- Introduction
- How to use
- Customization
- Supported APIs
- Attack Detection
- Authentication Management
- Client Attribute Certificate
- Client Initial Access
- Client Registration Policy
- Client Role Mappings
- Client Scopes
- Clients
- Component
- Groups
- Identity Providers
- Key
- Protocol Mappers
- Realms Admin
- Role Mapper
- Roles
- Roles (by ID)
- Scope Mappings
- User Storage Provider
- Users
- Root
This is a php client to connect to keycloak admin rest apis with no headache.
Features:
- Easy to use
- No need to get token or generate it - it's already handled by the client
- No need to specify any urls other than the base uri
- No encode/decode for json just data as you expect
Works with Keycloak 7.0+ admin REST API.
https://www.keycloak.org/documentation -> "Administration REST API"
$client = Keycloak\Admin\KeycloakClient::factory([
'realm' => 'master',
'username' => 'admin',
'password' => '1234',
'client_id' => 'admin-cli',
'baseUri' => 'http://127.0.0.1:8180',
]);
Since version 0.30, if your Keycloak base URL starts with auth/
, add it to baseUri
(e.g. http://127.0.0.1:8180/auth/). Base URL for Keycloak versions 7 to 16 have systematically auth/
. On Keycloak 17+ it depends on your settings.
$client->getUsers();
//Result
// Array of users
/*
[
[
"id" => "39839a9b-de08-4d2c-b91a-a6ce2595b1f3",
"createdTimestamp" => 1571663375749,
"username" => "admin",
"enabled" => true,
"totp" => false,
"emailVerified" => false,
"disableableCredentialTypes" => [
"password",
],
"requiredActions" => [],
"notBefore" => 0,
"access" => [
"manageGroupMembership" => true,
"view" => true,
"mapRoles" => true,
"impersonate" => true,
"manage" => true,
],
],
]
*/
$client->createUser([
'username' => 'test',
'email' => 'test@test.com',
'enabled' => true,
'credentials' => [
[
'type'=>'password',
'value'=>'1234',
],
],
]);
It is possible to change the credential's type used to authenticate by changing the configuration of the keycloak client.
Currently, the following credentials are supported
- password credentials, used by default
- to authenticate with a user account
$client = Keycloak\Admin\KeycloakClient::factory([ ... 'grant_type' => 'password', 'username' => 'admin', 'password' => '1234', ]);
- client credentials
- to authenticate with a client service account
$client = Keycloak\Admin\KeycloakClient::factory([ ... 'grant_type' => 'client_credentials', 'client_id' => 'admin-cli', 'client_secret' => '84ab3d98-a0c3-44c7-b532-306f222ce1ff', ]);
It is possible to inject Guzzle client middleware
in the keycloak client configuration using the middlewares
keyword.
For example:
use GuzzleHttp\Middleware;
use Psr\Http\Message\RequestInterface;
$client = Keycloak\Admin\KeycloakClient::factory([
...
'middlewares' => [
// throws exceptions when request fails
Middleware::httpErrors(),
// other custom middlewares
Middleware::mapRequest(function (RequestInterface $request) {
return $request;
}),
],
]);
By default, the token is saved at runtime. This means that the previous token is not used when creating a new client.
You can customize how the token is stored in the client configuration by implementing your own TokenStorage
,
an interface which describes how the token is stored and retrieved.
class CustomTokenStorage implements TokenStorage
{
public function getToken()
{
// TODO
}
public function saveToken(array $token)
{
// TODO
}
}
$client = Keycloak\Admin\KeycloakClient::factory([
...
'token_storage' => new CustomTokenStorage(),
]);
It is possible to inject Guzzle Service Operations
in the keycloak client configuration using the custom_operations
keyword. This way you can extend the built-in supported endpoints with custom.
$client = KeycloakClient::factory([
...
