Keycloak: Can not read users realm roles as admin cli when calling the admin rest api

I use Keycloak 11 as an OpenID Connect provider for my Spring Boot services. Everything works fine so far.


I have a service that uses a WebClient. It is nested in my service and uses client auth with the admin-cli client. That works. When I do a GET on /users/{userId}, I get the user representation. The problem I have now is that the realm roles of the user are not added to the representation.

In the docs this parameter is mentioned as String[] and marked as optional in the UserRepresentation.

I thought that if I configure the Service account roles -> Client Roles -> realm-management -> realmAdmin , the client should be able to view the whole user output.

But if I use Postman and call the API as admin-cli, it is not included in the JSON response.

I also tried to add the attribute in my KeycloakUserRepresentationModel

import java.util.List;
import java.util.Map;

// Subset of Keycloak's UserRepresentation, deserialized from GET /users/{userId}
// (getters/setters omitted)
public class KeycloakUserRepresentation {

    private String id;
    private String username;
    private String firstName;
    private String lastName;
    private String email;
    private Boolean emailVerified;
    private Boolean enabled;
    private Map<String, List<String>> attributes;
    private String[] realmRoles;   // always null in the response
}

and execute the request. The array realmRoles is always null.

Can you tell me what I have to configure to read the user's realmRoles as admin-cli?



You first need to request a token from the admin-cli client on behalf of the admin (or a user with similar privileges):

# token endpoint of the realm the admin user belongs to (master for the built-in admin)
curl -d "client_id=admin-cli" \
     -d "username=$ADMIN_NAME" \
     -d "password=$ADMIN_PASSWORD" \
     -d "grant_type=password" \
     "<KEYCLOAK_HOST>/auth/realms/<YOUR_REALM>/protocol/openid-connect/token"

then, to get the list of users associated with a given realm role, you use that token on the call to the following endpoint:

GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/roles/<ROLE_NAME>/users

From the JSON response you can check if your user belongs to that list.

Alternatively, you can call the Rest Admin API to

  1. get the user, and then extract its ID;
  2. get the roles associated with that user by using its ID in the call to the endpoint: GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/users/<USER_ID>/role-mappings
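The question's setup (a service account token for the admin-cli client, then a call to the Admin REST API) and the answer's two-step procedure come down to the same calls. The following is an added Python example, not code from the question, the answer or Keycloak itself. It assumes Keycloak 11 paths (still carrying the /auth prefix), a confidential client with service accounts enabled whose service account holds the realm-management role view-users, and a token issued by the realm the client is defined in; the host keycloak.example, realm demo, user id 1234, client secret and the JSON responses are constructed placeholders. The key point it demonstrates: GET /users/{id} returns a UserRepresentation in which realmRoles is simply not populated, so the roles have to be read from /users/{id}/role-mappings/realm (direct mappings) or /users/{id}/role-mappings/realm/composite (effective mappings, composites expanded). The HTTP transport is a plain callable so the whole flow runs offline against the constructed responses; pass urllib_transport to talk to a real server.

```python
"""Fetch a user's realm roles via the Keycloak Admin REST API.

Added example, not code from the question or the answer. Assumes Keycloak 11
(URLs still carry the /auth prefix), a confidential client with service
accounts enabled whose service account holds the realm-management role
view-users, and placeholder host/realm/user values. The HTTP transport is a
plain callable so the flow can be run offline against constructed responses.
"""
import json
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body=None):
    """Default transport: a real HTTP call (needs a reachable Keycloak)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class KeycloakAdminClient:
    def __init__(self, base_url, realm, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.realm = realm
        self.transport = transport
        self.token = None

    def login_service_account(self, client_id, client_secret):
        """client_credentials grant: a token for the client's service account,
        issued by the realm the client is defined in."""
        url = f"{self.base_url}/auth/realms/{self.realm}/protocol/openid-connect/token"
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        }).encode("utf-8")
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        self.token = self.transport("POST", url, headers, body)["access_token"]
        return self.token

    def _get(self, path):
        if self.token is None:
            raise RuntimeError("call login_service_account() first")
        url = f"{self.base_url}/auth/admin/realms/{self.realm}{path}"
        return self.transport("GET", url, {"Authorization": f"Bearer {self.token}"}, None)

    def get_user(self, user_id):
        """UserRepresentation from GET /users/{id}; realmRoles is not populated here."""
        return self._get(f"/users/{user_id}")

    def get_realm_roles(self, user_id, effective=False):
        """Realm-level role mappings: direct ones, or effective ones with
        composite roles expanded (the /composite sub-resource)."""
        path = f"/users/{user_id}/role-mappings/realm"
        if effective:
            path += "/composite"
        return sorted(role["name"] for role in self._get(path))

    def user_has_realm_role(self, user_id, role_name):
        return role_name in self.get_realm_roles(user_id, effective=True)


# Constructed responses standing in for a Keycloak server (not real data).
FAKE_BASE = "https://keycloak.example"
FAKE_TOKEN = "eyJ.fake.token"
FAKE_RESPONSES = {
    ("POST", f"{FAKE_BASE}/auth/realms/demo/protocol/openid-connect/token"):
        {"access_token": FAKE_TOKEN, "token_type": "Bearer"},
    ("GET", f"{FAKE_BASE}/auth/admin/realms/demo/users/1234"):
        {"id": "1234", "username": "alice", "enabled": True},
    ("GET", f"{FAKE_BASE}/auth/admin/realms/demo/users/1234/role-mappings/realm"):
        [{"id": "r1", "name": "app-user"}, {"id": "r2", "name": "offline_access"}],
    ("GET", f"{FAKE_BASE}/auth/admin/realms/demo/users/1234/role-mappings/realm/composite"):
        [{"name": "app-user"}, {"name": "offline_access"}, {"name": "uma_authorization"}],
}


def fake_transport(method, url, headers, body):
    """Offline stand-in that, like Keycloak, rejects admin calls without the bearer token."""
    if url.startswith(f"{FAKE_BASE}/auth/admin/") and headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
        raise PermissionError("401 Unauthorized")
    return FAKE_RESPONSES[(method, url)]


def demo(transport=fake_transport):
    kc = KeycloakAdminClient(FAKE_BASE, "demo", transport)
    kc.login_service_account("admin-cli", "constructed-secret")
    user = kc.get_user("1234")
    return {
        "realmRoles_in_user_representation": user.get("realmRoles"),  # None
        "direct": kc.get_realm_roles("1234"),
        "effective": kc.get_realm_roles("1234", effective=True),
        "has_app_user": kc.user_has_realm_role("1234", "app-user"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the only thing that changes is the transport and the placeholders; the role-mapping endpoints return RoleRepresentation objects, and the service account needs view-users (or the broader realm-admin) on the realm-management client for those calls to return 200 rather than 403.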
