I want to assign the realm role "TEST_ROLE_123" to a group, I am using
PUT /admin/realms/ataccamaone/groups/{group-id}
{
"realmRoles":["TEST_ROLE_123"]
}
I got group-id from /admin/realms/ataccamaone/groups/
However I get the response 204 No Content and in the Keycloak console I do not see the assignment.
I tried to reproduce your problem and find that PUT /admin/realms/ataccamaone/groups/{group-id} can only edit group name.
Inspect into "Network" tab of browser, I see it uses another URL to map roles to groups. And steps to do this via Admin REST API are:
Obtain PAT as described in https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_whatis_obtain_pat section
Following steps use this PAT as Bearer token (in "Authorization" header). I guess you've already got this.
Call GET http://localhost:8080/auth/admin/realms/realm1/roles to get list of roles, including their name and id values.
Call GET http://localhost:8080/auth/admin/realms/realm1/groups to get list of groups, including their ids
Call POST http://localhost:8080/auth/admin/realms/realm1/groups/{group-id}/role-mappings/realm with following body:
[
{
"id": "9083cac3-4280-497d-b973-7713a5fb12b4", // role-id
"name": "secretary" // role-name
}
]
Call DELETE with URL and body same as step 4 to remove roles from group.
I've faced same issue and corrected it with using a GROUP, Basically I've added the preferred ROLE into the User Groups ROLE LIST and used that specific user group while creating the user via REST API.
Eg:- ADMIN_USER_GROUP -> INCLUDED ('ADMIN_ROLE')
Then User creation API Request should be like below,
{
"firstName": "Sergey",
"lastName": "Kargopolov",
"email": "test4#test.com",
"enabled": "true",
"credentials": [
{
"value": "123"
}
],
"groups": [
"ADMIN_USER_GROUP"
]
}
Related
I'm using the Keycloak Admin Rest API and would like to create a new client scope and get its id.
To create the client scope I use this endpoint:
http://localhost:8080/admin/realms/master/client-scopes
Body
{
"attributes": {
"display.on.consent.screen": "true",
"include.in.token.scope": "true"
},
"name": "example",
"protocol": "openid-connect"
}
This endpoint doesn't return a result but I need the ID.
To get the ID I could get all client scopes and find the scope with the matching name however I would have thought there would be a simpler way.
E.g. GET http://localhost:8080/admin/realms/master/client-scopes then filter through the results to find a matching name.
Is it possible to get a client scope by name?
Is it possible to get a client scope by name?
Unfortunately, not, which is a pity because the 'name' is unique. If you look at the keycloak Rest Admin API you can see the followings GET for the client-scopes:
GET /{realm}/client-scopes
and
GET /{realm}/client-scopes/{id}
And none of those endpoints accepts as parameters 'name'.
Notwithstanding, as #csbrogi and #Jan Garaj have pointed out in the comment section, since you:
(..) create a new client scope and get its id.
You can retrieve the ID of the client-scope that was just created from the header location:
In the Keycloak, usually POST methods returns 201 or 200 OK without body as experienced. Thus, you cannot get the ID directly from response. What you can do is; assign a ID while creating scope as below body and you simply will have it.
{
"id": "da5a68f1-058c-481a-bf84-deb95b1f21aa",
"attributes": {
"display.on.consent.screen": "true",
"include.in.token.scope": "true"
},
"name": "example",
"protocol": "openid-connect"
}
Requirements: We would like to create a Variable Group (along with some variables) in a given Project.
Option1: We are able to create a new Variable Group successfully
when we create a request via PostMan using PAT Token which has FULL access.
Option2: Our end goal is to invoke the ADO Rest API in the Web App which uses
OAuth. When the end user logs in and make a call (pls see the input
details below) we are getting '401 Un Authorized - The user is not authorized to access this resource.' error. The Web App's application has the Variable Groups manage scope as shown below.
TroubleShooting: As part of troubleshooting, for Option1 which uses PAT (with full access) in Postman, we have updated the permissions of the PAT to just have Create, Read and Manage Var Groups as shown below.
Now, even the Option1 is not working after making the PAT to have Custom Defined access.
Are we missing something?
Postman Details:
URL: https://dev.azure.com/myorgname/_apis/distributedtask/variablegroups?api-version=6.0-preview.2
Verb: Post
Headers: Authorization: Basic
Body:
{
"name": "This is ignored",
"description": "This is ignored",
"type": "Vsts",
"variables": {
"BuildConfiguration": {
"value": "Release"
}
},
"variableGroupProjectReferences": [
{
"name": "VarGroup",
"description": "The variable group to store the information about the variables using in the Pipeline",
"projectReference": {
"id": "#ProjectId#",
"name": "#ProjectName#"
}
}
]
}
I can also reproduce your issue with option 1, not only Read, create, & manage for Variable Groups, even I select all the scopes via Custom defined, it still does not work.