'custom_operations' => [
'getUsersByAttribute' => [
'uri' => '/auth/realms/{realm}/userapi-rest/users/search-by-attr',
'description' => 'Get users by attribute Returns a list of users, filtered according to query parameters',
'httpMethod' => 'GET',
'parameters' => [
'realm' => [
'location' => 'uri',
'description' => 'The Realm name',
'type' => 'string',
'required' => true,
],
'attr' => [
'location' => 'query',
'type' => 'string',
'required' => true,
],
'value' => [
'location' => 'query',
'type' => 'string',
'required' => true,
],
],
],
]
]);
API | Function Name | Supported |
---|---|---|
Clear any user login failures for all users This can release temporary disabled users | clearAllLoginFailures | ✔️ |
Get status of a username in brute force detection | getBruteForceUserStatus | ✔️ |
Clear any user login failures for the user This can release temporary disabled user | clearUserLoginFailures | ✔️ |
API | Function Name | Supported |
---|---|---|
Get authenticator providers Returns a list of authenticator providers. | getAuthenticatorProviders | ✔️ |
Get client authenticator providers Returns a list of client authenticator providers. | getClientAuthenticatorProviders | ✔️ |
Get authenticator provider’s configuration description | getAuthenticatorConfigInfo | ✔️ |
Get authenticator configuration | getAuthenticatorConfig | ✔️ |
Update authenticator configuration | updateAuthenticatorConfig | ✔️ |
Delete authenticator configuration | deleteAuthenticatorConfig | ✔️ |
Add new authentication execution | createAuthenticationExecution | ✔️ |
Get Single Execution | getAuthenticationExecution | ✔️ |
Delete execution | deleteAuthenticationExecution | ✔️ |
Update execution with new configuration | updateAuthenticationExecution | ✔️ |
Lower execution’s priority | lowerAuthenticationExecutionPriority | ✔️ |
Raise execution’s priority | raiseAuthenticationExecutionPriority | ✔️ |
Create a new authentication flow | createAuthenticationFlow | ✔️ |
Get authentication flows Returns a list of authentication flows. | getAuthenticationFlows | ✔️ |
Copy existing authentication flow under a new name The new name is given as 'newName' attribute of the passed JSON object | copyAuthenticationFlow | ✔️ |
Get authentication executions for a flow | getAuthenticationFlowExecutions | ✔️ |
Update authentication executions for a flow | updateAuthenticationFlowExecutions | ✔️ |
Add new authentication execution to a flow | createAuthenticationFlowExecution | ✔️ |
Add new flow with new execution to existing flow | addAuthenticationFlowExecution | ✔️ |
Get authentication flow for id | getAuthenticationFlow | ✔️ |
Update authentication flow for id | updateAuthenticationFlow | ✔️ |
Delete an authentication flow | deleteAuthenticationFlow | ✔️ |
Get form action providers Returns a list of form action providers. | getFormActionProviders | ✔️ |
Get form providers Returns a list of form providers. | getFormProviders | ✔️ |
Get configuration descriptions for all clients | getClientsConfigDescriptions | ✔️ |
Register a new required actions | createRequiredAction | ✔️ |
Get required actions Returns a list of required actions. | getRequiredActions | ✔️ |
Get required action for alias | getAliasRequiredAction | ✔️ |
Update required action | updateRequiredAction | ✔️ |
Delete required action | deleteRequiredAction | ✔️ |
Lower required action’s priority | lowerRequiredActionPriority | ✔️ |
Raise required action’s priority | raiseRequiredActionPriority | ✔️ |
Get unregistered required actions Returns a list of unregistered required actions. | getUnregisteredRequiredActions | ✔️ |
API | Function Name | Supported |
---|---|---|
Get key info (try with attr = "jwt.credential") | getClientKeyInfo | ✔️ |
Get a keystore file for the client, containing private key and public certificate (note: write response content to a file) | getClientKeyStore | ✔️ |
Generate a new certificate with new key pair | generateClientCertificate | ✔️ |
Generate a new keypair and certificate, and get the private key file Generates a keypair and certificate and serves the private key in a specified keystore format. | generateDownloadClientCertificate | ✔️ |
Upload certificate and eventually private key | uploadClientCertificateAndPrivateKey | ✔️ |
Upload only certificate, not private key | uploadClientCertificateOnly | ✔️ |
API | Function Name | Supported |
