How to get custom attributes for a user in Keycloak using the RESTful API?
Question
I would assume this to be straightforward but I can't find it in the docs.

The following curl command:

```bash
# Double quotes so that $URL and $REALM are expanded by the shell
curl \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://$URL/auth/realms/$REALM/protocol/openid-connect/userinfo"
```

results in:

```json
{
  "sub": "8182...415",
  "email_verified": true,
  "name": "n.a. n.a.",
  "groups": [],
  "preferred_username": "foo@example.com",
  "given_name": "n.a.",
  "family_name": "n.a.",
  "email": "foo@example.com"
}
```

How do I get the custom attributes for a user?
Answer 1

Score: 1
You can get the user attributes with the get users endpoint from Admin Rest API:

```
GET /{realm}/users
```

with the query parameters `exact=true` and `username`.

Step-by-Step:

You can get that information using the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. For now, I will be using the `admin` user from the `master` realm:

```bash
curl "https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token" \
  -d "client_id=admin-cli" \
  -d "username=$ADMIN_NAME" \
  -d "password=$ADMIN_PASSWORD" \
  -d "grant_type=password"
```

You will get a JSON response with the admin's token. Extract the value of property `access_token` from that response. Let us save it in the variable `$ACCESS_TOKEN` for later reference.

To get the user attributes from your realm `$REALM_NAME`:

```bash
# The URL is quoted so the shell does not treat "&" as the background operator
curl -X GET "https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/?username=${USERNAME}&exact=true" \
  -H "Content-Type: application/json" \
  -H "Authorization: bearer $ACCESS_TOKEN"
```

From the response extract the user `attributes`, for example as follows:

```bash
jq -r '.[].attributes'
```

To retrieve custom user attributes via the `userinfo` endpoint you need to create a protocol Mapper for the client used to authenticate the user.

That mapper can also be created with the Keycloak Admin rest API. For a more detailed answer on how to create Protocol Mappers for user-attributes (including for the old and new Keycloak APIs) please have a look at this SO answer.

Or you can do it via Keycloak Admin UI as follows, in the Keycloak go to:

- Select your `realm`
- Go to `clients`
- Select the appropriate `client` for your use-case

(For the OLD Keycloak UI)

- Go to `Mappers`
- Click `Create`
- Select `Mapper Type` as `User Attribute`
- Fill up the field `User Attribute` with your custom user attribute
- Set to be added to the `userinfo` endpoint
- Fill up the remaining fields, accordingly
- Click on `Save`

(For the NEW Keycloak UI)

- Go to the tab `Client Scopes`
- Click on the scope `<the client ID of your client>-dedicated` (e.g., `test-dedicated` in my example)
- Click on `Configure a new mapper` (or `Add Mapper` > `By configuration` if you have already created mappers before for this client)
- Select `User Attribute`
- Fill up the field `User Attribute` with your custom user attribute
- Set to be added to the `userinfo` endpoint
- Fill up the remaining fields, accordingly
- Click on `Save`

This is enough to enable `your custom user attribute` to be retrieved from the `userinfo` endpoint.
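An added example, not part of the original answer: a Python version of the lookup above that returns attributes only when exactly one user matches, together with the JSON payload for a User Attribute mapper that exposes the claim on `userinfo` only. The sample response, attribute names, the mapper name and the case-insensitive username comparison are constructed assumptions.

```python
import json
import urllib.parse

# Constructed sample of the array returned by GET /admin/realms/{realm}/users
SAMPLE_USERS_RESPONSE = json.dumps([
    {"id": "constructed-id-1", "username": "foo@example.com",
     "attributes": {"department": ["security"], "badge": ["A1", "B2"]}},
    {"id": "constructed-id-2", "username": "bar@example.com"},
])


def users_query_url(host, realm, username):
    """Build the exact-match lookup URL with realm and username percent-encoded."""
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    path = f"/auth/admin/realms/{urllib.parse.quote(realm, safe='')}/users"
    return f"https://{host}{path}?{query}"


def extract_attributes(response_body, username):
    """Return the attribute map of the single user matching `username`."""
    users = json.loads(response_body)
    wanted = username.lower()  # assumption: usernames compare case-insensitively
    matches = [u for u in users if u.get("username", "").lower() == wanted]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user, got {len(matches)}")
    # Tolerate a user object without an "attributes" key; values are lists.
    return matches[0].get("attributes", {})


def userinfo_attribute_mapper(attribute, claim_name=None):
    """Body for POST .../clients/{id}/protocol-mappers/models (userinfo only)."""
    return {
        "name": f"{attribute}-userinfo",  # hypothetical mapper name
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "config": {
            "user.attribute": attribute,
            "claim.name": claim_name or attribute,
            "jsonType.label": "String",
            "userinfo.token.claim": "true",
            # Keep the attribute out of tokens that travel to other services.
            "id.token.claim": "false",
            "access.token.claim": "false",
        },
    }
```

The one-match check matters when `exact=true` is dropped, because a piped `jq '.[].attributes'` would then print the attributes of every user the search returns.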