Keycloak / KEYCLOAK-13223

realmRoles, clientRoles can't be set or modified via REST API

    Details

    • Steps to Reproduce:
      Run the above example with a Keycloak instance and realm already set up
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      When creating or updating groups via the 9.0.0 REST API, setting realmRoles and clientRoles doesn't work as expected. The following example demonstrates this issue:

      # Load .env variables into script
      if [ -f .env ]
      then
        set -o allexport
        source .env
        set +o allexport
      fi
      
      # Connection
      TOKEN_API="http://${KEYCLOAK_HOST}:${KEYCLOAK_PORT}/auth/realms/master/protocol/openid-connect/token";
      KEYCLOAK_API="http://${KEYCLOAK_HOST}:${KEYCLOAK_PORT}/auth/admin/realms/"
      
      # Get auth token
      # --data-urlencode keeps credentials containing &, = or + intact
      export TKN=$(curl -s -X POST "$TOKEN_API" \
       -H "Content-Type: application/x-www-form-urlencoded" \
       --data-urlencode "username=$KEYCLOAK_ADMIN" \
       --data-urlencode "password=$KEYCLOAK_ADMIN_PASSWORD" \
       -d 'grant_type=password' \
       -d 'client_id=admin-cli' | jq -r '.access_token')
      
      # Create roles
      realm_role() {
        echo "Creating realm role: $1, $2";
        json='
        {
          "name": "'"$1"'",
          "description": "'"$2"'"
        }'
        echo "$json" | curl -s -X POST "${KEYCLOAK_API}${REALM}/roles" \
            -d @- \
            -H "Content-Type: application/json" \
            -H "Accept: application/json" \
            -H "Authorization: Bearer $TKN" | jq .
      }
      
      realm_role "test_role" "Some test role"
      realm_role "another_role" "Another test role"
      
      # Create group
      json='
      {
        "name": "groupTest",
        "realmRoles": ["test_role", "another_role"]
      }'
      echo "$json" | curl -s -X POST "${KEYCLOAK_API}${REALM}/groups" \
          -d @- \
          -H "Content-Type: application/json" \
          -H "Accept: application/json" \
          -H "Authorization: Bearer $TKN" | jq .
      
      NEW_GROUP_ID="..."
      
      # Debug group: fetch it back by ID (a GET needs no request body)
      curl -s -X GET "${KEYCLOAK_API}${REALM}/groups/$NEW_GROUP_ID" \
          -H "Accept: application/json" \
          -H "Authorization: Bearer $TKN" | jq .
      
      # Example log. Notice realmRoles are empty :(
      # {
      #   "id": "38c43abe-3851-46f1-b80c-98c9c4faf434",
      #   "name": "groupTest",
      #   "path": "/groupTest",
      #   "attributes": {},
      #   "realmRoles": [],
      #   "clientRoles": {},
      #   "subGroups": [],
      #   "access": {
      #     "view": true,
      #     "manage": true,
      #     "manageMembership": true
      #   }
      # }
      

              People

              • Assignee:
                Unassigned
                Reporter:
                cramatt Matt Miller