Map an existing user to a role in a Keycloak realm using CURL

In this blog post I want to briefly show how I implemented the mapping of a role to a user in Keycloak with CURL in a bash script.

The reason I came across this topic was that I noticed it wasn't possible to upload a new user including the role information to the current realm.

I found that helpful stackoverflow entry (Keycloak – using admin API to add client role to user), but it didn't contain the information I needed: how to configure it for a pure realm role? In the end I found the related REST API documentation of Keycloak and extracted the information from there.

Here are the major three steps I did.

1. Obtain the master realm admin access-token

First obtain the necessary admin access token from the master realm to be able to perform administration tasks in Keycloak.

2. Get the user id of the user

3. Map the role to the user using the following JSON format

Then I upload the role information using a JSON file. You need to know the role name and the role id.
As you can see, the role has to be provided in an array format.

[
  {
    "id": "4b409c9d-3512-4da5-aa28-15cbdf51f71c",
    "name": "user"
  }
]

The bash script with CURL commands

The following bash script code contains a function I use within a bash script to map an existing user called alice to the role called user.

Major steps of the bash script:

  • Set the needed parameter for the authorization
  • Set the needed parameter for configuration of the mapping
  • Execute the CURL command to request the access-token
  • Execute the CURL command to request the user id
  • Execute the CURL command to map the role information
  • Verify upload

function mapUserRoleKeycloak() {
    echo "************************************"
    echo " Map 'user' role to user alice in Keycloak"
    echo "************************************"

    # Set the needed parameter for authorization
    # (KEYCLOAK_URL is expected to be set by the surrounding script, e.g. https://keycloak.example.com)
    local ADMINUSER=admin
    local PASSWORD=admin
    local GRANT_TYPE=password
    local CLIENT_ID=admin-cli
    local USER=alice

    # Set the needed parameter for configuration of the mapping
    local TENANT_B=tenantB
    local USERROLE=cns-tenantB-role.json

    # Request the admin access token from the master realm.
    # The token endpoint answers with single-line JSON, so sed can pick out "access_token".
    local access_token
    access_token=$( curl -s -d "client_id=$CLIENT_ID" -d "username=$ADMINUSER" -d "password=$PASSWORD" -d "grant_type=$GRANT_TYPE" "$KEYCLOAK_URL/auth/realms/master/protocol/openid-connect/token" | sed -n 's|.*"access_token":"\([^"]*\)".*|\1|p')
    if [ -z "$access_token" ]; then
        echo "Could not obtain an access token for $ADMINUSER from the master realm"
        return 1
    fi
    # Do not print the password or the token itself: the token is a bearer credential
    echo "Admin User : $ADMINUSER"
    echo "Access token obtained"

    # Get the user id of alice. Filter by username: reading the whole user list and
    # picking an "id" out of it with sed would return the id of some other user.
    # exact=true prevents 'alice' from also matching e.g. 'alice2' (older Keycloak versions ignore it).
    local USERID
    USERID=$(curl -s -H "Content-Type: application/json" -H "Authorization: Bearer $access_token" "$KEYCLOAK_URL/auth/admin/realms/$TENANT_B/users?username=$USER&exact=true" | sed -n 's|.*"id":"\([^"]*\)".*|\1|p')
    if [ -z "$USERID" ]; then
        echo "User '$USER' not found in realm '$TENANT_B'"
        return 1
    fi
    echo "------------------------------------------------------------------------"
    echo "User ID for '$USER': $USERID"
    echo "------------------------------------------------------------------------"

    # Map the role: POST the JSON array of role representations from the file.
    # Keycloak answers 204 No Content on success, so an empty response body means success.
    local result
    result=$(curl -s -d @"./$USERROLE" -H "Content-Type: application/json" -H "Authorization: Bearer $access_token" "$KEYCLOAK_URL/auth/admin/realms/$TENANT_B/users/$USERID/role-mappings/realm")

    if [ "$result" = "" ]; then
        echo "------------------------------------------------------------------------"
        echo "The user: $USER roles are updated."
        echo "Open following link in your browser:"
        echo "$KEYCLOAK_URL/auth/admin/master/console/#/realms/$TENANT_B"
        echo "------------------------------------------------------------------------"
    else
        echo "------------------------------------------------------------------------"
        echo "It seems there is a problem with the user role mapping: $result"
        echo "------------------------------------------------------------------------"
    fi
}
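As an added example (not code from the original post), the following function covers the JSON format of step 3 and the "Verify upload" bullet that the script above leaves out: it looks the realm role up by its name instead of hard-coding the role id in a JSON file, builds the array payload itself, maps it to the user, and then reads the user's realm role mappings back to confirm the role is really there. It assumes that KEYCLOAK_URL is set, that the /auth prefix of the original post is in use, that the admin access token is obtained as in the script above and passed in as the first argument, and that the user and role names contain no characters that need URL encoding. The helper names (json_field, role_mapping_payload, has_role_mapping, map_realm_role_by_name) are my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: resolve a realm role by name,
# map it to an existing user and verify the mapping afterwards.
# Assumptions: KEYCLOAK_URL is set (e.g. https://keycloak.example.com), the
# /auth prefix of the original post is in use, the admin access token is passed
# in, and user/role names need no URL encoding.

# Pull a top-level string field out of a single-line JSON object, sed-only like
# the original post. If the field occurs several times the last one wins, so the
# callers make sure the response holds exactly one object (jq would be more robust).
json_field() {
  # $1 = JSON text, $2 = field name
  printf '%s\n' "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Build the payload the role-mappings endpoint expects: an array of role
# representations carrying id and name.
role_mapping_payload() {
  # $1 = role id, $2 = role name
  printf '[{"id":"%s","name":"%s"}]' "$1" "$2"
}

# Exit 0 when the realm role mappings JSON contains the given role name.
# Fixed-string match on "name":"<role>", so 'user' does not match 'superuser'.
has_role_mapping() {
  # $1 = JSON array returned by .../role-mappings/realm, $2 = role name
  printf '%s\n' "$1" | grep -q -F -e "\"name\":\"$2\""
}

# Map a realm role to an existing user and verify it.
map_realm_role_by_name() {
  # $1 = admin access token, $2 = realm, $3 = username, $4 = realm role name
  local token="$1" realm="$2" username="$3" role="$4"
  local auth="Authorization: Bearer $token"
  local base="$KEYCLOAK_URL/auth/admin/realms/$realm"
  local users user_id role_json role_id mappings

  # Step 1: look the user up by name. exact=true (ignored by very old Keycloak
  # versions) keeps 'alice' from also matching 'alice2'.
  users=$(curl -sS -f -H "$auth" "$base/users?username=$username&exact=true") || return 1
  user_id=$(json_field "$users" id)
  [ -n "$user_id" ] || { echo "user '$username' not found in realm '$realm'" >&2; return 1; }

  # Step 2: fetch the realm role representation by name to learn its id.
  role_json=$(curl -sS -f -H "$auth" "$base/roles/$role") || return 1
  role_id=$(json_field "$role_json" id)
  [ -n "$role_id" ] || { echo "realm role '$role' not found" >&2; return 1; }

  # Step 3: POST the mapping. Keycloak answers 204 No Content on success; -f turns
  # any 4xx/5xx into a non-zero exit instead of an empty body looking like success.
  curl -sS -f -H "$auth" -H "Content-Type: application/json" \
       -d "$(role_mapping_payload "$role_id" "$role")" \
       "$base/users/$user_id/role-mappings/realm" || return 1

  # Step 4: read the realm role mappings back and check the role is present.
  mappings=$(curl -sS -f -H "$auth" "$base/users/$user_id/role-mappings/realm") || return 1
  has_role_mapping "$mappings" "$role"
}

# Usage (after obtaining the token the way the post's script does):
#   map_realm_role_by_name "$access_token" tenantB alice user && echo "mapping verified"
```

The function returns non-zero as soon as the user or the role cannot be found or a request fails, so a calling script can stop instead of reporting success on an empty response body.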

Maybe these three blog posts are also useful for you in that context:


I hope this was useful for you and let’s see what’s next?

Greetings,

Thomas

#keycloak, #CURL, #bashscript
