Keycloak API: 如何更改复合角色的关联客户端角色

huangapple go评论73阅读模式
英文:

Keycloak API: How to change associated client roles of a composite role

问题

我想要更改我的admin-sso角色中的关联客户端角色。我可以更改关联的realm角色,但无法更改客户端角色。

假设我有一个客户端角色realm-management,我想将角色manage-identity-provider添加到关联角色中 - 通过API该如何操作?

我阅读了Keycloak 11.0 API文档,但找不到正确的路径。

我在下面的屏幕截图中展示了通过管理界面如何操作:

Keycloak API: 如何更改复合角色的关联客户端角色

英文:

I want to change the associated client roles in my admin-sso role. I can change the associated realm roles but not the client roles.

Let's say I have a client role realm-management and I would like to add the role manage-identity-provider to the associated roles - how can I do it via. API?

I read the Keycloak 11.0 API docs but don't find the right path.

I added a screenshot on how I can do it via admin UI

Keycloak API: 如何更改复合角色的关联客户端角色

答案1

得分: 1

更新:Keycloak 17 Quarkus distribution开始,已移除/auth路径。因此,可能需要从此答案中的终端调用中删除/auth

从高层次来看,你需要:


如果其他人感兴趣,我在我的GitHub仓库上上传了一个bash脚本,该脚本(其中之一)接受一个realm角色和一个客户端角色,并将客户端角色分配给realm角色。所以基本上它自动执行了我即将描述的步骤。


逐步进行

> 我阅读了Keycloak 11.0 API文档,但找不到正确的路径。

你需要调用Keycloak Admin REST API中的多个终端;要调用该API,你需要一个具有适当权限的用户的访问令牌。在这个答案中,我将使用master realm中的admin用户。

curl “https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token” \
    -d "client_id=admin-cli" \
    -d "username=${ADMIN_NAME}\
    -d "password=${ADMIN_PASSWORD}" \
    -d "grant_type=password"

你会得到一个包含管理员令牌的JSON响应。从该响应中提取属性access_token的值。我们将它保存在名为$ACCESS_TOKEN的变量中以备后用。

现在你需要获取客户端realm-managementID

curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/clients?clientId=realm-management \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer $ACCESS_TOKEN"

从响应中提取客户端的ID例如,使用jq -r .[].id。我们假设你将其保存在名为$ID_OF_CLIENT的变量中。

接下来,你需要获取有关角色'admin-sso'的信息:

curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/roles/admin-sso \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN"

从响应中提取角色的id例如,使用jq -r .id。我们假设你将该内容保存在名为REALM_ROLE_ID的变量中。

接下来,你需要获取有关manage-identity-providers角色的信息,如下所示:

curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/clients/$ID_OF_CLIENT/roles/manage-identity-providers \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN"

你将得到一个json响应,需要在下一次API调用中使用。现在,我们假设你将该内容保存在名为$ROLE_JSON的变量中。

最后,你现在可以将manage-identity-providers角色分配给admin-sso角色。

curl -X POST https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/roles-by-id/$REALM_ROLE_ID/composites \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN" \
     -d "[$ROLE_JSON]"
英文:

Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.


From a high-level point of view you need to:


In case others are interested, I have uploaded a bash script on my GitHub repo that (among others) takes a realm role and a client role and assigns the client role to the realm role. So basically it automatizes the steps that I am about to describe.


Step-by-Step

> I read the Keycloak 11.0 API docs but don't find the right path.

You need to call several endpoints from the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. In this answer, I will be using the admin user from the master realm.

curl “https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token” \
    -d "client_id=admin-cli" \
    -d "username=${ADMIN_NAME}\
    -d "password=${ADMIN_PASSWORD}" \
    -d "grant_type=password"

You get a JSON response with the admin's token. Extract the value of property access_token from that response. Let us save it in the variable named $ACCESS_TOKEN for later use.

Now you need to get the ID of the client realm-management

curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/clients?clientId=realm-management \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer $ACCESS_TOKEN"

From the response extract the ID of the client, e.g., jq -r .[].id. Let us say that you saved on a variable named $ID_OF_CLIENT.

Next you need to get the information about the role 'admin-sso':

curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/roles/admin-sso \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN"

From the response extract the role id, e.g., jq -r .id. Let us say that you save that content in the a variable named REALM_ROLE_ID.

Next you need to get the information about the manage-identity-providers role as follows:

curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/clients/$ID_OF_CLIENT/roles/manage-identity-providers \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN"

You will get a json response that you need to use in the next API call. For now, let us assume that you save that content in a variable named $ROLE_JSON.

Finally, you can now assign the manage-identity-providers role to the admin-sso role.

curl -X POST https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/roles-by-id/$REALM_ROLE_ID/composites \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN" \
     -d "[$ROLE_JSON]"

huangapple
  • 本文由 发表于 2023年3月7日 19:54:24
  • 转载请务必保留本文链接:https://go.coder-hub.com/75661660.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定