Unable to assign realm Role to a newly created Keycloak User via Admin REST API

Question

Step 1. Get Access Token:

curl --location --request POST 'https://localhost/auth/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-url## Heading ##encoded' \
--data-urlencode 'username=*******' \
--data-urlencode 'password=*******' \a
--data-urlencode 'grant_type=*******' \
--data-urlencode 'client_id=*******'

Step 2. Create user and assign a role:

curl --location --request POST 'https://localhost/auth/admin/realms/MyRealm/users' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJKZFVORmNDU19rWjdvZ3ZFSkI4VXZpMTNRb2hKbnh2VW9oeVpieXg2Vld3In0.eyJqdGkiOiI4OGQ4Njk4NC04OGNjLTQzNzAtYWExMC00MTBkYWY5OGY0ODciLCJleHAiOjE1ODQ5NDA2MTYsIm5iZiI6MCwiaWF0IjoxNTg0OTQwNTU2LCJpc3MiOiJodHRwczovL2lkLmRldi1wcm90b24uaXRlcjIwMDQubGFiLmVoZWFsdGguZXhjaGFuZ2UvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiYzI5YjQzMGItMWZlNC00NzJhLWFjYTMtMzgzYTkxNTNmM2RjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiNzMyOGUyMDItNzQyZC00ZTdkLTgwMWUtY2UyNGQ1NWUyZDZjIiwiYWNyIjoiMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.brCZauRzLeoAHvxtgJy6PYwZhbInVfbLA6HF7YHmwuGzoDoexj97P1s03r2G5bzYUkL93sejEFT5AkPeoZ0gpzHY3IsG3UF7Q9Qvk3t5c08CcAqOn4czhYYV91fwwBWMgTv4sQh0D-_bSq0OtI5g9Ojo0sHzxleYEUW8UYdFsQ_JvpOnZEM87CzUhBqsDDnQ4kPslOaaG2q5PPY3ccNKHexE0UkxjtOeUoIn6tdf-0Yqwc55JCMzWOZmt3pFqWKfm3-VZX5lT0UTL9ktrrLfFTIMfZb-Lmyp2g3_s_juUpkbgPpBPHgh6IGS6XaOnxgseq1Vz4h6pZ_A0O60Z8R5-w' \
--data-raw '{
  "username": "ayman",
  "enabled": true,
  "email": " aymanvirtual@gmail.com",
  "firstName": "ayman",
  "lastName": "ayman",
  "emailVerified":true,
  "credentials": [
    {
      "type": "password",
      "value": "ayman"
    }
  ],
  "realmRoles": [
    "test-role"
  ]
}'

Step 3. Get user details

curl --location --request GET 'https://localhost/auth/admin/realms/MyRealm/users/d3bbe900-c7b3-49c5-9414-28f9433d3fc1' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJKZFVORmNDU19rWjdvZ3ZFSkI4VXZpMTNRb2hKbnh2VW9oeVpieXg2Vld3In0.eyJqdGkiOiJkMjgzYzA2NS1hMmJjLTQwNDctOWQ0MC01NWI4Nzg5YmNkNGUiLCJleHAiOjE1ODQ5NTM2NDgsIm5iZiI6MCwiaWF0IjoxNTg0OTUzNTg4LCJpc3MiOiJodHRwczovL2lkLmRldi1wcm90b24uaXRlcjIwMDQubGFiLmVoZWFsdGguZXhjaGFuZ2UvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiYzI5YjQzMGItMWZlNC00NzJhLWFjYTMtMzgzYTkxNTNmM2RjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiNjhmYmQ1YWQtMTkwMC00MzgyLThiMmYtYjhlYjExOTA4YmFhIiwiYWNyIjoiMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.KmWR31pAR4Tl3Mad7awvqeK8np3x5qaPL1tYWAPLDdYaT4nLzpGblmPOBNzYIaEdhs9iwGEmES5_VzrI4C7xUVsY-Zq4jl8iPYP7IawzqgXyrTVuvAO_DLdgdVRKidTT6I-Eh1F87AV14-pOf0GXQ4wnQl5qGl5S6XUTJkegx8eGCg5Qp-zAdHOkxvPL3KRtpgwJx5QCvce-1-wW5Fckk3a-61vXA-o9jUDnJGWTYUyAssVD8zRUs-hhAms1PoR4nW1tCd_9J7xiWmr2hN0-pHY-u5PjNlrxCyOx-3pkRzworZ9e2i0ff0x2dcivpzyDfqe__sdsLVQsiiD1S7ViHw'