According to this doc - https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-pats-with-policies-for-administrators?view=azure-devops#restrict-creation-of-full-scoped-pats
Some of our public APIs are currently unassociated with a PAT scope, and can therefore only be used with “full-scoped” PATs. Because of this, restricting the creation of full-scoped PATs might block some workflows. We're working to identify and document the affected APIs and eventually associate them with the appropriate scope. For now, these workflows can be unblocked by using the allow list.
I believe this should be the reason for this issue, there may be some additional permissions to create variable groups. For option 2, there may be a similar cause.
So in this case, you may need to use the Full access PAT temporarily, as mentioned in the doc We're working to identify and document the affected APIs and eventually associate them with the appropriate scope.
Following the instructions on this page Working with users, groups, and items—ArcGIS REST API: Users, groups, and content | ArcGIS for Developers and the Add Item documentation I was able build a POST request in POSTMAN to add a new item to the user.
After getting the token, when I try the POST request to add the web map I get this error
{"error":{"code":403,"messageCode":"GWM_0003","message":"You do not have permissions to access this resource or perform this operation.","details":[]}}
This is the JSON that contain some simple Web Map data,
{
"operationalLayers": [],
"baseMap": {
"baseMapLayers": [
{
"id": "defaultBasemap",
"layerType": "ArcGISTiledMapServiceLayer",
"url": "https://services.arcgisonline.com/ArcGIS/rest/services/World_Topo_Map/MapServer",
"visibility": true,
"opacity": 1,
"title": "Topographic"
}
],
"title": "Topographic"
},
"spatialReference": {
"wkid": 102100,
"latestWkid": 3857
},
"authoringApp": "WebMapViewer",
"authoringAppVersion": "5.4",
"version": "2.11"
}
I was using the wrong access token.
I was using the access token I had for the app I was testing instead of the user's access token that I had to get with oauth2.
I'm leaving this here for future newbies.
For creating a group, a user and assigning the user to that group, I referred this link Add permission profile through API.
Using REST APIs I am able to do that but permission for user is not getting set.
When I check in DocuSign, group is having correct permission set but same is not set for a user. Please let me know if I am missing anything.
Additional Information: This is the request I am sending
{
"newUsers":[{
"email":"'.$email.'",
"userName":"'.$userName.'",
"password":"'.$password.'",
"groupList": [{
"groupId": "'.$groupId.'",
"groupName": "'.$groupName.'",
"permissionProfileId": "'.$permissionId.'"
}]
}]
}
Also, when a user is added to a group, permissions set at group level will be applied to the users. Is there something missing?
When you create a permission profile you use this endpoint:
POST {vx}/accounts/{accountid}/permission_profiles
the response body for that endpoint should contain this info ( I omitted some details from the response)
{
"permissionProfileId": "sample string 1",
"permissionProfileName": "sample string 2",
...
}
Once you have the permissionProfileId and permissionProfileName you should be able to assign that permission profile to a user using this endpoint:
PUT {vx}/accounts/{accountid}/users/{userid}
and using the permissionProfileId and permissionProfileName in your request (I used dummy values here):
{
"permissionProfileId": "12345",
"permissionProfileName": "SomeName"
}
I hope that helps!
-Yadriel
Let's say I know the group I'm interested in has this URL: https://www.facebook.com/groups/framerjs/.
I've been looking for a way to map an URL like this (without any other source of information) to a specific group ID, using the Graph API, but there seems no way to do that.
I've experimented with the following:
Accessing /me/groups:
This endpoint gives out the groups I've subscribed to (within which the group I'm looking for is included), but there's no information in the response that lets me map framerjs to an ID, since the response will only contain the full (formatted) group name, such as Framer JS.
Using the group alias directly, e.g. /framerjs/feed:
This returns an error like (#803) Some of the aliases you requested do not exist: framerjs, supposedly because the API only allows using aliases for users and/or pages, and not groups.
You can use the Search API:
/search?q=framerjs&type=group
Response:
{
"data": [
{
"name": "Framer JS",
"id": "385961098197634"
}
],
"paging": {
"next": "https://graph.facebook.com/v2.2/search?type=group&q=framerjs&icon_size=16&limit=5000&offset=5000&__after_id=enc_AewsQta1G58IkwuUNLJ8vZb35qrc0BS89MpO1ZiAVCRiwYjzWE_GkHRwxk6I1E5Sj2UprSuDxghIB4EJGEF8GxD7"
}
}