Is there a way for all users to create custom users attribute in keycloak (like phone number)?
You can create a group and add an attribute to it.
Then set that group as default group. This way the attribute set to the group is available to all the users
Related
I'm using Keycloak as an identity provider in my app. However, I could not find anywhere how to give a user an attribute whose value would be specific to a group. For example : a role within the group ("user", "admin"...), a “pending invitation” status, etc.
Is this even possible, or should I make an external table in my database, mapping user ids with group ids and adding the other attributes ? This additionnal table would be bothersome in terms of architecture.
Have a great day !
Antoine
Keycloak doesn't support assigning attributes/roles with the group scope. It only supports having roles that are "client" specific. As you mentioned yourself, you have to implement a custom provider and persist them in your own storage.
You can set user's attribute with role name/id and status.
This API call can do
PUT {Keycloak URL}/auth/admin/realms/{realm-name}/users/{user-id} OR
PUT {Keycloak URL}/admin/realms/{realm-name}/users/{user-id}
it depends on you Keycloak verion.
And Get user's value by this API
GET {Keycloak URL}/auth/admin/realms/{realm-name}/users/?username={user-name} OR
GET {Keycloak URL}/admin/realms/{realm-name}/users/?username={user-name}
This demo by Postman.
Set user's attributes
Get user's attributes
Get token and set token reference this answer part.
here
I want to automatize creating users and adding permissisons. Is it possible in grafana, to dynamicaly adds permission to user based on AD group?
Lets say user inputs his data including AD group he is in, and the app will create folder, and sets read/edit permissions only to users that are in AD group (that can be any group )?
I know you can set viewer/editor/admin roles to people based on AD group in config file, but is it possible to do so dynamicaly, with their http api?
You can set permissions for folders and permissions for dashboards using the Grafana HTTP API:
Folder Permissions API
Dashboard Permissions API
The logic, what permission should be set for which user, needs to be determined in your code (e.g. based on the user input you mentioned) before making the request.
Is there a way to include the list of groups a user is a member of inside a Keycloak access token, along with the roles they are in? I've created several groups and mapped them to roles. However, I may have more than 1 group that maps to a particular role. I'd like to be able to make fine-grained authorization decisions so I know that User A is in Role A but also Group B. Is that possible?
Found the answer to this right here. All I had to do was add an additional mapper to my Client. Worked like a charm.
I am planning to give user access programmatically. So, I want to add users to keycloak groups. Is there any way to automate this?
You can define some groups as default groups, then they will be added to any created users automatically. You can do this in the admin console.
I have configured Keycloak with user self-registration. The keycloak instance will hold users of multiple customers which I plan to put into groups (so each customer can have admins that can manage these users through fine-grained permissions).
To map users that are self-registering to appropriate groups (using their email address, e.g.) I'd like to put them in their default group upon registering. Is this possible using either configuration or implementing an SPI? Or are there other possibilities to achieve a similar behavior?