I would like to update (and ideally create) the federatedIdentities attribute of a user using the Admin Rest API, but it seems like this does not work / or it is not supported? I am able to update normal user attributes but not the federatedIdentities. Is this a bug or is it supposed to be like this? Is there a different way to do this? (Of course I could do an insert into, in the database, but I would prefer to use the api...). I need to run this for more than 200 users... My code: https://github.com/ddtxra/python-console-keycloak-example/blob/master/adm... _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi Daniel, That's what you can do with federated identities currently: GET /auth/admin/realms/{realm}/users/{user}/federated-identity - list federated identities configured for the user POST /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - create a new federated identity DELETE /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - remove federated identity https://github.com/keycloak/keycloak/blob/master/services/ src/main/java/org/keycloak/services/resources/admin/UserResource.java#L363 Updating federated entities with PUT is not supported yet. Feel free to file an RFE in JIRA for that. Meanwhile, you can implement this missing piece as a custom REST resource and deploy it to your Keycloak. If I remember correctly, you should be already familiar with the process :) Good luck! Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro On Tue, 2018-07-31 at 17:41 +0200, Daniel Teixeira wrote: > I would like to update (and ideally create) the federatedIdentities > attribute of a user using the Admin Rest API, but it seems like this does > not work / or it is not supported? > > I am able to update normal user attributes but not the federatedIdentities. > > Is this a bug or is it supposed to be like this? > > Is there a different way to do this? (Of course I could do an insert into, > in the database, but I would prefer to use the api...). I need to run this > for more than 200 users... > > My code: > https://github.com/ddtxra/python-console-keycloak- example/blob/master/admin-rest-api-update-user.py > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi Daniel, On Wed, 2018-08-01 at 11:32 +0200, Daniel Teixeira wrote: > Wonderful, thank you! I should have read better the docs. > Yes you remember correctly Dmitry, I am familiar with creating a custom module now :) You're welcome :) > Thanks for the trick with Firebug Marek. It will be useful in the future :) Actually I tried that trick, on the "account" interface, but the "account" interface does not use a rest api, correct? I hope Marek forgives me if I answer on his behalf :) well, Account actually uses REST endpoint, but it not a part of Admin REST API. The endpoint lives in org.keycloak.services.resources.account.AccountRestService (keycloak-services module), so you can examine it. > For example I don't want the user to update its password / firstName / lastName (because those fields come from LDAP) and I wanted to double-check if commenting / disabling those fields on custom ftl templates is enough or do I need to disable / comment something on the backend as well? On realm settings -> login. There is only the option "edit username", but no option for "edit firstName / edit lastName / edit password".... From the AccountRestService code we can deduce that there is no way ATM to selectively disable updating firstName / lastName / password. But do I get it right that you simply want a read-only version of the Account GUI? Then I think there is a solution for your case, let me know. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro > > > > On Tue, Jul 31, 2018 at 10:38 PM, Dmitry Telegin <dt(a)acutus.pro&gt; wrote: > > Hi Daniel, > > > > That's what you can do with federated identities currently: > > > > GET /auth/admin/realms/{realm}/users/{user}/federated-identity - list federated identities configured for the user > > POST /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - create a new federated identity > > DELETE /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - remove federated identity > > > > https://github.com/keycloak/keycloak/blob/master/services/ src/main/java/org/keycloak/services/resources/admin/UserResource.java#L363 > > > > Updating federated entities with PUT is not supported yet. Feel free to > > file an RFE in JIRA for that. > > > > Meanwhile, you can implement this missing piece as a custom REST > > resource and deploy it to your Keycloak. If I remember correctly, you > > should be already familiar with the process :) > > > > Good luck! > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info(a)acutus.pro > > > > On Tue, 2018-07-31 at 17:41 +0200, Daniel Teixeira wrote: > > > I would like to update (and ideally create) the federatedIdentities > > > attribute of a user using the Admin Rest API, but it seems like this does > > > not work / or it is not supported? > > > > > > I am able to update normal user attributes but not the federatedIdentities. > > > > > > Is this a bug or is it supposed to be like this? > > > > > > Is there a different way to do this? (Of course I could do an insert into, > > > in the database, but I would prefer to use the api...). I need to run this > > > for more than 200 users... > > > > > > My code: > > > https://github.com/ddtxra/python-console-keycloak- example/blob/master/admin-rest-api-update-user.py > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > Daniel Teixeira

