
I'm trying to create a UMS that uses Keycloak's REST API. Some users will be users and others managers. To differentiate them, they'll belong to different groups and they'll inherit a different set of roles.

All of the users will have a custom attribute named locale. What I'm trying to achieve at this point is that every time a manager fetches the list of users using the REST API (e.g. {{keycloak_url}}/admin/realms/{{realm}}/users), only users with the same custom attribute locale should be returned.

example:

Complete list of users:

USERNAME LOCALE
manager1 en
manager2 fr
user1    en
user2    en
user3    fr

manager1 requests the users list expected result:

USERNAME LOCALE
manager1 en
user1    en
user2    en

manager2 requests the users list expected result:

USERNAME LOCALE
manager2 fr
user3    fr

Any suggestions on how to achieve this using Keycloak?

Thanks in advance.

Chris K

2 Answers


Unfortunately, it's not possible. Keycloak does not provide such functionality because it is out of the scope of the SSO definition.

But you are free to implement a custom endpoint that filters users by the locale attribute taken from the manager's token.

You can find code here https://github.com/keycloak/keycloak/tree/master/examples/providers/domain-extension

Documentation
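The custom endpoint this answer describes, written out as an added example (not code from the question, the answer, or the linked Keycloak domain-extension project): a RealmResourceProvider that exposes GET /realms/{realm}/scoped-users and returns only the users whose locale attribute equals the locale on the caller's own account, as resolved from the bearer token. The package name, the realm role name "manager", the provider id "scoped-users" and the javax.ws.rs imports (Keycloak 17-era, matching the docs version cited on this page) are assumptions. The point a reviewer would look for is that the filter value never comes from the request: it is read from the authenticated user, so a manager cannot widen the result set by editing a query parameter, which is the concern the asker raised about the q parameter.

```java
// Added example, not part of the original Q&A. Package, role name and
// provider id are hypothetical. Targets Keycloak 17 (javax.ws.rs).
package com.example.keycloak;

import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

public class ScopedUsersResourceProvider implements RealmResourceProvider {

    private static final String LOCALE_ATTR = "locale";   // attribute name from the question
    private static final String MANAGER_ROLE = "manager"; // hypothetical realm role

    private final KeycloakSession session;

    public ScopedUsersResourceProvider(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public Object getResource() {
        return this; // JAX-RS resource served at /realms/{realm}/scoped-users
    }

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public List<Map<String, String>> listUsersInCallerLocale() {
        RealmModel realm = session.getContext().getRealm();

        // Validate the bearer token against this realm; null means missing or invalid token.
        AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
        if (auth == null) {
            throw new NotAuthorizedException("Bearer");
        }
        UserModel caller = auth.getUser();

        // Only holders of the manager role may list users at all.
        RoleModel managerRole = realm.getRole(MANAGER_ROLE);
        if (managerRole == null || !caller.hasRole(managerRole)) {
            throw new ForbiddenException();
        }

        // The filter value is taken from the caller's own account, never from the
        // request, so the caller cannot choose which locale they get to see.
        String callerLocale = caller.getFirstAttribute(LOCALE_ATTR);
        if (callerLocale == null || callerLocale.isEmpty()) {
            throw new ForbiddenException(); // a manager without a locale sees nobody
        }

        // Server-side attribute search: only users with locale == callerLocale are loaded.
        return session.users()
                .searchForUserByUserAttributeStream(realm, LOCALE_ATTR, callerLocale)
                .map(u -> Map.of("username", u.getUsername(), LOCALE_ATTR, callerLocale))
                .collect(Collectors.toList());
    }

    @Override
    public void close() { }

    // Register in META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory
    // with the binary name com.example.keycloak.ScopedUsersResourceProvider$Factory
    public static class Factory implements RealmResourceProviderFactory {
        @Override public String getId() { return "scoped-users"; } // path segment under /realms/{realm}/

        @Override public RealmResourceProvider create(KeycloakSession session) {
            return new ScopedUsersResourceProvider(session);
        }

        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

With the jar deployed, manager1 from the question's table calling GET {{keycloak_url}}/realms/{{realm}}/scoped-users with its own access token gets manager1, user1 and user2, and manager2 gets manager2 and user3; neither can obtain the other set by changing the request. Note that custom realm resources are mounted under /realms/{realm}/, not under the /admin/realms/{realm}/users path from the question, and that the Admin REST API itself still needs its usual view-users permissions managed separately.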


You can obtain it with https://www.keycloak.org/docs-api/17.0/rest-api/index.html#_users_resource

putting "q" in the string, like this:

https://localhost/admin/realms/{realm}/users?q=locale:

This will return what you need.

saga56
  • Thank you for your answer. My initial question was about hitting the `{{keycloak_url}}/admin/realms/{{realm}}/users` API and filtering by custom attribute on Keycloak's side without using the `q` parameter (mostly for security reasons). – Chris K Jun 06 '22 at 07:03