In this blog post I want to show briefly how I implemented the mapping of a realm role to a user in Keycloak with curl in a bash script.
I came across that topic because I noticed that it wasn't possible to upload a new user together with its role information into the current realm.
I found a helpful Stack Overflow entry (Keycloak – using admin API to add client role to user), but that entry didn't answer the question: how do you configure it for a pure realm role? In the end I used the related REST API documentation of Keycloak to extract the information.
Here are the three major steps I did.
1. Obtain the master realm admin access token
First obtain the necessary admin access token from the master realm to be able to perform administration tasks in Keycloak.
2. Get the user id of the user
3. Map the role to the user using the following JSON format
Then I upload the role information using a JSON file. You need to know the role name and the role id.
As you can see, you need to provide the roles as a JSON array:
[
  {"id": "4b409c9d-3512-4da5-aa28-15cbdf51f71c", "name": "user"}
]
The bash script with curl commands
The following bash script code contains a function I use within a bash script to configure the mapping for an existing user called alice to the role called user.
Major steps of the bash script:
- Set the needed parameters for the authorization
- Set the needed parameters for the configuration of the mapping
- Execute the curl command to request the access token
- Execute the curl command to request the user id
- Execute the curl command to map the role information
- Verify the upload
Link to the example code on GitHub.
function mapUserRoleKeycloak() {
  echo "************************************"
  echo " Map 'user' role to user alice in Keycloak"
  echo "************************************"
  # Set the needed parameters for the authorization
  # (KEYCLOAK_URL, e.g. http://localhost:8080, is expected to be exported before calling this function)
  ADMINUSER=admin
  PASSWORD=admin
  GRANT_TYPE=password
  CLIENT_ID=admin-cli
  USER=alice
  # Set the needed parameters for the configuration of the mapping
  TENANT_B=tenantB
  USERROLE=cns-tenantB-role.json
  # 1. Obtain the master realm admin access token (-s keeps curl's progress meter out of the captured output)
  access_token=$( curl -s -d "client_id=$CLIENT_ID" -d "username=$ADMINUSER" -d "password=$PASSWORD" -d "grant_type=$GRANT_TYPE" "$KEYCLOAK_URL/auth/realms/master/protocol/openid-connect/token" | sed -n 's|.*"access_token":"\([^"]*\)".*|\1|p')
  # The password and the token are deliberately not echoed: they would end up in the shell log
  echo "Admin User : $ADMINUSER"
  if [ "$access_token" = "" ]; then
    echo "Could not obtain an admin access token from $KEYCLOAK_URL"
    return 1
  fi
  # 2. Get the user id: filter the user list by username, otherwise the id of some other user could be extracted
  USERID=$(curl -s -H "Content-Type: application/json" -H "Authorization: Bearer $access_token" "$KEYCLOAK_URL/auth/admin/realms/$TENANT_B/users?username=$USER" | sed -n 's|.*"id":"\([^"]*\)".*|\1|p')
  echo "------------------------------------------------------------------------"
  echo "User ID for '$USER': $USERID"
  echo "------------------------------------------------------------------------"
  # 3. Map the role: the body is the JSON array with role id and name.
  # Keycloak answers 204 No Content on success, so the HTTP status is checked instead of the (empty) response body
  status=$(curl -s -o /dev/null -w '%{http_code}' -d @"./$USERROLE" -H "Content-Type: application/json" -H "Authorization: Bearer $access_token" "$KEYCLOAK_URL/auth/admin/realms/$TENANT_B/users/$USERID/role-mappings/realm")
  if [ "$status" = "204" ]; then
    echo "------------------------------------------------------------------------"
    echo "The user: $USER roles are updated."
    echo "Open the following link in your browser:"
    echo "$KEYCLOAK_URL/auth/admin/master/console/#/realms/$TENANT_B"
    echo "------------------------------------------------------------------------"
  else
    echo "------------------------------------------------------------------------"
    echo "It seems there is a problem with the user role mapping, HTTP status: $status"
    echo "------------------------------------------------------------------------"
  fi
}
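The script above expects the role id to be copied into the JSON file by hand. The following added example (not code from the original post or from Keycloak) instead looks the realm role up by name with "GET /auth/admin/realms/{realm}/roles/{role-name}", builds the array payload from the answer and then maps it; it assumes KEYCLOAK_URL, ADMINUSER and PASSWORD are set as in the script above, and the sample role response and the kc_ helper names are constructed for this example.

```shell
# Constructed sample of a "get role by name" response, used for offline testing.
SAMPLE_ROLE_JSON='{"id":"4b409c9d-3512-4da5-aa28-15cbdf51f71c","name":"user","composite":false,"clientRole":false,"containerId":"tenantB"}'

# Print the value of the FIRST occurrence of string field $2 in JSON text $1
# (grep/cut only, no jq). Empty output means the field is absent.
kc_json_field() {
  printf '%s' "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n 1 | cut -d '"' -f 4
}

# Turn a RoleRepresentation into the array that POST .../role-mappings/realm expects.
# Returns 1 when the response carries no id/name, e.g. {"error":"Could not find role"}.
kc_role_payload() {
  id=$(kc_json_field "$1" id)
  name=$(kc_json_field "$1" name)
  [ -n "$id" ] && [ -n "$name" ] || return 1
  printf '[{"id":"%s","name":"%s"}]' "$id" "$name"
}

# Complete flow for realm $1, username $2 and realm role $3.
# Prints the HTTP status of the mapping call: 204 means the role is mapped.
kc_map_realm_role() {
  realm=$1; username=$2; role=$3
  token=$(curl -s -d "client_id=admin-cli" -d "username=$ADMINUSER" -d "password=$PASSWORD" \
    -d "grant_type=password" "$KEYCLOAK_URL/auth/realms/master/protocol/openid-connect/token" \
    | sed -n 's|.*"access_token":"\([^"]*\)".*|\1|p')
  [ -n "$token" ] || { echo "no admin token obtained" >&2; return 1; }
  # Role lookup by name; an unknown role yields a 404 with an error body and no id
  role_json=$(curl -s -H "Authorization: Bearer $token" "$KEYCLOAK_URL/auth/admin/realms/$realm/roles/$role")
  payload=$(kc_role_payload "$role_json") || { echo "realm role '$role' not found" >&2; return 1; }
  # ?username= narrows the user search so the first id belongs to the wanted user
  user_json=$(curl -s -H "Authorization: Bearer $token" "$KEYCLOAK_URL/auth/admin/realms/$realm/users?username=$username")
  user_id=$(kc_json_field "$user_json" id)
  [ -n "$user_id" ] || { echo "user '$username' not found in realm '$realm'" >&2; return 1; }
  curl -s -o /dev/null -w '%{http_code}' -H "Content-Type: application/json" \
    -H "Authorization: Bearer $token" -d "$payload" \
    "$KEYCLOAK_URL/auth/admin/realms/$realm/users/$user_id/role-mappings/realm"
}
```

Call it as kc_map_realm_role tenantB alice user; the two helpers can be exercised without a running Keycloak using SAMPLE_ROLE_JSON.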
Maybe these three blog posts are also useful for you in that context:
- How to create a new realm with the Keycloak REST API?
- Upload an user to Keycloak using CURL
- Simply logout from Keycloak
I hope this was useful for you, and let's see what's next.
Greetings,
Thomas
#keycloak, #CURL, #bashscript
I'm not able to get the role id. How can I get the role and the role id? Please tell me.
Hi KV, based on your question I made small updates in the blog post. Maybe it helps to understand this in the context of the blog post UPLOAD AN USER TO KEYCLOAK USING CURL https://suedbroecker.net/2021/07/16/upload-an-user-to-keycloak-using-curl/ and you should take a look at the Keycloak REST API "Get all roles for the realm or client" https://www.keycloak.org/docs-api/12.0/rest-api/#_roles_resource . I hope that helps, and greetings, Thomas
Hi,
How can I assign a realm role to a client (service account) using the REST API? Please advise.