Keycloak API: How to change associated client roles of a composite role

I want to change the associated client roles in my admin-sso role. I can change the associated realm roles but not the client roles.

Let's say I have a client role realm-management and I would like to add the role manage-identity-provider to the associated roles - how can I do it via. API?

I read the Keycloak 11.0 API docs but don't find the right path.

I added a screenshot on how I can do it via admin UI

Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.

From a high-level point of view you need to:

• Get admin access token;
• Get the ID of the realm-management client; Endpoint GET /{realm}/clients
• Get the ID of the admin-sso; Endpoint GET/realm/roles/{role-name}
• Get the information about the manage-identity-providers; Endpoint GET /{realm}/clients/{id}/roles/{role-name}
• Assign the role manage-identity-providers to admin-sso; Endpoint POST /{realm}/roles-by-id/{role-id}/composites

In case others are interested, I have uploaded a bash script on my GitHub repo that (among others) takes a realm role and a client role and assigns the client role to the realm role. So basically it automatizes the steps that I am about to describe.

Step-by-Step

> I read the Keycloak 11.0 API docs but don't find the right path.

You need to call several endpoints from the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. In this answer, I will be using the admin user from the master realm.

curl “https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token” \
    -d "client_id=admin-cli" \
    -d "username=${ADMIN_NAME}” \
    -d "password=${ADMIN_PASSWORD}" \
    -d "grant_type=password"

You get a JSON response with the admin's token. Extract the value of property access_token from that response. Let us save it in the variable named $ACCESS_TOKEN for later use.

Now you need to get the ID of the client realm-management

curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/clients?clientId=realm-management \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer $ACCESS_TOKEN"

From the response extract the ID of the client, e.g., jq -r .[].id. Let us say that you saved on a variable named $ID_OF_CLIENT.

Next you need to get the information about the role 'admin-sso':

curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/roles/admin-sso \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN"

From the response extract the role id, e.g., jq -r .id. Let us say that you save that content in the a variable named REALM_ROLE_ID.

Next you need to get the information about the manage-identity-providers role as follows:

curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/clients/$ID_OF_CLIENT/roles/manage-identity-providers \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN"

You will get a json response that you need to use in the next API call. For now, let us assume that you save that content in a variable named $ROLE_JSON.

Finally, you can now assign the manage-identity-providers role to the admin-sso role.

curl -X POST https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/roles-by-id/$REALM_ROLE_ID/composites \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer $ACCESS_TOKEN" \
     -d "[$ROLE_JSON]"