[keycloak-user] Keycloak Admin REST API not updating user.federatedIdentities attribute
Daniel Teixeira
ddtxra at gmail.com
Mon Aug 6 16:05:58 EDT 2018
Thanks again for your help Dmitry!
On Mon, Aug 6, 2018 at 10:57 AM, Dmitry Telegin <dt at acutus.pro> wrote:
> Hi Daniel,
>
> Some clarifications on the roles:
>
> > * view-profile - retrive the user profile (produces json)
> > * manage-account - management the account (produces html, and consumes
> forms)
>
> http://lists.jboss.org/pipermail/keycloak-dev/2013-November/000678.html
>
> So you can revoke manage-account, but leave view-profile, thus the user
> will be able to retrieve profile data as JSON.
>
> As the next step, you will need to deploy some UI to render that JSON.
> This could be a simple page, or you can borrow the whole "account"
> interface and turn it into a r/o version.
>
> Good luck!
> Dmitry
>
> On Fri, 2018-08-03 at 00:03 +0200, Daniel Teixeira wrote:
> > Hello Dmitry,
> > Yes you are completely right:
> > For the moment, our requirements is that that the user can see but not
> update the user fields in the account interface.
> > I have also tried to remove the role 'manage-account' for the user but
> keep the role 'view-profile'. But if I do this, the user gets a page that
> says "We are sorry, no access" if he tries to go to:
> {keycloakurl}/auth/realms/{realm-name}/account/
> > Do you have another suggestion?
> > Thanks very much for your help!
> > Daniel
> >
> >
> > > On Thu, Aug 2, 2018 at 2:36 AM, Dmitry Telegin <dt at acutus.pro> wrote:
> > > Hi Daniel,
> > >
> > > On Wed, 2018-08-01 at 11:32 +0200, Daniel Teixeira wrote:
> > > > Wonderful, thank you! I should have read better the docs.
> > > > Yes you remember correctly Dmitry, I am familiar with creating a
> custom module now :)
> > >
> > > You're welcome :)
> > >
> > > > Thanks for the trick with Firebug Marek. It will be useful in the
> future :) Actually I tried that trick, on the "account" interface, but the
> "account" interface does not use a rest api, correct?
> > >
> > > I hope Marek forgives me if I answer on his behalf :) well, Account
> actually uses REST endpoint, but it not a part of Admin REST API.
> > > The endpoint lives in org.keycloak.services.resources.account.AccountRestService
> (keycloak-services module), so you can examine it.
> > >
> > > > For example I don't want the user to update its password / firstName
> / lastName (because those fields come from LDAP) and I wanted to
> double-check if commenting / disabling those fields on custom ftl
> templates is enough or do I need to disable / comment something on the
> backend as well? On realm settings -> login. There is only the option "edit
> username", but no option for "edit firstName / edit lastName / edit
> password"....
> > >
> > > From the AccountRestService code we can deduce that there is no way
> ATM to selectively disable updating firstName / lastName / password.
> > >
> > > But do I get it right that you simply want a read-only version of the
> Account GUI? Then I think there is a solution for your case, let me know.
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > >
> > > >
> > > > > > > On Tue, Jul 31, 2018 at 10:38 PM, Dmitry Telegin <
> dt at acutus.pro> wrote:
> > > > > Hi Daniel,
> > > > >
> > > > > That's what you can do with federated identities currently:
> > > > >
> > > > > GET /auth/admin/realms/{realm}/users/{user}/federated-identity -
> list federated identities configured for the user
> > > > > POST /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider}
> - create a new federated identity
> > > > > DELETE /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider}
> - remove federated identity
> > > > >
> > > > > https://github.com/keycloak/keycloak/blob/master/services/
> src/main/java/org/keycloak/services/resources/admin/UserResource.java#L363
> > > > >
> > > > > Updating federated entities with PUT is not supported yet. Feel
> free to
> > > > > file an RFE in JIRA for that.
> > > > >
> > > > > Meanwhile, you can implement this missing piece as a custom REST
> > > > > resource and deploy it to your Keycloak. If I remember correctly,
> you
> > > > > should be already familiar with the process :)
> > > > >
> > > > > Good luck!
> > > > > Dmitry Telegin
> > > > > CTO, Acutus s.r.o.
> > > > > Keycloak Consulting and Training
> > > > >
> > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > +42 (022) 888-30-71
> > > > > E-mail: info at acutus.pro
> > > > >
> > > > > On Tue, 2018-07-31 at 17:41 +0200, Daniel Teixeira wrote:
> > > > > > I would like to update (and ideally create) the
> federatedIdentities
> > > > > > attribute of a user using the Admin Rest API, but it seems like
> this does
> > > > > > not work / or it is not supported?
> > > > > >
> > > > > > I am able to update normal user attributes but not the
> federatedIdentities.
> > > > > >
> > > > > > Is this a bug or is it supposed to be like this?
> > > > > >
> > > > > > Is there a different way to do this? (Of course I could do an
> insert into,
> > > > > > in the database, but I would prefer to use the api...). I need
> to run this
> > > > > > for more than 200 users...
> > > > > >
> > > > > > My code:
> > > > > > https://github.com/ddtxra/python-console-keycloak-
> example/blob/master/admin-rest-api-update-user.py
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Daniel Teixeira
> > >
> >
> >
> >
> > --
> > Daniel Teixeira
>
--
Daniel Teixeira
More information about the keycloak-user
mailing list