Problem:
The user is successfully created but it is not assigned a role (realmRole). After some more research I found that this behaviour is due to a bug in keycloak API (stack overflow issue).

Is there any way to create a user and assign a realm role to it?

Update:

According to some answers, we can use role mappers API calls to map a role to a user. Documentation about those operations: https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_role_mapper_resource

POST /{realm}/groups/{id}/role-mappings/realm

What are the groups in the above URL?

Answer 1

This url: POST /{realm}/groups/{id}/role-mappings/realm is used to assign a realm role to a group where {id} is the group id.

To assign a realm role to a user, use:

# Get the role lists
GET /{realm}/roles

# Get the user lists
GET /{realm}/users

# Assign your role to user
POST /{realm}/users/{userId}/role-mappings/realm
body :[{id: roleId, name: roleName]

your request could be:

curl --location --request POST 'https://localhost/auth/admin/realms/MyRealm/users/MyUserId/role-mappings/realm' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJKZFVORmNDU19rWjdvZ3ZFSkI4VXZpMTNRb2hKbnh2VW9oeVpieXg2Vld3In0.eyJqdGkiOiI4OGQ4Njk4NC04OGNjLTQzNzAtYWExMC00MTBkYWY5OGY0ODciLCJleHAiOjE1ODQ5NDA2MTYsIm5iZiI6MCwiaWF0IjoxNTg0OTQwNTU2LCJpc3MiOiJodHRwczovL2lkLmRldi1wcm90b24uaXRlcjIwMDQubGFiLmVoZWFsdGguZXhjaGFuZ2UvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiYzI5YjQzMGItMWZlNC00NzJhLWFjYTMtMzgzYTkxNTNmM2RjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiNzMyOGUyMDItNzQyZC00ZTdkLTgwMWUtY2UyNGQ1NWUyZDZjIiwiYWNyIjoiMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.brCZauRzLeoAHvxtgJy6PYwZhbInVfbLA6HF7YHmwuGzoDoexj97P1s03r2G5bzYUkL93sejEFT5AkPeoZ0gpzHY3IsG3UF7Q9Qvk3t5c08CcAqOn4czhYYV91fwwBWMgTv4sQh0D-_bSq0OtI5g9Ojo0sHzxleYEUW8UYdFsQ_JvpOnZEM87CzUhBqsDDnQ4kPslOaaG2q5PPY3ccNKHexE0UkxjtOeUoIn6tdf-0Yqwc55JCMzWOZmt3pFqWKfm3-VZX5lT0UTL9ktrrLfFTIMfZb-Lmyp2g3_s_juUpkbgPpBPHgh6IGS6XaOnxgseq1Vz4h6pZ_A0O60Z8R5-w' \
-d '[
  {
        "id": "12345678-1234-5678-1234-567812345678",
        "name": "admin"
  }
]'

Answer 2

I've faced the same issue and corrected it by using a GROUP, Basically, I've added the preferred ROLE into the User Groups ROLE LIST and used that specific user group while creating the user via REST API.

Eg:- ADMIN_USER_GROUP -> INCLUDED ('ADMIN_ROLE')

Then User creation API Request should be like below,

{
    "firstName": "Sergey",
    "lastName": "Kargopolov",
    "email": "test4@test.com",
    "enabled": "true",
    "credentials": [
        {
            "value": "123"
        }
    ],
    "groups": [
        "ADMIN_USER_GROUP"
    ]
}