
Hi, I use the Keycloak API to get users with status enabled: GET /auth/admin/realms/Test/users?enabled=true

It returns users that are not on the user card in Keycloak,

for example: [ {"username": "service-account-test" ...}, {"username": "service-account-test2" ...} ]

How to get rid of it?

dreamcrash
mati2762

2 Answers

The users with the prefix service-account- are automatically created by Keycloak for each client that has the OAuth2 client credentials flow enabled, which is represented in Keycloak by the option Service Accounts Enabled.

Therefore, you can query for the list of clients using the endpoint:

GET /{realm}/clients

and filter it to only get the clients with the field "serviceAccountsEnabled" set to true.

Then you can use that list to filter the users that you do not want, knowing that those users will have the name service-account-clientID where clientID is the clientID of the clients with the service account enabled.

dreamcrash

Just use a blacklist to reduce the returned userlist. The endpoint doesn't support any negated lookup logic (see the endpoint specification).

Example:

Map<String, String> users = /* from REST API - map only as example */ new HashMap<>();
String[] blacklist = {"service-account-test", "service-account-test2"};
for (String blacklistEntry : blacklist) users.remove(blacklistEntry);

The runtime effect on this should be negligible at best.

maio290
  • @dreamcrash You're totally right, my mistake. I'll edit this part out, the solution however should be unaffected by this! – maio290 Apr 20 '21 at 13:04
  • And what if I do not know what services-* will be created in a different environment – mati2762 Apr 20 '21 at 13:08
  • But I can create a user with this prefix – mati2762 Apr 20 '21 at 13:12
  • It really depends on how you actually handle the API's response. You could however query the clients once and then generate the blacklist in a singleton on application startup (I don't know though whether that's a legit use case for you or not!). For the username problem, you could force to use e-mails as username (if it makes sense for your application) and then just query the `users` endpoint for `email=@` and `exact=false`. – maio290 Apr 20 '21 at 13:16
  • @maio290 users with @ in the name would probably solve the problem, but I don't have such users, generating a blacklist when starting the application does not solve my problem – mati2762 Apr 20 '21 at 13:26
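Added example (not from either answer or from Keycloak itself) combining the two approaches above: the blacklist of the second answer is generated from the clients list as the first answer describes, so it does not depend on knowing the client IDs in advance and does not blindly match the service-account- prefix. The two JSON documents are constructed samples shaped like the responses of GET /{realm}/clients and GET /{realm}/users?enabled=true; in a real deployment they would come from those two admin endpoints.

```python
import json

SERVICE_ACCOUNT_PREFIX = "service-account-"

# Constructed sample response for GET /{realm}/clients (not real Keycloak output).
CLIENTS_JSON = """[
  {"clientId": "test",    "serviceAccountsEnabled": true},
  {"clientId": "test2",   "serviceAccountsEnabled": true},
  {"clientId": "web-app", "serviceAccountsEnabled": false}
]"""

# Constructed sample response for GET /{realm}/users?enabled=true.
# "service-account-web-app" is a human-created user with the prefix
# (the case raised in the comments): it must NOT be filtered out, because
# the client "web-app" has no service account.
USERS_JSON = """[
  {"username": "service-account-test",    "enabled": true},
  {"username": "service-account-test2",   "enabled": true},
  {"username": "service-account-web-app", "enabled": true},
  {"username": "alice",                   "enabled": true}
]"""

CLIENTS = json.loads(CLIENTS_JSON)
USERS = json.loads(USERS_JSON)


def service_account_usernames(clients):
    """Build the blacklist once, e.g. at application startup: Keycloak names the
    service-account user of a client 'service-account-' + clientId, so only
    clients with serviceAccountsEnabled contribute an entry."""
    return {
        SERVICE_ACCOUNT_PREFIX + client["clientId"]
        for client in clients
        if client.get("serviceAccountsEnabled", False)
    }


def filter_service_accounts(users, clients):
    """Drop the users that belong to the generated blacklist and keep the rest,
    preserving the order returned by the users endpoint."""
    blacklist = service_account_usernames(clients)
    return [user for user in users if user["username"] not in blacklist]


if __name__ == "__main__":
    for user in filter_service_accounts(USERS, CLIENTS):
        print(user["username"])
```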