My application should know the user's roles.
It has a clientId/clientSecret pair. Probably I can even enable a service account for this client.
I found the endpoint GET /{realm}/clients/{id}/roles/{role-name}/users
(doc)
But to use this endpoint, the service account must have the realm-management/view-clients (${role_view-clients}) role.
Also, this role allows viewing the secrets of other clients.
But I don't want to leave this application an opportunity to interfere with the work of other clients, so granting this role comes with a lot of responsibility.
So, the question:
How do I get a user's roles (my client's roles) in a safe way?
I've used this script to play with the REST API:
#!/usr/bin/env bash
# sample settings for the test realm and client
KEYCLOAK_HOST=http://localhost:8080
KEYCLOAK_REALM=testrealm
KEYCLOAK_CLIENT_ID=testclient
KEYCLOAK_CLIENT_SECRET=0TNKx16HJ8ITwnh4wzJluzbAWPDn826m
KEYCLOAK_ROLE=testrole1
# get a service-account token with the client credentials grant
ACCESS_TOKEN=$(curl -s -X POST "${KEYCLOAK_HOST}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
  -d "client_id=${KEYCLOAK_CLIENT_ID}" \
  -d "client_secret=${KEYCLOAK_CLIENT_SECRET}" \
  -d 'grant_type=client_credentials' \
  | jq -r '.access_token')
# list all clients
# curl -s -X GET "${KEYCLOAK_HOST}/admin/realms/${KEYCLOAK_REALM}/clients" \
#   -H "Content-Type: application/json" \
#   -H "Authorization: Bearer $ACCESS_TOKEN" \
#   | jq .
# KEYCLOAK_CLIENT_UID=de077e77-a1b0-4d52-96c5-0e1a591bfbe0
# look up the client's internal UUID by its clientId (the admin API needs the UUID)
KEYCLOAK_CLIENT_UID=$(curl -s -X GET "${KEYCLOAK_HOST}/admin/realms/${KEYCLOAK_REALM}/clients?clientId=${KEYCLOAK_CLIENT_ID}" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  | jq -r '.[0].id')
# list users with the specified role
curl -s -X GET "${KEYCLOAK_HOST}/admin/realms/${KEYCLOAK_REALM}/clients/${KEYCLOAK_CLIENT_UID}/roles/${KEYCLOAK_ROLE}/users" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq .