mappings/realm
But you have to create the role first and send this RoleRepresentation in your BodyParameter. There is an array of RoleRepresentation.
For example my array of RoleRepresentation with one role:
[
    {
        "id": "16f77b0f-a03e-4995-a09f-dc02a0ee3f03",
        "name": "rolle2",
        "scopeParamRequired": false,
        "composite": false,
        "clientRole": false,
        "containerId": "yourRealm"
    }
]
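The two Keycloak answers on this page (listing users by realm or client role, and mapping a realm role to a group) carried through in one place: resolve the console clientId to Keycloak's generated UUID before calling /clients/{uuid}/roles/{role}/users, and create the role first so the role-mappings POST can send a list of RoleRepresentation objects that already carry an id. This is an added example, not code from either answer or from Keycloak; the base URL, realm, client name and group id are placeholders taken from or modelled on the question, and the `http` parameter is a hypothetical injectable transport so the functions can be exercised offline.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Hypothetical deployment values; replace with your own.
BASE_URL = "http://10.10.10.10:5555/auth"
REALM = "demo-realm"


def admin_call(token, method, path, body=None, http=None):
    """Authenticated call under /auth/admin/realms/<realm> (note the /admin/ segment
    missing from the question's URL). `http(method, url, data, headers)` is an
    optional transport for offline use; by default urllib talks to the server."""
    url = f"{BASE_URL}/admin/realms/{REALM}{path}"
    data = None if body is None else json.dumps(body).encode()
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    if http is not None:
        return http(method, url, data, headers)
    req = Request(url, data=data, headers=headers, method=method)
    with urlopen(req) as resp:           # raises HTTPError on 4xx/5xx
        raw = resp.read()
    return json.loads(raw) if raw else None   # 201 Created has an empty body


def client_uuid(token, client_id, http=None):
    """Map the clientId you chose in the console to the UUID Keycloak generated.
    The ?clientId= filter is exact, but the result is still a list, so check it."""
    clients = admin_call(token, "GET",
                         "/clients?" + urlencode({"clientId": client_id}), http=http)
    if len(clients) != 1:
        raise LookupError(f"expected one client {client_id!r}, got {len(clients)}")
    return clients[0]["id"]


def users_with_realm_role(token, role_name, http=None):
    return admin_call(token, "GET", f"/roles/{role_name}/users", http=http)


def users_with_client_role(token, client_id, role_name, http=None):
    uuid = client_uuid(token, client_id, http=http)
    return admin_call(token, "GET", f"/clients/{uuid}/roles/{role_name}/users", http=http)


def create_realm_role_and_map_to_group(token, role_name, group_id, http=None):
    """Create the realm role, fetch its RoleRepresentation (now carrying the generated
    id), then POST a *list* of representations to the group's realm role-mappings."""
    admin_call(token, "POST", "/roles", body={"name": role_name}, http=http)
    role = admin_call(token, "GET", f"/roles/{role_name}", http=http)
    admin_call(token, "POST", f"/groups/{group_id}/role-mappings/realm", body=[role], http=http)
    return role["id"]
```

The bearer token must come from a user or service account holding the relevant realm-management roles (view-users, manage-realm); scope it to the narrowest role that covers the calls you actually make.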