Keycloak: roles not assigned when user is created via CLI - keycloak

Running the below commands to import user with roles.
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password [pass]
./kcadm.sh create users -r [realm_name] -f user-admin.json
user-admin.json looks like:
{
"username": "adminLocal",
"enabled": true,
"totp": false,
"emailVerified": false,
"firstName": "admin",
"lastName": "local",
"email": "adminLocal#domain.com",
"disableableCredentialTypes": ["password"],
"requiredActions": [],
"notBefore": 0,
"access": {
"manageGroupMembership": true,
"view": true,
"mapRoles": true,
"impersonate": true,
"manage": true
},
"credentials" : [
{
"value" : "secret",
"type" : "password",
"temporary" : false
}
],
"realmRoles" : ["admin","offline_access","uma_authorization"]
}
Expected all the specified roles in "realmRoles" key to be assigned. However just Realm Default Roles: "offline_access","uma_authorization" were assigned to user.
The roles exist and were added beforehand via Keycloak Admin UI.
It's possible to create user and then assign roles as a workaround. However would like to do it with one command.

Related

Keycloak JWT to contain user real and client role

I'm using Keycloak version 20.0.1 (also tried on 19.0.0).
I have a realm configured and under the Client Scopes -> realm roles -> Mappers I have added the realm_access.roles mapping.
For some reasons that I don't understand, the JWT token that I get as a response doesn't contain the Realm Roles (I have also assigned a realm role to the user that it's used for testing).
The response that I get is:
{
"exp": 1669579902,
"iat": 1669579602,
"auth_time": 1669577841,
"jti": "9dfe2638-a9f8-4094-8691-7a1423b629f7",
"iss": "https://auth.xxxx.com/realms/xxxx.com",
"sub": "6fe1b9b9-5ddd-478d-9b38-bd11698295cf",
"typ": "Bearer",
"azp": "spring-client",
"nonce": "d14b168b-3c77-489b-85dd-192dba533624",
"session_state": "55d938d4-42e7-4c2b-9038-f808c917c366",
"acr": "0",
"allowed-origins": [
"*"
],
"scope": "openid email profile roles",
"sid": "55d938d4-42e7-4c2b-9038-f808c917c366",
"email_verified": true,
"name": "first last",
"preferred_username": "user#email.com",
"given_name": "first",
"family_name": "last",
"email": "user#email.com"
}
How should I add the roles into the JWT response returned by Keycloak?
I have tried to configure the Client Scopes -> ream roles -> Mappers and I was expecting to receive in the JWT response the roles field.
In the JWT of Keycloak, two roles information.
It is not represented user's assigned role. Just assigned client role are included but realm's roles is possible list of realm.
If you want to get all of assigned role, have to call role mapping of user API (see #3.1)
I decoded JWT by jwo.io after get access token by Postman with Keycloak v 19.0.2
#1 realm roles list - It is not assigned realm role list, it is possible role list
User JWT(access token), get grant_type = password
{
"exp": 1669599866,
"iat": 1669596266,
"jti": "ad4e3b51-b23e-4abb-aba6-0099bb5213cf",
"iss": "http://localhost:8080/auth/realms/example",
"aud": "account",
"sub": "fae8bf9b-2209-4f01-ab32-629e029941ba",
"typ": "Bearer",
"azp": "spring-client",
"session_state": "8debdcfa-4252-4a27-8190-2a4981e6a795",
"acr": "1",
"realm_access": {
"roles": [
"offline_access",
"admin",
"default-roles-example",
"uma_authorization",
"user"
]
},
"resource_access": {
"spring-client": {
"roles": [
"client role2"
]
}
},
"scope": "openid profile email",
"sid": "8debdcfa-4252-4a27-8190-2a4981e6a795",
"email_verified": false,
"name": "first last",
"preferred_username": "user",
"given_name": "first",
"family_name": "last",
"email": "user#test.com"
}
