Managing users in Keycloak can be done manually via the admin console (if you are running it locally, it can be found on http://localhost:8080/auth). If you have an LDAP service somewhere, you could also integrate that and manage the users via that. In this blog post, we’ll examine a simple way to manage users programmatically.
We could use the Admin REST API directly but I am feeling lazy today. Luckily Keycloak provides a handy but not yet well documented client for this API.
Simply add a dependency to your Maven pom.xml (or build.gradle if you prefer):
```xml
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-admin-client</artifactId>
    <version>1.4.0.Final</version>
</dependency>
```
We can now use the Keycloak client to access the admin functions. In this example, we’ll add users to the master realm. First we have to log into the realm with a user that actually has the proper roles. By default, there is already a security-admin-console client defined, which we simply reuse here. You can of course define your own client if you prefer. Currently, Keycloak requires a user with the role admin to be able to create new users, so again, we’ll use the default admin user.
```java
import org.keycloak.admin.client.Keycloak;

Keycloak kc = Keycloak.getInstance(
        "http://localhost:8080/auth",
        "master",                   // the realm to log in to
        "admin", "password",        // the user
        "security-admin-console");  // the client used to log in
```
Now, we can access the API and create a new user:
```java
import java.util.Arrays;

import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

// The initial password for the new account
CredentialRepresentation credential = new CredentialRepresentation();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue("test123");

// The user itself; note that no enabled flag is set here yet (see below)
UserRepresentation user = new UserRepresentation();
user.setUsername("testuser");
user.setFirstName("Test");
user.setLastName("User");
user.setCredentials(Arrays.asList(credential));

kc.realm("master").users().create(user);
```
That’s it! Well… not exactly. If you try to log in with this user, you’ll get a 400 Bad Request. That is because the user is disabled by default. This is easily fixed by calling user.setEnabled(true) before creating the user.
While we are at it, we also need to consider how to communicate this new account to the actual user. If you are going to e-mail the username and password to the end user, you probably want to require them to reset the password upon first login. Requiring a reset is the default, but it can be turned off by calling credential.setTemporary(false). You probably need to assign some realm or client roles as well, using user.setRealmRoles() and user.setClientRoles().
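Putting the steps above together, here is a complete program that creates an enabled user with a temporary password and checks the outcome of the call. This is an added example, not code from the original post or from the Keycloak project. It assumes the realm role named "user" exists, that the admin and initial user passwords are supplied in the environment variables ADMIN_PASSWORD and INITIAL_USER_PASSWORD (names chosen for this example), and that users().create() returns a JAX-RS Response whose Location header points at the new user, as the admin client does:

```java
import java.util.Arrays;
import java.util.Collections;
import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class CreateUserExample {

    public static void main(String[] args) {
        // Secrets come from the environment so they are not hard-coded in source control.
        // ADMIN_PASSWORD and INITIAL_USER_PASSWORD are variable names assumed for this example.
        String adminPassword = System.getenv("ADMIN_PASSWORD");
        String initialPassword = System.getenv("INITIAL_USER_PASSWORD");

        Keycloak kc = Keycloak.getInstance(
                "http://localhost:8080/auth",
                "master",                   // the realm to log in to
                "admin", adminPassword,     // the admin user
                "security-admin-console");  // the client used to log in

        // Temporary credential: the user is forced to pick a new password at first login,
        // so the value that was e-mailed never stays valid for long.
        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue(initialPassword);
        credential.setTemporary(true);

        UserRepresentation user = new UserRepresentation();
        user.setUsername("testuser");
        user.setFirstName("Test");
        user.setLastName("User");
        user.setEnabled(true);             // without this, login fails with 400 Bad Request
        user.setCredentials(Arrays.asList(credential));
        user.setRealmRoles(Collections.singletonList("user")); // assumes a realm role "user" exists

        Response response = kc.realm("master").users().create(user);
        try {
            int status = response.getStatus();
            if (status == 409) {
                // Keycloak rejects a second user with the same username
                throw new IllegalStateException("username already exists: " + user.getUsername());
            }
            if (status != 201) {
                throw new IllegalStateException("user creation failed with HTTP " + status);
            }
            // The Location header holds the URL of the new user; its last segment is the user id,
            // which is what users().get(id) expects later on.
            String location = response.getHeaderString("Location");
            String userId = location.substring(location.lastIndexOf('/') + 1);
            System.out.println("created user with id " + userId);
        } finally {
            response.close();
        }
    }
}
```

Checking the status code matters: the admin client does not throw on a 409 or 4xx response from create(), so a silently failed call would otherwise look like success.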
There’s also support for searching and editing users. For example, you can do something like:
```java
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.UserRepresentation;

// Look up a user by its id (the UUID Keycloak assigned at creation time)
UserResource userResource = kc.realm("master").users().get("f20f524f-02f6-4465-bc7c-947f1ee9c3df");
UserRepresentation user = userResource.toRepresentation();
user.setFirstName("Some");
user.setLastName("Body");
userResource.update(user);
```

Note: As said in the intro, the admin client isn’t heavily documented (yet) and is sometimes a bit rough around the edges. Make sure you are using the same version number for the client as for the server. Since Keycloak is actively developed, new properties can be added between versions; if you run into serialization problems, you are probably using a different version for the client.
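Editing by id is fine when you already have the UUID, but an offboarding job usually starts from a username. The following added example (not code from the original post or from the Keycloak project) searches for a user by name and disables the account rather than deleting it, so the role mappings and audit trail stay intact. It assumes UsersResource.search(String, Integer, Integer) with the usual (search, firstResult, maxResults) signature and that the admin password is provided in an environment variable named ADMIN_PASSWORD:

```java
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.UserRepresentation;

public class DisableUserExample {

    /** Returns users whose username, name or e-mail contains the search string. */
    static List<UserRepresentation> findUsers(Keycloak kc, String realm, String search) {
        // search(search, firstResult, maxResults): assumed signature of UsersResource.search
        return kc.realm(realm).users().search(search, 0, 20);
    }

    /** Disables the account with exactly the given username. */
    static void disableUser(Keycloak kc, String realm, String username) {
        UsersResource users = kc.realm(realm).users();

        // The search is a substring match, so "testuser" would also return "testuser2";
        // insist on an exact username before touching anything.
        UserRepresentation match = null;
        for (UserRepresentation candidate : findUsers(kc, realm, username)) {
            if (username.equals(candidate.getUsername())) {
                match = candidate;
                break;
            }
        }
        if (match == null) {
            throw new IllegalArgumentException("no user named " + username + " in realm " + realm);
        }

        UserResource userResource = users.get(match.getId());
        UserRepresentation user = userResource.toRepresentation();
        user.setEnabled(false);          // the user can no longer log in, but the record survives
        userResource.update(user);
    }

    public static void main(String[] args) {
        Keycloak kc = Keycloak.getInstance(
                "http://localhost:8080/auth",
                "master",
                "admin", System.getenv("ADMIN_PASSWORD"),  // ADMIN_PASSWORD is an assumed variable name
                "security-admin-console");
        disableUser(kc, "master", "testuser");
    }
}
```

Disabling leaves the user's existing sessions untouched; if those must end immediately, revoke them as a separate step through the admin console or API for the client version you run.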