---|---|---|
Create a new initial access token. | createClientInitialAccessToken | ✔️ |
GET /{realm}/clients-initial-access | getClientInitialAccessTokens | ✔️ |
DELETE /{realm}/clients-initial-access/{id} | deleteClientInitialAccessToken | ✔️ |
API | Function Name | Supported |
---|---|---|
Base path for retrieve providers with the configProperties properly filled | getClientRegistrationPolicyProviders | ✔️ |
API | Function Name | Supported |
---|---|---|
Add client-level roles to the group role mapping | addGroupClientRoleMappings | ✔️ |
Get client-level role mappings for the group, and the app | getGroupClientRoleMappings | ✔️ |
Delete client-level roles from group role mapping | deleteGroupClientRoleMappings | ✔️ |
Get available client-level roles that can be mapped to the group | getAvailableGroupClientRoleMappings | ✔️ |
Get effective client-level role mappings This recurses any composite roles for groups | getGroupClientRoleMappingsWithComposite | ✔️ |
Add client-level roles to the user role mapping | addUserClientRoleMappings | ✔️ |
Get client-level role mappings for the user, and the app | getUserClientRoleMappings | ✔️ |
Delete client-level roles from user role mapping | deleteUserClientRoleMappings | ✔️ |
Get available client-level roles that can be mapped to the user | getAvailableUserClientRoleMappings | ✔️ |
Get effective client-level role mappings This recurses any composite roles for users | getUserClientRoleMappingsWithComposite | ✔️ |
API | Function Name | Supported |
---|---|---|
Create a new client scope Client Scope’s name must be unique! | createClientScope | ✔️ |
Get client scopes belonging to the realm Returns a list of client scopes belonging to the realm | getClientScopes | ✔️ |
Get representation of the client scope | getClientScope | ✔️ |
Update the client scope | updateClientScope | ✔️ |
Delete the client scope | deleteClientScope | ✔️ |
API | Function Name | Supported |
---|---|---|
Create a new client Client’s client_id must be unique! | createClient | ✔️ |
Get clients belonging to the realm Returns a list of clients belonging to the realm | getClients | ✔️ |
Get representation of the client | getClient | ✔️ |
Update the client | updateClient | ✔️ |
Delete the client | deleteClient | ✔️ |
Generate a new secret for the client | generateClientSecret | ✔️ |
Get the client secret | getClientSecret | ✔️ |
Get default client scopes. | getClientDefaultScopes | ✔️ |
Set client scope as default scope | setClientScopeAsDefault | ✔️ |
Remove client scope from default scopes | removeClientScopeAsDefault | ✔️ |
Create JSON with payload of example access token | getClientExampleAccessToken | ✔️ |
Return list of all protocol mappers, which will be used when generating tokens issued for particular client. | getClientProtocolMappers | ✔️ |
Get effective scope mapping of all roles of particular role container, which this client is defacto allowed to have in the accessToken issued for him. | getClientAllowedRoleMappingsInContainer | ✔️ |
Get roles, which this client doesn’t have scope for and can’t have them in the accessToken issued for him. | getClientNotAllowedRoleMappingsInContainer | ✔️ |
Generate client adapter configuration takes one of these (keycloak-oidc-keycloak-json, keycloak-oidc-jboss-subsystem-cli, keycloak-oidc-jboss-subsystem, keycloak-saml, keycloak-saml-subsystem-cli, keycloak-saml-subsystem) | getClientInstallationConfiguration | ✔️ |
Return object stating whether client Authorization permissions have been initialized or not and a reference | getClientAuthorizationPermissionsStatus | ✔️ |
Update client Authorization permissions initialization and a reference | updateClientAuthorizationPermissionsStatus | ✔️ |
Register a cluster node with the client Manually register cluster node to this client - usually it’s not needed to call this directly as adapter should handle by sending registration request to Keycloak | registerClientClusterNode | ✔️ |
Unregister a cluster node from the client | unregisterClientClusterNode | ✔️ |
Get application offline session count Returns a number of offline user sessions associated with this client { "count": number } | getClientOfflineSessionsCount | ✔️ |
Get offline sessions for client Returns a list of offline user sessions associated with this client | getClientOfflineSessions | ✔️ |
Get optional client scopes. | getClientOptionalScopes | ✔️ |