five realm's roles are possible realm's role not assigned user's roles
User just assigned three realm's roles
Client JWT(access token), get grant_type = client_credentials
{
"exp": 1669597154,
"iat": 1669593554,
"jti": "ff6ae9db-7e05-4f9a-a538-0755a7f55125",
"iss": "http://localhost:8080/auth/realms/example",
"aud": "account",
"sub": "9db11aa2-6862-4ebb-9ee6-b03b51d7814d",
"typ": "Bearer",
"azp": "spring-client",
"acr": "1",
"realm_access": {
"roles": [
"offline_access",
"default-roles-example",
"uma_authorization"
]
},
"scope": "openid profile email",
"clientId": "spring-client",
"clientHost": "172.19.0.1",
"email_verified": false,
"preferred_username": "service-account-spring-client",
"clientAddress": "172.19.0.1"
}
Those are client's roles, it has three roles but not matched JWT's realm list
In the JWT (client access token), that list is possible realm list(not assigned client realm roles)
#2 client role - It is assigned client list
GET {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/clients/{client-UUID}/roles
http://localhost:8080/auth/admin/realms/example/clients/1cb76d56-b96f-42a7-91c0-c201a7761e9e/roles
[
{
"id": "e5171eb5-976e-429f-914c-0d63d7b394fd",
"name": "client role2",
"composite": false,
"clientRole": true,
"containerId": "1cb76d56-b96f-42a7-91c0-c201a7761e9e"
},
{
"id": "293c9c9c-bb76-4192-be09-ede769458394",
"name": "uma_protection",
"composite": false,
"clientRole": true,
"containerId": "1cb76d56-b96f-42a7-91c0-c201a7761e9e"
},
{
"id": "e1441ceb-7ea8-436b-9a55-30999c6de744",
"name": "client role1",
"description": "",
"composite": false,
"clientRole": true,
"containerId": "1cb76d56-b96f-42a7-91c0-c201a7761e9e"
}
]
#3 user's role list can get the separate API
3.1 all of user's role
GET {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/users/{USER-UUID}/role-mappings
UI:
It seems to block, UI not allow to assign directly a user into client role from UI. I use REST API call. Here
Example, get user's roles:
http://localhost:8080/auth/admin/realms/example/users/fae8bf9b-2209-4f01-ab32-629e029941ba/role-mappings
Response
{
"realmMappings": [
{
"id": "c31bd5ce-e400-4546-b633-d4d5bde596d8",
"name": "admin",
"description": "Administrator privileges",
"composite": false,
"clientRole": false,
"containerId": "e78f0c77-b44b-48da-850b-9d157e24a439"
},
{
"id": "d99f61be-bacd-438d-974d-06a006704a1e",
"name": "default-roles-example",
"description": "${role_default-roles}",
"composite": true,
"clientRole": false,
"containerId": "e78f0c77-b44b-48da-850b-9d157e24a439"
},
{
"id": "8d250d6c-e249-4b63-b86f-390b4550b12e",
"name": "user",
"description": "User privileges",
"composite": false,
"clientRole": false,
"containerId": "e78f0c77-b44b-48da-850b-9d157e24a439"
}
],
"clientMappings": {
"spring-client": {
"id": "1cb76d56-b96f-42a7-91c0-c201a7761e9e",
"client": "spring-client",
"mappings": [
{
"id": "e5171eb5-976e-429f-914c-0d63d7b394fd",
"name": "client role2",
"composite": false,
"clientRole": true,
"containerId": "1cb76d56-b96f-42a7-91c0-c201a7761e9e"
}
]
}
}
}
If you want to see, how to set the role into client or user,here
to get roles or anything in token we had protocol mappers in version 18.0 and earlier. for version 19 and above it is removed but only from ui
you can add protocol mapper by rest api
/POST {keycloak_url}/admin/realms/demo/clients/<clientId>/protocol-mappers/models
authorization:Bearer token //should be admin token
{
"protocol":"openid-connect",
"config{
"multivalued":"true",
"id.token.claim":"true",
"access.token.claim":"true",
"userinfo.token.claim":"true",
"usermodel.realmRoleMapping.rolePrefix":"",
"claim.name":"realmRoles"
},
"name":"roleNameMapper",
"protocolMapper":"oidc-usermodel-realm-role-mapper"
}

