
I can successfully create a user by calling the following path in the Postman software:

http://{KEYCLOAK_IP}/auth/admin/realms/{REALM_NAME}/users

The body content that I send is like following:

{
    "enabled": true,
    "username": "Reza",
    "email": "reza@sampleMailServer1.com",
    "firstName": "Reza",
    "lastName": "Azad",
    "credentials": [
        {
            "type": "password",
            "value": "123",
            "temporary": false
        }
    ]
}

Now, let's assume that we have a client named browserApp, and this client has a role named borwserAppRoleUser. Also, the realm has a role named realmRoleUser. In order to include the above-mentioned roles in the body content of the HTTP request, I tried the following structure:

{
    "enabled": true,
    "username": "Reza",
    "email": "reza@sampleMailServer1.com",
    "firstName": "Reza",
    "lastName": "Azad",
    "credentials": [
        {
            "type": "password",
            "value": "123",
            "temporary": false
        }
    ],
    "role": [
        {
            "id": "borwserAppRoleUser",
            "name": "test",
            "description": "${role_create-client}",
            "composite": false,
            "clientRole": true,
            "containerId": "browserApp"
        },
        {
            "id": "realmRoleUser",
            "composite": false,
            "clientRole": false
        }
    ]
}

Sending the above body content results in a 400 Bad Request response. The error contains this message:

Unrecognized field "role" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable

Also, I am sure that the rest of the role object is not correct.

I searched for examples online, but I could not find any sample regarding the role assignment. Can anybody please help me to fix this problem?

Reza Azad

1 Answer


The REST API does not support assigning realm & client roles in a single JSON body. It is only supported by Add Realm with a JSON import.

The simple JSON format is like this, but it needs extra data. This is a working example for Import Realm JSON data:

{
    "id": "test",
    "realm": "test",
    "users": [
        {
            "enabled": true,
            "username": "Reza",
            "email": "reza@sampleMailServer1.com",
            "firstName": "Reza",
            "lastName": "Azad",
            "credentials": [
                {
                    "type": "password",
                    "value": "123",
                    "temporary": false
                }
            ],
            "realmRoles": [
                "user"
            ],
            "clientRoles": {
                "borwserAppRoleUser": [
                    "test"
                ]
            }
        }
    ],
    "scopeMappings": [
        {
            "client": "borwserAppRoleUser",
            "roles": [
                "test"
            ]
        }
    ],
    "roles": {
        "realm": [
            {
                "name": "user",
                "description": "Have User privileges"
            }
        ],
        "client": {
            "borwserAppRoleUser": [
                {
                    "name": "test",
                    "description": "${role_create-client}"
                }
            ]
        }
    }
}

If you want to assign a user's realm role and client role, use separate API calls.

#1 Assign user's realm role

POST {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/users/{USER-UUID}/role-mappings/realm

In Body of POST

[
    {
        "id": "{REALM-ROLE-UUID}",
        "name": "{ROLE-NAME}",
        "composite": false,
        "clientRole": false,
        "containerId": "{REALM-NAME}"
    }
]

1.1 Get master token

1.2 Get user UUID

1.3 Get realm role UUID and name

1.4 POST realm role into user

#2 Assign user's client role

POST {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/users/{USER-UUID}/role-mappings/clients/{CLIENT-UUID}

In Body of POST

[
    {
        "id": "{CLIENT-ROLE-UUID}",
        "name": "{ROLE-NAME}",
        "description": "${role_create-client}",
        "composite": false,
        "clientRole": true,
        "containerId": "{CLIENT-UUID}"
    }
]

2.1 Get master token

2.2 Get user UUID - same as 1.2

2.3 Get client UUID

2.4 Get client role UUID & name

2.5 POST client role into user

Finally, confirm both assigned roles with this API:

GET {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/users/{USER-UUID}/role-mappings


Bench Vue
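The full flow from the question and the answer in one script, as an added example that is not code from the question, the answer or the Keycloak project: obtain an admin token, POST the UserRepresentation from the question (with no "role" field), read the new user's UUID from the 201 Location header, look up the realm role, the client and the client role by name, then POST to the two role-mappings endpoints from the answer and confirm with GET role-mappings. Assumed values are the Keycloak base URL http://localhost:8080 with the legacy /auth prefix used on this page, a realm named myrealm, and an admin user in the master realm authenticating through the admin-cli client; everything else (browserApp, borwserAppRoleUser, realmRoleUser, the user Reza) comes from the page. Only the Python standard library is used.

```python
"""Create a Keycloak user and assign a realm role and a client role.

Added example for this page; not the original poster's, the answerer's or
Keycloak's own code. Assumed: Keycloak at http://localhost:8080 with the
legacy /auth path prefix, a realm "myrealm", and a master-realm admin user
that logs in through the built-in admin-cli client.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def build_user(username, email, first_name, last_name, password, temporary=False):
    """UserRepresentation for POST /users. Deliberately has no "role" key:
    that field does not exist, which is the 400 seen in the question."""
    return {
        "enabled": True,
        "username": username,
        "email": email,
        "firstName": first_name,
        "lastName": last_name,
        "credentials": [{"type": "password", "value": password, "temporary": temporary}],
    }


def user_id_from_location(location):
    """POST /users answers 201 with an empty body; the user's UUID is the
    last path segment of the Location header."""
    return location.rstrip("/").rsplit("/", 1)[-1]


def role_mapping_body(role):
    """The role-mappings endpoints take a JSON array of RoleRepresentations.
    Copy id/name (and the container fields) from the role as Keycloak returned
    it rather than typing them by hand; "id" must be the role UUID."""
    keys = ("id", "name", "composite", "clientRole", "containerId")
    return [{k: role[k] for k in keys if k in role}]


def pick_client(clients, client_id):
    """Clients are looked up by their human "clientId"; URLs need the "id" UUID."""
    for client in clients:
        if client.get("clientId") == client_id:
            return client
    raise LookupError(f"client {client_id!r} not found")


class KeycloakAdmin:
    def __init__(self, base_url, realm, token):
        self.base, self.realm, self.token = base_url.rstrip("/"), realm, token

    @classmethod
    def login(cls, base_url, realm, admin_user, admin_password):
        """Resource-owner password grant against master/admin-cli (assumed setup)."""
        url = base_url.rstrip("/") + "/auth/realms/master/protocol/openid-connect/token"
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": admin_user, "password": admin_password})
        with urllib.request.urlopen(urllib.request.Request(url, data=form.encode())) as resp:
            return cls(base_url, realm, json.load(resp)["access_token"])

    def _call(self, method, path, body=None):
        """One admin API call; returns (headers, parsed JSON or None for empty bodies)."""
        url = f"{self.base}/auth/admin/realms/{self.realm}{path}"
        req = urllib.request.Request(
            url, method=method, data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.headers, (json.loads(raw) if raw else None)

    def create_user(self, user_rep):
        headers, _ = self._call("POST", "/users", user_rep)
        return user_id_from_location(headers["Location"])

    def realm_role(self, name):
        return self._call("GET", "/roles/" + urllib.parse.quote(name))[1]

    def client(self, client_id):
        clients = self._call("GET", "/clients?clientId=" + urllib.parse.quote(client_id))[1]
        return pick_client(clients, client_id)

    def client_role(self, client_uuid, name):
        return self._call("GET", f"/clients/{client_uuid}/roles/{urllib.parse.quote(name)}")[1]

    def assign_realm_role(self, user_id, role):          # answer's step #1
        self._call("POST", f"/users/{user_id}/role-mappings/realm", role_mapping_body(role))

    def assign_client_role(self, user_id, client_uuid, role):   # answer's step #2
        self._call("POST", f"/users/{user_id}/role-mappings/clients/{client_uuid}",
                   role_mapping_body(role))

    def role_mappings(self, user_id):                    # answer's final check
        return self._call("GET", f"/users/{user_id}/role-mappings")[1]


if __name__ == "__main__":
    kc = KeycloakAdmin.login("http://localhost:8080", "myrealm", "admin", "admin")  # assumed
    uid = kc.create_user(build_user("Reza", "reza@sampleMailServer1.com", "Reza", "Azad", "123"))
    kc.assign_realm_role(uid, kc.realm_role("realmRoleUser"))
    app = kc.client("browserApp")
    kc.assign_client_role(uid, app["id"], kc.client_role(app["id"], "borwserAppRoleUser"))
    print(json.dumps(kc.role_mappings(uid), indent=2))
```

Two practical notes. A failed call raises urllib.error.HTTPError; reading its body (e.g. `e.read()`) gives the same `errorMessage` JSON that Postman shows, which is how the "Unrecognized field" text in the question surfaces. And for anything beyond a one-off, do not drive this with the master-realm admin password: create a confidential client with a service account that holds only the realm-management `manage-users` (or `view-users` plus `manage-users`) role and use the client-credentials grant instead, so the token that can create users and hand out roles is scoped to that job.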