Assign client optional scope | assignClientOptionalScope | ✔️ |
remove client optional scope assignment | unassignClientOptionalScope | ✔️ |
Push the client’s revocation policy to its admin URL If the client has an admin URL, push revocation policy to it. | pushClientRevocationPolicy | ✔️ |
Generate a new registration access token for the client | generateClientRegistrationToken | ✔️ |
Get a user dedicated to the service account | getServiceAccountDedicatedUser | ✔️ |
Get application session count Returns a number of user sessions associated with this client { "count": number } | getClientSessionsCount | ✔️ |
Test if registered cluster nodes are available Tests availability by sending 'ping' request to all cluster nodes. | testClientNodesAvailability | ✔️ |
Get user sessions for client Returns a list of user sessions associated with this client | getClientSessions | ✔️ |
API | Function Name | Supported |
---|---|---|
Create new component | createComponent | ✔️ |
Get components | getComponents | ✔️ |
Get component | getComponent | ✔️ |
Update component | updateComponent | ✔️ |
Delete component | deleteComponent | ✔️ |
List of subcomponent types that are available to configure for a particular parent component. | getComponentSubTypes | ✔️ |
API | Function Name | Supported |
---|---|---|
create or add a top level realm groupSet or create child. | createGroup | ✔️ |
Get group hierarchy. | getGroups | ✔️ |
Returns the groups counts. | getGroupsCount | ✔️ |
Get Group | getGroup | ✔️ |
Get Group Children (subgroups) | getGroupChildren | ✔️ |
Update group, ignores subgroups. | updateGroup | ✔️ |
Delete Group | removeGroup | ✔️ |
Set or create child. | createChildGroup | ✔️ |
Return object stating whether client Authorization permissions have been initialized or not and a reference | getGroupManagementPermissions | ✔️ |
Return object stating whether client Authorization permissions have been initialized or not and a reference | updateGroupManagementPermissions | ✔️ |
Get users Returns a list of users, filtered according to query parameters | getGroupMembers | ✔️ |
API | Function Name | Supported |
---|---|---|
Import identity provider from uploaded JSON file | importIdentityProvider | ✔️ |
Create a new identity provider | createIdentityProvider | ✔️ |
Get identity providers | getIdentityProviders | ✔️ |
Get the identity provider | getIdentityProvider | ✔️ |
Update the identity provider | updateIdentityProvider | ✔️ |
Delete the identity provider | deleteIdentityProvider | ✔️ |
Export public broker configuration for identity provider | exportIdentityProviderBrokerConfig | ✔️ |
Return object stating whether client Authorization permissions have been initialized or not and a reference | getIdentityProviderManagementPermissions | ✔️ |
Return object stating whether client Authorization permissions have been initialized or not and a reference | updateIdentityProviderManagementPermissions | ✔️ |
Get mapper types for identity provider (Keycloak gives exception report it) | getIdentityProviderMapperTypes | ✔️ |
Add a mapper to identity provider | createIdentityProviderMapper | ✔️ |
Get mappers for identity provider | getIdentityProviderMappers | ✔️ |
Get mapper by id for the identity provider | getIdentityProviderMapper | ✔️ |
Update a mapper for the identity provider (not working for some reason gives Null Pointer Exception) | updateIdentityProviderMapper | ✔️ |
Delete a mapper for the identity provider | deleteIdentityProviderMapper | ✔️ |
Get identity providers | getIdentityProviderById | ✔️ |
API | Function Name | Supported |
---|---|---|
Get Realm keys | getRealmKeys | ✔️ |
Note: Ids are sent as clientScopeId or clientId and mapperId everything else is just as the keycloak documentation
API | Function Name | Supported |
---|---|---|
Create multiple mappers | createClientScopeProtocolMappers | ✔️ |
Create a mapper | createClientScopeProtocolMapper | ✔️ |
Get mappers | getClientScopeProtocolMappers | ✔️ |
Get mapper by id | getClientScopeProtocolMapperById | ✔️ |
Update the mapper | updateClientScopeProtocolMapper | ✔️ |
Delete the mapper | deleteClientScopeProtocolMapper | ✔️ |
Get mappers by name for a specific protocol | getClientScopeProtocolMappersByProtocolName | ✔️ |
Create multiple mappers | createClientProtocolMappers | ✔️ |
Create a mapper | createClientProtocolMapper | ✔️ |