Hi Daniel, Some clarifications on the roles: > * view-profile - retrive the user profile (produces json) > * manage-account - management the account (produces html, and consumes forms) http://lists.jboss.org/pipermail/keycloak-dev/2013-November/000678.html So you can revoke manage-account, but leave view-profile, thus the user will be able to retrieve profile data as JSON. As the next step, you will need to deploy some UI to render that JSON. This could be a simple page, or you can borrow the whole "account" interface and turn it into a r/o version. Good luck! Dmitry On Fri, 2018-08-03 at 00:03 +0200, Daniel Teixeira wrote: > Hello Dmitry, > Yes you are completely right: > For the moment, our requirements is that that the user can see but not update the user fields in the account interface. > I have also tried to remove the role 'manage-account' for the user but keep the role 'view-profile'. But if I do this, the user gets a page that says "We are sorry, no access" if he tries to go to: {keycloakurl}/auth/realms/{realm-name}/account/ > Do you have another suggestion? > Thanks very much for your help! > Daniel > > > > On Thu, Aug 2, 2018 at 2:36 AM, Dmitry Telegin <dt(a)acutus.pro&gt; wrote: > > Hi Daniel, > > > > On Wed, 2018-08-01 at 11:32 +0200, Daniel Teixeira wrote: > > > Wonderful, thank you! I should have read better the docs. > > > Yes you remember correctly Dmitry, I am familiar with creating a custom module now :) > > > > You're welcome :) > > > > > Thanks for the trick with Firebug Marek. It will be useful in the future :) Actually I tried that trick, on the "account" interface, but the "account" interface does not use a rest api, correct? > > > > I hope Marek forgives me if I answer on his behalf :) well, Account actually uses REST endpoint, but it not a part of Admin REST API. > > The endpoint lives in org.keycloak.services.resources.account.AccountRestService (keycloak-services module), so you can examine it. > > > > > For example I don't want the user to update its password / firstName / lastName (because those fields come from LDAP) and I wanted to double-check if commenting / disabling those fields on custom ftl templates is enough or do I need to disable / comment something on the backend as well? On realm settings -> login. There is only the option "edit username", but no option for "edit firstName / edit lastName / edit password".... > > > > From the AccountRestService code we can deduce that there is no way ATM to selectively disable updating firstName / lastName / password. > > > > But do I get it right that you simply want a read-only version of the Account GUI? Then I think there is a solution for your case, let me know. > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info(a)acutus.pro > > > > > > > > > > > > > > On Tue, Jul 31, 2018 at 10:38 PM, Dmitry Telegin < dt(a)acutus.pro&gt; wrote: > > > > Hi Daniel, > > > > > > > > That's what you can do with federated identities currently: > > > > > > > > GET /auth/admin/realms/{realm}/users/{user}/federated-identity - list federated identities configured for the user > > > > POST /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - create a new federated identity > > > > DELETE /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - remove federated identity > > > > > > > > https://github.com/keycloak/keycloak/blob/master/services/ src/main/java/org/keycloak/services/resources/admin/UserResource.java#L363 > > > > > > > > Updating federated entities with PUT is not supported yet. Feel free to > > > > file an RFE in JIRA for that. > > > > > > > > Meanwhile, you can implement this missing piece as a custom REST > > > > resource and deploy it to your Keycloak. If I remember correctly, you > > > > should be already familiar with the process :) > > > > > > > > Good luck! > > > > Dmitry Telegin > > > > CTO, Acutus s.r.o. > > > > Keycloak Consulting and Training > > > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > > +42 (022) 888-30-71 > > > > E-mail: info(a)acutus.pro > > > > > > > > On Tue, 2018-07-31 at 17:41 +0200, Daniel Teixeira wrote: > > > > > I would like to update (and ideally create) the federatedIdentities > > > > > attribute of a user using the Admin Rest API, but it seems like this does > > > > > not work / or it is not supported? > > > > > > > > > > I am able to update normal user attributes but not the federatedIdentities. > > > > > > > > > > Is this a bug or is it supposed to be like this? > > > > > > > > > > Is there a different way to do this? (Of course I could do an insert into, > > > > > in the database, but I would prefer to use the api...). I need to run this > > > > > for more than 200 users... > > > > > > > > > > My code: > > > > > https://github.com/ddtxra/python-console-keycloak- example/blob/master/admin-rest-api-update-user.py > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user(a)lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > -- > > > Daniel Teixeira > > > > > > -- > Daniel Teixeira