Keycloak Admin API Rest Example: Get User

keycloak.sh

#!/bin/bash

# requires https://stedolan.github.io/jq/download/

# config
KEYCLOAK_URL=http://localhost:8080/auth
KEYCLOAK_REALM=realm
KEYCLOAK_CLIENT_ID=clientId
KEYCLOAK_CLIENT_SECRET=clientSecret
USER_ID=userId

export TKN=$(curl -X POST "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "username=${KEYCLOAK_CLIENT_ID}" \
 -d "password=${KEYCLOAK_CLIENT_SECRET}" \
 -d 'grant_type=password' \
 -d 'client_id=admin-cli' | jq -r '.access_token')

curl -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${$USER_ID}" \
-H "Accept: application/json" \
-H "Authorization: Bearer $TKN" | jq .

Is there any way to get the groups in the user detail response? The UserRepresentation definition has the groups field, but is not returned by the api:

 {'id': '314cfd91-dae1-40c1-9af9-5857c6531dc3',
  'createdTimestamp': 1600373234948,
  'username': '[email protected]',
  'enabled': True,
  'totp': False,
  'emailVerified': True,
  'firstName': 'Jeudy',
  'lastName': 'Blanco',
  'email': '[email protected]',
  'disableableCredentialTypes': [],
  'requiredActions': [],
  'notBefore': 0,
  'access': {'manageGroupMembership': True,
   'view': True,
   'mapRoles': True,
   'impersonate': True,
   'manage': True}}

@jijiechen Thanks man, you gave me a clue about my problem.

Untested! :)

Don't worry it works.

Is there any way to list all realm & client roles using Java?
For example:

 @GetMapping("/roles")
    public ResponseEntity<List<RoleRepresentation>> getRoles() {
        Keycloak keycloak = getKeycloakInstance();
        ClientRepresentation clientRepresentation = keycloak.realm(keycloakRealm).clients().findByClientId(keycloakClient).get(0);
        List<RoleRepresentation> roles = keycloak.realm(keycloakRealm).clients().get(clientRepresentation.getId()).roles().list();
        return ResponseEntity.ok(roles);
    }

Above code is to list all client roles. I want to list realm roles.

Thanks

If anyone like me will try this script on newer Keycloak and it does not work, see: https://stackoverflow.com/questions/70577004/keycloak-could-not-find-resource-for-full-path

Thank you!
It's worked for me

On keycloak 21.0.1 the following works for me:

#!/bin/bash

# requires https://stedolan.github.io/jq/download/

# config
KEYCLOAK_URL=http://localhost:8080 # NOTE: no /auth
KEYCLOAK_REALM=realm
KEYCLOAK_CLIENT_ID=clientId
KEYCLOAK_CLIENT_SECRET=clientSecret
USER_ID=userId

export TKN=$(curl -X POST "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "client_id=${KEYCLOAK_CLIENT_ID}" \
 -d "client_secret=${KEYCLOAK_CLIENT_SECRET}" \
 -d 'grant_type=client_credentials' | jq -r '.access_token')

curl -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}" \
-H "Accept: application/json" \
-H "Authorization: Bearer $TKN" | jq .

In the client config:
Client authentication: On
Direct access grants: On
Service account roles: On

Under "Service Account Roles" assign the manage-users role.

Raw HTTP format:

POST http://localhost:8080/realms/YOUR_REALM/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&client_id=admin-cli&username=YOUR_USER&password=YOUR_PASSWORD

Example using defaults:

POST http://localhost:8080/realms/master/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&client_id=admin-cli&username=admin&password=admin

Just as hint:

We had issues with passwords which contains non ASCII characters.

We were able to fix this by replacing:

-d "password=${KEYCLOAK_CLIENT_SECRET}" \

with

--data-urlencode "password=${KEYCLOAK_CLIENT_SECRET}" \