Get mappers | getClientProtocolMappers | ✔️ |
Get mapper by id | getClientProtocolMapperById | ✔️ |
Update the mapper | updateClientProtocolMapper | ✔️ |
Delete the mapper | deleteClientProtocolMapper | ✔️ |
Get mappers by name for a specific protocol | getClientProtocolMappersByProtocolName | ✔️ |
API | Function Name | Supported |
---|---|---|
Get accessible realms Returns a list of accessible realms. The list is filtered based on what realms the caller is allowed to view. | getRealms | ✔️ |
Import a realm Imports a realm from a full representation of that realm. | importRealm | ✔️ |
Get the top-level representation of the realm It will not include nested information like User and Client representations. | getRealm | ✔️ |
Update the top-level information of the realm Any user, roles or client information in the representation will be ignored. | updateRealm | ✔️ |
Delete the realm | deleteRealm | ✔️ |
Get admin events Returns all admin events, or filters events based on URL query parameters listed here | getAdminEvents | ✔️ |
Delete all admin events | deleteAdminEvents | ✔️ |
Clear cache of external public keys (Public keys of clients or Identity providers) | clearExternalPublicKeysCache | ✔️ |
Clear realm cache | clearRealmCache | ✔️ |
Clear user cache | clearUserCache | ✔️ |
Base path for importing clients under this realm. | importClient | ✔️ |
Get client session stats Returns a JSON map. | getClientsSessionStats | ✔️ |
GET /{realm}/credential-registrators | getCredentialRegistrators | ✔️ |
Get realm default client scopes. | getDefaultClientScopes | ✔️ |
PUT /{realm}/default-default-client-scopes/{clientScopeId} | setScopeAsDefaultClientScope | ✔️ |
DELETE /{realm}/default-default-client-scopes/{clientScopeId} | unsetScopeAsDefaultClientScope | ✔️ |
Get group hierarchy. | getDefaultGroupHierarchy | ✔️ |
PUT /{realm}/default-groups/{groupId} | setGroupAsDefaultGroup | ✔️ |
DELETE /{realm}/default-groups/{groupId} | unsetGroupAsDefaultGroup | ✔️ |
Get realm optional client scopes. | getOptionalClientScopes | ✔️ |
PUT /{realm}/default-optional-client-scopes/{clientScopeId} | setScopeAsOptionalClientScope | ✔️ |
DELETE /{realm}/default-optional-client-scopes/{clientScopeId} | unsetScopeAsOptionalClientScope | ✔️ |
Get events Returns all events, or filters them based on URL query parameters listed here | getAllEvents | ✔️ |
Delete all events | deleteAllEvents | ✔️ |
Get the events provider configuration Returns JSON object with events provider configuration | getEventsConfig | ✔️ |
Update the events provider Change the events provider and/or its configuration | updateEventsConfig | ✔️ |
Get user group by path | getGroupByPath | ✔️ |
GET /{realm}/localization | getLocalizationLocales | ✔️ |
POST /{realm}/localization/{locale} | updateLocalizationTexts | ✔️ |
GET /{realm}/localization/{locale} | getLocalizationTexts | ✔️ |
DELETE /{realm}/localization/{locale} | deleteLocalizationTexts | ✔️ |
GET /{realm}/localization/{locale}/{key} | getLocalizationText | ✔️ |
PUT /{realm}/localization/{locale}/{key} | saveLocalizationText | ✔️ |
Removes all user sessions. (Keycloak throws an exception when this one is called) | logoutAllUsers | ❌ |
Partial export of existing realm into a JSON file. | partialExportRealm | ✔️ |
Partial import from a JSON file to an existing realm. | partialImportRealm | ✔️ |
Push the realm’s revocation policy to any client that has an admin url associated with it. (Keycloak throws an exception when this one is called) | pushRevocationPolicy | ❌ |
Remove a specific user session. | revokeUserSession | ✔️ |
Test LDAP connection | testLDAPConnection | ✔️ |
Test SMTP connection with current logged in user | testSMTPConnection | ✔️ |
Get User Management Permissions | getUserManagementPermissions | ✔️ |
Update User Management Permissions | updateUserManagementPermissions | ✔️ |
API | Function Name | Supported |
---|---|---|
Get role mappings | getGroupRoleMappings | ✔️ |
Add realm-level role mappings to the group | addGlobalRolesToGroup | ✔️ |
Get realm-level role mappings | getGroupRealmRoleMappings | ✔️ |
Delete realm-level role mappings | deleteGroupRealmRoleMappings | ✔️ |
Get realm-level roles that can be mapped | getAvailableGroupRealmRoleMappings | ✔️ |
Get effective realm-level role mappings This will recurse all composite roles to get the result. | getEffectiveGroupRealmRoleMappings | ✔️ |
Get role mappings | getUserRoleMappings | ✔️ |
Add realm-level role mappings to the user | addGlobalRolesToUser | ✔️ |
Get realm-level role mappings | getUserRealmRoleMappings | ✔️ |
Delete realm-level role mappings | deleteUserRealmRoleMappings | ✔️ |
Get realm-level roles that can be mapped | getAvailableUserRealmRoleMappings | ✔️ |
Get effective realm-level role mappings This will recurse all composite roles to get the result. | getEffectiveUserRealmRoleMappings | ✔️ |
API | Function Name | Supported |
---|---|---|
Create a new role for the realm or client (Client Specific) | createClientRole | ✔️ |
Get all roles for the realm or client (Client Specific) | getClientRoles | ✔️ |
Get a role by name (Client Specific) | getClientRole | ✔️ |
Update a role by name (Client Specific) | updateClientRole | ✔️ |
Delete a role by name (Client Specific) | deleteClientRole | ✔️ |
Add a composite to the role (Client Specific) | addCompositeRoleToClientRole | ✔️ |
Get composites of the role (Client Specific) | getClientRoleCompositeRoles | ✔️ |
Remove roles from the role’s composite (Client Specific) | deleteCompositeRoleFromClientRole | ✔️ |
An app-level roles for the specified app for the role’s composite (Client Specific) | getClientRoleCompositeRolesForClient | ✔️ |
Get realm-level roles of the role’s composite (Client Specific) | getClientRoleCompositeRolesForRealm | ✔️ |
Return List of Groups that have the specified role name (Client Specific) | getClientRoleGroups | ✔️ |
Return object stating whether role Authoirzation permissions have been initialized or not and a reference (Client Specific) | getClientRoleManagementPermissions | ✔️ |
Update object stating whether role Authoirzation permissions have been initialized or not and a reference (Client Specific) | updateClientRoleManagementPermissions | ✔️ |
Return List of Users that have the specified role name (Client Specific) | getClientRoleUsers | ✔️ |
Create a new role for the realm or client | createRealmRole | ✔️ |
Get all roles for the realm or client | getRealmRoles | ✔️ |
Get a role by name | getRealmRole | ✔️ |
Update a role by name | updateRealmRole | ✔️ |
Delete a role by name | deleteRealmRole | ✔️ |
Add a composite to the role | addCompositeRoleToRealmRole | ✔️ |
Get composites of the role | getRealmRoleCompositeRoles | ✔️ |
Remove roles from the role’s composite | deleteCompositeRoleFromRealmRole | ✔️ |
An app-level roles for the specified app for the role’s composite | getRealmRoleCompositeRolesForClient | ✔️ |
Get realm-level roles of the role’s composite | getRealmRoleCompositeRolesForRealm | ✔️ |
Return List of Groups that have the specified role name | getRealmRoleGroups | ✔️ |
Return object stating whether role Authoirzation permissions have been initialized or not and a reference | getRealmRoleManagementPermissions | ✔️ |
Update object stating whether role Authoirzation permissions have been initialized or not and a reference | updateRealmRoleManagementPermissions | ✔️ |
Return List of Users that have the specified role name | getRealmRoleUsers | ✔️ |
API | Function Name | Supported |
---|---|---|
Get a specific role’s representation | getRealmRoleById | ✔️ |
Update the role | updateRealmRoleById | ✔️ |
Delete the role | deleteRealmRoleById | ✔️ |
Make the role a composite role by associating some child roles | addCompositeRoleToRealmRoleByRoleId | ✔️ |
Get role’s children Returns a set of role’s children provided the role is a composite. | getRealmRoleCompositeRolesByRoleId | ✔️ |
Remove a set of roles from the role’s composite | deleteCompositeRoleFromRealmRoleByRoleId | ✔️ |
Get client-level roles for the client that are in the role’s composite | getRealmRoleCompositeRolesForClientByRoleId | ✔️ |
Get realm-level roles that are in the role’s composite | getRealmRoleCompositeRolesForRealmByRoleId | ✔️ |
Return object stating whether role Authoirzation permissions have been initialized or not and a reference | getRealmRoleManagementPermissionsByRoleId | ✔️ |
Return object stating whether role Authoirzation permissions have been initialized or not and a reference | updateRealmRoleManagementPermissionsByRoleId | ✔️ |
API | Function Name | Supported |
---|---|---|
Get all scope mappings for the client | ❌ | |
Add client-level roles to the client’s scope | ❌ | |