Cannot set `bearerOnly: true` in Keycloak 19.0

I am trying to secure my backend service but due to the updates with Keycloak 19.0 I can't follow any tutorial online. I am trying to set bearerOnly: true but there are no options to set the access type in new version of Keycloak
I tested v19.0.1, I can't find to option for bearerOnly option UI either but client JSON import after export and change bearerOnly true works.
I tested to import v18.0.2's JSON makes error.(attached image at the bottom)
So if you migrate from old version to 19.0.1 should be update manually base on v19's export JSON file.
Steps
Export Client JSON from v19
Delete #1 client
Switch "bearerOnly": true
Import #3 JSON in v19
This is bearerOnly true and false difference screen in UI
bearerOnly True option
bearerOnly False option
Using this JSON for True option
{
"clientId": "my-client-bearer-true",
"name": "My Client Bearer Only True",
"description": "",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": true,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": true,
"protocol": "openid-connect",
"attributes": {
"oidc.ciba.grant.enabled": "false",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.session.required": "true",
"backchannel.logout.revoke.offline.tokens": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"acr",
"roles",
"profile",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}
If import v18.0.2 JSON file with bearerOnly true into v19.0.1,
It makes error
I using this V18 JSON file but It makes error as upper image.
So you can't import directly v18 JSON into V19.
{
"realm": "test",
"bearer-only": true,
"auth-server-url": "http://localhost:8180/auth/",
"ssl-required": "external",
"resource": "my-client",
"confidential-port": 0
}

Keycloak : unable to map user roles when creating user for api

I am new to Keycloak. I want create user using Keycloak admin REST API.
I have managed to create a user. But the problem is I also want to assign admin role to the user.
Attached is my JSON body. Can someone tell me what am I doing wrong here?
{
"username": "username",
"email": "user#gmail.com",
"firstName": "name1",
"lastName": "name2",
"realmRoles": [ "admin" ],
"enabled": true,
"credentials": [{
"type": "password",
"value": "default",
"temporary": false
}]
}
Thank you in advance

Keycloak admin user creation

Can we create a admin user in keycloak using below rest-api ?
https://$HOSTNAME/auth/admin/realms/{REALM}/users
I am using the below payload , but it's now working.
{ "attributes" : {}, "emailVerified": "", "enabled": true, "username":
"admin", "clientRoles": {"realm-management": [ "realm-admin" ] } }
Thanks in advance
You have to call a separate REST API after you create the user to add roles/groups.
See this issue.

chef-solo not updating postgres pg_hba.conf

I am using Chef Solo to provision a Vagrant Virtual Machine. Here is the relevant Vagrantfile snippet:
chef.run_list = [
"databox::default",
"mydbstuff"
]
chef.json = {
"postgresql": {
"config" : {
"listen_addresses": "*"
},
"pg_hba": [
{"type": "local", "db": "all", "user": "postgres", "addr": null, "method": "ident"},
{"type": "local", "db": "all", "user": "all", "addr": null, "method": "md5"},
{"type": "host", "db": "all", "user": "all", "addr": "127.0.0.1/32", "method": "md5"},
{"type": "host", "db": "all", "user": "all", "addr": "::1/128", "method": "md5"},
{"type": "local", "db": "all", "user": "vagrant", "addr": null, "method": "ident"},
{"type": "host", "db": "all", "user": "all", "addr": "192.168.248.1/24", "method": "md5"}
]
},
"databox": {
"db_root_password": "abc123",
"databases": {
"postgresql": [
{ "username": "db1", "password": "abc123", "database_name": "db1" },
{ "username": "db2", "password": "abc123", "database_name": "db2" }
]
}
}
}
The mydbstuff::default recipe looks like this:
postgresql_connection_info = {
:host => "localhost",
:port => node['postgresql']['config']['port'],
:username => 'postgres',
:password => node['postgresql']['password']['postgres']
}
postgresql_database_user 'vagrant' do
connection postgresql_connection_info
password 'vagrant'
action :create
end
node['databox']['databases']['postgresql'].each do |db|
postgresql_database_user 'vagrant' do
connection postgresql_connection_info
action :grant
database_name db.database_name
end
end
I am trying to allow connections by the local vagrant user without a password, and by any user from the VirtualBox private network. The pg_hba array in my chef.json has four lines that are copied from the default configuration and two lines to do the other stuff that I want to do. If I add these two lines to the pg_hba.conf file manually, they work just fine.
The problem is that my changes aren't actually written to the pg_hba.conf file. What's preventing them from being written?
It appears that the databox cookbook overwrites the Postgres permissions array using node.set instead of just modifying the part that it needs.
I have submitted a pull request to the project to change this behavior so that additional entries can be added to the file.
I faced same problem with chef-solo. My way out was to create a template for pg_hba.conf and replaced at the end of execution of recipe.