How to add Keycloak realm role to group via REST API

Question

I want to assign the realm role "TEST_ROLE_123" to a group, I am using

PUT /admin/realms/ataccamaone/groups/{group-id}
{
"realmRoles":["TEST_ROLE_123"]
}

I got group-id from /admin/realms/ataccamaone/groups/

However I get the response 204 No Content and in the Keycloak console I do not see the assignment.

Answer 1

I tried to reproduce your problem and find that PUT /admin/realms/ataccamaone/groups/{group-id} can only edit group name.

Inspect into "Network" tab of browser, I see it uses another URL to map roles to groups. And steps to do this via Admin REST API are:

1. Obtain PAT as described in https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_whatis_obtain_pat section

Following steps use this PAT as Bearer token (in "Authorization" header). I guess you've already got this.

2. Call GET http://localhost:8080/auth/admin/realms/realm1/roles to get list of roles, including their name and id values.

3. Call GET http://localhost:8080/auth/admin/realms/realm1/groups to get list of groups, including their ids

4. Call POST http://localhost:8080/auth/admin/realms/realm1/groups/{group-id}/role-mappings/realm with following body:

   [
     {
       "id": "9083cac3-4280-497d-b973-7713a5fb12b4",  // role-id
       "name": "secretary"   // role-name
     }
   ] 
   
   

5. Call DELETE with URL and body same as step 4 to remove roles from group.

Answer 2

I've faced same issue and corrected it with using a GROUP, Basically I've added the preferred ROLE into the User Groups ROLE LIST and used that specific user group while creating the user via REST API.

Eg:- ADMIN_USER_GROUP -> INCLUDED ('ADMIN_ROLE')

Then User creation API Request should be like below,

{
    "firstName": "Sergey",
    "lastName": "Kargopolov",
    "email": "test4@test.com",
    "enabled": "true",
    "credentials": [
        {
            "value": "123"
        }
    ],
    "groups": [
        "ADMIN_USER_GROUP"
    ]
}