"Service Account Role" section using the Keycloak Admin REST API

Question

I want to assign a custom role (ca_boarding_administrator_role) in the "Service Account Role" section using the Keycloak Admin REST API.

My client (cq-boarding-client) has the access type "confidential".

My goal is to have it available in the access_token under the realm_access.roles claim.

This documentation describes how to accomplish this in using the web UI. In my case I am trying to automate using the Admin REST API: https://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts

Answer 1

By taking a closer look at the Keycloak Resource Models I realized that for each confidential Client also a User is created. By adding the desired role to the realmRoles attribute of the User does the trick.

In case anybody is interested, I included my nodejs script to automate it: service-account-role-mappings.js

For additional reference:

• https://github.com/keycloak/keycloak-nodejs-admin-client
• https://www.keycloak.org/docs-api/11.0/rest-api/index.html#_userrepresentation