How to assign a specific user role to a user in Keycloak via REST API? - keycloak

When a new user is created via the REST API endpoint, how do I add a user role to the newly created user?

At the initial user creation endpoint the role is not included. First, we need to create the user via the REST API endpoint: POST request domain/auth/admin/realms/{realm name}/users
Then we want to add a user role to the created user. For that, we should have the username of the created user. If you've enabled email as username in Keycloak, you can fetch user data from Keycloak via that email.
To fetch user data via username the below endpoint is used: GET request domain/auth/admin/realms/{realm name}/users?username="emailToTest@test.com".
To assign a role to the user we can use the below POST endpoint: domain/auth/admin/realms/{realm name}/users/{user_id}/role-mappings/realm
Pass an array with the below structure in the request body. You can get the role id once you click on a specific role; the id is in the URL.
[
  {
    "id": "role id",
    "name": "role name"
  },
  {
    "id": "role id",
    "name": "role name"
  }
]
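The three-call flow from the answer (look the user up by username, resolve the role, POST the role mapping) as an added example; it is not code from the answer or from Keycloak. The `transport` parameter is a hypothetical seam so the flow can run against a fake in tests; `base_url` is assumed to include the `/auth` prefix shown in the answer, and `token` to be an admin access token. The lookup goes beyond the answer in one way: because `?username=` is a search, it accepts only an exact match, and the role id is fetched from the realm roles endpoint instead of being copied from the admin console URL.

```python
import json
import urllib.parse
import urllib.request

# Added example. transport(method, url, token, body) -> (status, parsed_json);
# the default uses urllib, the test injects a fake so nothing goes over the wire.

def _urllib_transport(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def find_user_id(base_url, realm, token, username, transport=_urllib_transport):
    """GET .../users?username=... and return the id of the exact match only.

    The username parameter is a search filter, so several users can come back
    (e.g. alice@example.com and alice@example.com.au); pick the exact one."""
    query = urllib.parse.urlencode({"username": username})
    status, users = transport("GET", f"{base_url}/admin/realms/{realm}/users?{query}", token)
    if status != 200:
        raise RuntimeError(f"user lookup failed with HTTP {status}")
    matches = [u["id"] for u in users if u.get("username", "").lower() == username.lower()]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user named {username!r}, got {len(matches)}")
    return matches[0]


def assign_realm_roles(base_url, realm, token, user_id, role_names, transport=_urllib_transport):
    """Resolve each role name via GET .../roles/{role-name}, then POST the
    [{"id", "name"}] array to .../users/{id}/role-mappings/realm (204 on success)."""
    roles = []
    for name in role_names:
        url = f"{base_url}/admin/realms/{realm}/roles/{urllib.parse.quote(name)}"
        status, role = transport("GET", url, token)
        if status != 200:
            raise LookupError(f"realm role {name!r} not found (HTTP {status})")
        roles.append({"id": role["id"], "name": role["name"]})
    url = f"{base_url}/admin/realms/{realm}/users/{user_id}/role-mappings/realm"
    status, _ = transport("POST", url, token, roles)
    if status != 204:
        raise RuntimeError(f"role mapping failed with HTTP {status}")
    return roles
```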

Related

Sync user in google admin console without password

Is there any way to create a user in the Google admin console without a password?
Users can create a new password with First Time Login.
I am using the Google Admin SDK API with a service account Bearer token to create the user.
Url: https://admin.googleapis.com/admin/directory/v1/users
Payload:
{
  "primaryEmail": "sampleuser@orgdomain.com",
  "name": {
    "givenName": "Test",
    "familyName": "User"
  },
  "suspended": false,
  "password": "Password1234",
  "changePasswordAtNextLogin": true,
  "ipWhitelisted": false,
  "emails": [
    {
      "address": "sampleuser@orgdomain.com",
      "type": "home",
      "customType": "",
      "primary": true
    }
  ]
}
The API is failing without the password field. Is there any way to enable or disable any configuration in the admin console to achieve the same? Related answers will be helpful. Thanks
You can't create a user without a password within the API.
The method users.insert requires an instance of the Resource: users in the request body, and the Resource: Users states that the password is required when creating a new user:
password:
Stores the password for the user account. The user's password value is required when creating a user account. It's optional when updating a user and should only be provided if the user is updating their account password. The password value is never returned in the API's response body.
A password can contain any combination of ASCII characters, and must be between 8-100 characters.
We recommend sending the password parameter as a hexadecimal-encoded hash value and setting hashFunction accordingly. If hashFunction is specified, the password must be a valid hash key.
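The hashed-password variant the answer recommends, as an added example (not from the answer or from Google's client libraries): the initial password is generated at random, sent only as a hex SHA-1 digest with hashFunction set, and changePasswordAtNextLogin forces a reset on first login. SHA-1 is one of the hashFunction values users.insert accepts; the email and names are constructed sample values.

```python
import hashlib
import secrets

# Added example. Returns (request_body, initial_password): the body carries only
# the digest, so the plaintext leaves this process only via whatever channel
# you choose to hand initial_password to the new user.

def build_user_payload(primary_email, given_name, family_name):
    initial_password = secrets.token_urlsafe(24)      # 32 ASCII chars, within 8-100
    digest = hashlib.sha1(initial_password.encode("ascii")).hexdigest()
    body = {
        "primaryEmail": primary_email,
        "name": {"givenName": given_name, "familyName": family_name},
        "suspended": False,
        "password": digest,                # hex-encoded hash, not the plaintext
        "hashFunction": "SHA-1",           # tells the API how "password" was hashed
        "changePasswordAtNextLogin": True, # user picks their own password on first login
    }
    return body, initial_password


def check_plaintext_policy(password):
    """The documented constraint on a plaintext password: ASCII, 8-100 chars."""
    return password.isascii() and 8 <= len(password) <= 100
```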

KeyCloak POST user with federationLink

I'm trying to make a POST request to our Keycloak.
I can create a user with no problem, but once I provide the POST request with the federationLink this isn't picked up. I tried it both with the ID and the string of the federation link. I noticed that the added attributes aren't picked up as well.
The body I post is:
{
  "username": "xx@local",
  "email": "xx@local",
  "emailVerified": true,
  "enabled": true,
  "federationLink": "qa.exn-dir.xxx.com/cn=xxx,cn=xxxx,o=xxx",
  "attributes": {
    "PHONE_NUMBER": [
      "xxxx"
    ],
    "CARD_NUMBER": [
      "xxx"
    ]
  },
  "credentials": [
    {
      "type": "password",
      "value": "12345"
    }
  ]
}
And I post this to /auth/admin/realms/REALM/users
When looking at the created user it is still in the default federation and not the one we provided in the body.
Any idea how I could solve this?
User federation in Keycloak provides functionality to import user data from your selected LDAP system. Source: the Keycloak documentation:
Keycloak can store and manage users. Often, companies already have LDAP or Active Directory services that store user and credential information. You can point Keycloak to validate credentials from those external stores and pull in identity information.
That means Keycloak does not store the user credentials; Keycloak only points to those external stores to validate the user credentials.
Quoting from your comment replying to @sventorben:
Thanks for the reply. The users that we need to create in this case are external users and they need to be added in Keycloak using the API. At least that is what I'm told.. But they need to be added to a specific federationLink. This is my first time using Keycloak so I'm still new to the whole thing
In case of your requirement to create external users:
You can create them and store the user data and credentials in Keycloak; that means you need to send the appropriate user data and credentials along to Keycloak so that Keycloak can use them.
Or, if you prefer to load the user data and validate the credentials from your LDAP system, then first you need to register the external users in your LDAP system just like @sventorben said, and then let Keycloak automatically synchronize these new users (based on the synchronization settings of the user federation), or if you prefer to do it manually, you can do it via the Keycloak admin console.

username update via API in keycloak

I'm going to update the username of an account via the Keycloak user update REST API. But it is unable to update it when requesting with my own token. Do I have any other way to get the username updated by the same user?
Steps:
1. Assign the manage-users role to myself
2. Get my access token
3. Get the user list and remember my user id
4. Add a new user with the new username
5. Delete my user with the user id from step 3

Impersonation – Attribute to Denote it’s Impersonation of Token

We have impersonation roles for a number of admins -- it's working as expected.
A Client application, for audit purposes, would like to be informed when a token issued is via impersonation -- is there a way we can send an attribute/claim to the Client informing that the token is an Admin impersonating a user?
Yes, Keycloak stores that information in user session notes. The information can be mapped into the token via built-in mappers.
Follow these steps:
Navigate to Clients -> <your client> -> Mappers
Click Add Builtin
Choose Impersonator Username and/or Impersonator User ID (depends on whether you want the username or id as a claim in the token)
Click Add selected
That's it. Your tokens contain the information as shown below:
{
  ...
  "sub": "9ab9bfd1-f95d-4aa1-a8b2-0d1fb06b365a",
  "preferred_username": "test",
  ...
  "impersonator": {
    "id": "2d2f4b4a-716c-4428-97cd-22fa731c0d9a",
    "username": "admin"
  }
  ...
}
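What the client application from the question can do with that claim, as an added example (not from the answer or from Keycloak): decode the token's claims, and turn the impersonator block, when present, into an audit record that names both the acting admin and the impersonated user. It is assumed that the token's signature has already been verified by your JWT library; this code only reads the payload, and the demo token it builds carries an empty signature purely to exercise the parser.

```python
import base64
import json

# Added example. audit_record() must only be called on a token that has already
# been signature-verified; it does no verification itself.

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_from_verified_jwt(token):
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def audit_record(token):
    """Who acted, on whose behalf. Without the Impersonator mappers the token has
    no 'impersonator' claim and actor == subject."""
    claims = claims_from_verified_jwt(token)
    imp = claims.get("impersonator")
    return {
        "subject_id": claims.get("sub"),
        "subject": claims.get("preferred_username"),
        "impersonated": imp is not None,
        "actor_id": imp["id"] if imp else claims.get("sub"),
        "actor": imp["username"] if imp else claims.get("preferred_username"),
    }


def demo_token(claims):
    # Constructed sample only: header + claims + empty signature, so that
    # audit_record() can be exercised without a Keycloak instance.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."
```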

Passing user ID in body or in token

I'm building a REST API. The API uses a JWT authentication system.
Obviously this means that secured paths need a valid JWT to be passed along with the request in the Authorization header. Inside each JWT I have:
sub: 1 //_id
Where sub is the id of the currently authenticated user.
My question is, when I pass this token, is there a need to pass the user id in the request body as well? For instance, I have a create premises method. This requires the POST body to contain a name and description like so:
{
  name: "Test Premises",
  description: "Lorem Ipsum"
}
In this case, the API would have to find the user to associate the new premises with by verifying that the token passed is valid, then decoding it and retrieving the sub field.
Is this method ok?
Are there any drawbacks?
Should I be passing IDs in the body as well?
Is this method ok?
Yes, that's the point of the authentication token.
Should I be passing IDs in the body as well?
You have a really big security hole if you allow the user ID to be sent from the client, e.g. another authenticated user could create premises on behalf of another user if they knew (or spoofed) their ID.
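The hole the answer describes, as an added example (not from the answer): a create-premises handler that takes the owner from a client-supplied user_id beside the hardened version that takes it only from the verified token's sub claim and rejects an id in the body. The claims dict and in-memory store are constructed stand-ins for a real framework; the token is assumed to have been verified before the handler runs.

```python
# Added example. claims = the payload of an already-verified JWT; body = parsed JSON.

PREMISES = []


def create_premises_trusting_body(claims, body):
    # Vulnerable: the owner is whatever id the client put in the body, so any
    # authenticated caller can file premises under someone else's account.
    rec = {"owner": body["user_id"], "name": body["name"], "description": body["description"]}
    PREMISES.append(rec)
    return rec


def create_premises_from_token(claims, body):
    # Hardened: the owner is the sub claim of the verified token. A user_id in
    # the body is refused outright rather than silently ignored, so clients
    # cannot come to rely on it, and unknown fields are rejected too.
    if "user_id" in body:
        raise ValueError("user_id is derived from the token, not accepted in the body")
    expected = {"name", "description"}
    if set(body) != expected:
        raise ValueError("body must contain exactly: name, description")
    rec = {"owner": claims["sub"], "name": body["name"], "description": body["description"]}
    PREMISES.append(rec)
    return rec


def premises_for(owner):
    """What a per-user listing endpoint would return: filter by token-derived owner."""
    return [p for p in PREMISES if p["owner"] == owner]
```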