Keycloak API: How to change associated client roles of a composite role
Question
I want to change the associated client roles in my `admin-sso` role. I can change the associated realm roles but not the client roles.

Let's say I have a client role `realm-management` and I would like to add the role `manage-identity-providers` to the associated roles - how can I do it via API?

I read the Keycloak 11.0 API docs but don't find the right path.

I added a screenshot on how I can do it via admin UI
Answer 1
Score: 1
Update: The `/auth` path was removed starting with the Keycloak 17 Quarkus distribution. So you might need to remove the `/auth` from the endpoint calls presented in this answer.

From a high-level point of view you need to:

- Get an admin access token;
- Get the ID of the `realm-management` client; endpoint `GET /{realm}/clients`
- Get the ID of the `admin-sso` role; endpoint `GET /{realm}/roles/{role-name}`
- Get the information about the `manage-identity-providers` role; endpoint `GET /{realm}/clients/{id}/roles/{role-name}`
- Assign the role `manage-identity-providers` to `admin-sso`; endpoint `POST /{realm}/roles-by-id/{role-id}/composites`
In case others are interested, I have uploaded a bash script on my GitHub repo that (among others) takes a realm role and a client role and assigns the client role to the realm role. So basically it automates the steps that I am about to describe.
Step-by-Step
> I read the Keycloak 11.0 API docs but don't find the right path.
You need to call several endpoints from the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. In this answer, I will be using the `admin` user from the `master` realm.
```bash
# Password grant for the master-realm admin through the built-in admin-cli client
curl "https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token" \
     -d "client_id=admin-cli" \
     -d "username=${ADMIN_NAME}" \
     -d "password=${ADMIN_PASSWORD}" \
     -d "grant_type=password"
```
You get a JSON response with the admin's token. Extract the value of the property `access_token` from that response. Let us save it in the variable named `$ACCESS_TOKEN` for later use.

Now you need to get the ID of the client `realm-management`:
```bash
# Look up the client by its clientId; the response is a JSON array
curl -X GET "https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/clients?clientId=realm-management" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer $ACCESS_TOKEN"
```
From the response extract the ID of the client, e.g., `jq -r .[].id`. Let us say that you saved it in a variable named `$ID_OF_CLIENT`.

Next you need to get the information about the role `admin-sso`:
```bash
# Realm roles are addressed by name under /roles
curl -X GET "https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/roles/admin-sso" \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN"
```
From the response extract the role `id`, e.g., `jq -r .id`. Let us say that you save that content in a variable named `REALM_ROLE_ID`.

Next you need to get the information about the `manage-identity-providers` role as follows:
```bash
# Client roles are addressed by name under the client's UUID
curl -X GET "https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/clients/${ID_OF_CLIENT}/roles/manage-identity-providers" \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN"
```
You will get a JSON response that you need to use in the next API call. For now, let us assume that you save that content in a variable named `$ROLE_JSON`.

Finally, you can now assign the `manage-identity-providers` role to the `admin-sso` role.
```bash
# The body is a JSON array of role representations to add as composites
curl -X POST "https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/roles-by-id/${REALM_ROLE_ID}/composites" \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN" \
     -d "[$ROLE_JSON]"
```
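The five calls of this answer carried end to end in one script, as an added example that is neither part of the answer nor the answerer's GitHub script. It uses only the Python standard library, adds a read-back of `GET /{realm}/roles-by-id/{role-id}/composites` so the script fails loudly when the assignment did not take effect, and assumes Keycloak 17 or later paths (no `/auth`; set `BASE_PATH` for older versions). The `FakeKeycloak` class, its UUIDs and the host name are constructed stand-ins so the example runs offline; pass no `transport` to talk to a real server.

```python
"""Assign a client role to a realm (composite) role via the Keycloak Admin REST API.

Added example, not Keycloak's own client library. Same call sequence as the
answer (token, client lookup, realm role, client role, POST composites) plus a
read-back of the composites. Paths assume Keycloak >= 17 (no /auth prefix).
"""
import json
import urllib.parse
import urllib.request

BASE_PATH = ""  # set to "/auth" for Keycloak < 17


def http_json(method, url, headers, body=None, transport=None):
    """One request, JSON-decoded response (None for empty bodies).
    `transport(method, url, headers, data)` may be injected for offline use;
    otherwise urllib sends the request over the network."""
    data = None if body is None else body.encode()
    if transport is not None:
        return transport(method, url, headers, data)
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def get_admin_token(host, username, password, transport=None):
    """Password grant for the admin user of the master realm (admin-cli client)."""
    form = urllib.parse.urlencode({"client_id": "admin-cli", "username": username,
                                   "password": password, "grant_type": "password"})
    url = f"https://{host}{BASE_PATH}/realms/master/protocol/openid-connect/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return http_json("POST", url, headers, form, transport)["access_token"]


def add_client_role_to_realm_role(host, realm, token, realm_role, client_id, client_role,
                                  transport=None):
    """Make `client_role` of client `client_id` a composite of realm role `realm_role`.
    Returns (realm_role_id, client_role_id) once the read-back confirms the change."""
    admin = f"https://{host}{BASE_PATH}/admin/realms/{realm}"
    hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    # clientId is the human-readable name; the lookup returns an array, insist on one hit.
    clients = http_json("GET", f"{admin}/clients?clientId={urllib.parse.quote(client_id)}",
                        hdr, transport=transport)
    if len(clients) != 1:
        raise LookupError(f"expected exactly one client {client_id!r}, got {len(clients)}")
    client_uuid = clients[0]["id"]
    realm_role_id = http_json("GET", f"{admin}/roles/{realm_role}", hdr,
                              transport=transport)["id"]
    role_json = http_json("GET", f"{admin}/clients/{client_uuid}/roles/{client_role}", hdr,
                          transport=transport)
    # The POST body is a JSON array of role representations, as in the answer's last curl.
    http_json("POST", f"{admin}/roles-by-id/{realm_role_id}/composites", hdr,
              json.dumps([role_json]), transport)
    composites = http_json("GET", f"{admin}/roles-by-id/{realm_role_id}/composites", hdr,
                           transport=transport)
    if not any(r["id"] == role_json["id"] for r in composites):
        raise RuntimeError(f"{client_role} is not a composite of {realm_role} after POST")
    return realm_role_id, role_json["id"]


class FakeKeycloak:
    """Constructed in-memory stand-in for the endpoints used above (offline demo only)."""

    def __init__(self):
        self.clients = {"c-uuid-1": {"id": "c-uuid-1", "clientId": "realm-management"}}
        self.realm_roles = {"admin-sso": {"id": "r-uuid-1", "name": "admin-sso"}}
        self.client_roles = {("c-uuid-1", "manage-identity-providers"):
                             {"id": "cr-uuid-1", "name": "manage-identity-providers",
                              "clientRole": True, "containerId": "c-uuid-1"}}
        self.composites = {"r-uuid-1": []}

    def __call__(self, method, url, headers, data):
        u = urllib.parse.urlsplit(url)
        parts = u.path.strip("/").split("/")
        if method == "POST" and parts[-1] == "token":
            return {"access_token": "constructed-token"}
        if headers.get("Authorization") != "Bearer constructed-token":
            raise PermissionError("401 Unauthorized")  # admin calls need the bearer token
        if parts[-1] == "clients":
            want = urllib.parse.parse_qs(u.query).get("clientId", [None])[0]
            return [c for c in self.clients.values() if want in (None, c["clientId"])]
        if parts[-2] == "roles" and parts[-4] == "clients":
            return self.client_roles[(parts[-3], parts[-1])]
        if parts[-2] == "roles":
            return self.realm_roles[parts[-1]]
        if parts[-1] == "composites":
            if method == "POST":
                self.composites[parts[-2]].extend(json.loads(data))
                return None
            return self.composites[parts[-2]]
        raise ValueError(f"unhandled {method} {u.path}")


def demo():
    """Run the whole sequence against the constructed fake server."""
    fake = FakeKeycloak()
    token = get_admin_token("keycloak.example", "admin", "constructed-password", transport=fake)
    return add_client_role_to_realm_role("keycloak.example", "myrealm", token, "admin-sso",
                                         "realm-management", "manage-identity-providers",
                                         transport=fake)


if __name__ == "__main__":
    print(demo())  # ('r-uuid-1', 'cr-uuid-1')
```

Because a composite realm role silently conveys the client role to every user who already holds it, the read-back step is also a convenient place to log exactly which role was granted to which composite when this runs as part of an automated setup.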
Comments