Get the roles associated with a client’s scope Returns roles for the client. | ❌ | |
Remove client-level roles from the client’s scope. | ❌ | |
The available client-level roles Returns the roles for the client that can be associated with the client’s scope | ❌ | |
Get effective client roles Returns the roles for the client that are associated with the client’s scope. | ❌ | |
Add a set of realm-level roles to the client’s scope | ❌ | |
Get realm-level roles associated with the client’s scope | ❌ | |
Remove a set of realm-level roles from the client’s scope | ❌ | |
Get realm-level roles that are available to attach to this client’s scope | ❌ | |
Get effective realm-level roles associated with the client’s scope What this does is recurse any composite roles associated with the client’s scope and adds the roles to this lists. | ❌ | |
Get all scope mappings for the client | ❌ | |
Add client-level roles to the client’s scope | ❌ | |
Get the roles associated with a client’s scope Returns roles for the client. | ❌ | |
Remove client-level roles from the client’s scope. | ❌ | |
The available client-level roles Returns the roles for the client that can be associated with the client’s scope | ❌ | |
Get effective client roles Returns the roles for the client that are associated with the client’s scope. | ❌ | |
Add a set of realm-level roles to the client’s scope | ❌ | |
Get realm-level roles associated with the client’s scope | ❌ | |
Remove a set of realm-level roles from the client’s scope | ❌ | |
Get realm-level roles that are available to attach to this client’s scope | ❌ | |
Get effective realm-level roles associated with the client’s scope What this does is recurse any composite roles associated with the client’s scope and adds the roles to this lists. | ❌ |
API | Function Name | Supported |
---|---|---|
Need this for admin console to display simple name of provider when displaying client detail KEYCLOAK-4328 | ❌ | |
Need this for admin console to display simple name of provider when displaying user detail KEYCLOAK-4328 | ❌ | |
Remove imported users | ❌ | |
Trigger sync of users Action can be "triggerFullSync" or "triggerChangedUsersSync" | ❌ | |
Unlink imported users from a storage provider | ❌ | |
Trigger sync of mapper data related to ldap mapper (roles, groups, …) direction is "fedToKeycloak" or "keycloakToFed" | ❌ |
API | Function Name | Supported |
---|---|---|
Create a new user Username must be unique. | createUser | ✔️ |
Get users Returns a list of users, filtered according to query parameters | getUsers | ✔️ |
GET /{realm}/users/count | getUserCount | ✔️ |
Get representation of the user | getUser | ️️️✔️ |
Update the user | updateUser | ️️️✔️ |
Delete the user | deleteUser | ️️️✔️ |
Get consents granted by the user | ️✔️ | |
Revoke consent and offline tokens for particular client from user | ❌ | |
Disable all credentials for a user of a specific type | ❌ | |
Send a update account email to the user An email contains a link the user can click to perform a set of required actions. | executeActionsEmail | ✔️ |
Get social logins associated with the user | ✔️ | |
Add a social login provider to the user | ✔️ | |
Remove a social login provider from user | ✔️ | |
GET /{realm}/users/{id}/groups | getUserGroups | ✔️ |
GET /{realm}/users/{id}/groups/count | getUserGroupsCount | ✔️ |
PUT /{realm}/users/{id}/groups/{groupId} | addUserToGroup | ✔️ |
DELETE /{realm}/users/{id}/groups/{groupId} | deleteUserFromGroup | ✔️ |
Impersonate the user | impersonateUser | ✔️ |
Remove all user sessions associated with the user Also send notification to all clients that have an admin URL to invalidate the sessions for the particular user. | logoutUser | ✔️ |
Get offline sessions associated with the user and client | ❌ | |
Remove TOTP from the user | ❌ | |
Set up a new password for the user. | resetUserPassword | ✔️ |
Send an email-verification email to the user An email contains a link the user can click to verify their email address. | sendVerifyEmail | ✔️ |
Get sessions associated with the user | getUserSessions | ✔️ |
Get credentials associated with the user | getUserCredentials | ✔️ |
Delete credential associated with the user | deleteUserCredential | ✔️ |
API | Function Name | Supported |
---|---|---|
Get themes, social providers, auth providers, and event listeners available on this server | ❌ | |
CORS preflight | ❌ |