Keycloak REST API 无法从用户角色映射中删除客户端级角色

Question

Hoping someone can help me on this. I've created my own Keycloak Realm, and client. I am using Spring boot and KeycloakRestTemplate from org.keycloak.adapters.springsecurity.client.KeycloakRestTemplate; to make all my calls.

I've been successful in adding client-level roles to the user role mapping to any given user.

I prefix my URI with /admin/realms/ when using the Keycloak API docs. So far all my requests have worked (getting a list of users from my client, getting a list of users that have a particular client-level role, and even adding client-level roles to a user as described above)

My problem is I cannot delete client-level roles from a user. I've looked at the keycloak docs and it looks like I've followed everything correctly. I also made sure the user had applicable client roles available to be deleted. I really appreciate any comments or help given!!

https://www.keycloak.org/docs-api/14.0/rest-api/index.html

"Delete client-level roles from user role mapping DELETE /{realm}/users/{id}/role-mappings/clients/{client}"

 import org.keycloak.adapters.springsecurity.client.KeycloakRestTemplate; . . . @Autowired private KeycloakRestTemplate restTemplate; . . . . . UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(keycloakServerUrl + "/admin/realms/"+keycloakRealm+"/users/"+userId+"/role-mappings/clients/"+keycloakClientId); this.restTemplate.postForEntity(builder.toUriString(), rolesList, List.class); // this works! Note: rolesList is an List<RoleRepresentation> object . . . this.restTemplate.delete(builder.toUriString(), rolesList); // Does not work!

URI: http://XXXXXXXXXXXXXXX:8180/auth/admin/realms/VLS/users/2144cc43-59f4-4406-9527-2a59ee0c3751/role-mappings/clients/53e659e1-7cef-4dbb-8cdd-b786ca3a44a4

Error when calling Delete API: org.springframework.web.client.HttpClientErrorException$UnsupportedMediaType: 415 Unsupported Media Type: [{"error":"RESTEASY003065: Cannot consume content type"}]

Edit 1: I have also given myself ALL available roles from all clients as a precaution beforehand. I understand some roles are needed to perform certain tasks even through the API. I've taken this into account.

Answer 1

KeycloakRestTemplate appears to inherit all of its methods directly from Spring's RestTemplate . According to the documentation for that class, the second argument to delete isn't a request body, as I think you're intending. Rather, it's a vararg of objects used to expand template variables in the URI.

There doesn't appear to be a variant of the delete method that allows you to supply a body, so you'll probably need to use one of the variants of the execute or exchange methods that accepts an HTTP method and a request entity instead. In fact, the RestTemplate API makes this quite difficult to do, because it's generally assumed that DELETE requests don't have bodies.

Answer 2

The alternate way to interact with Keycloak can be using the keycloak starter dependency and the keycloak admin client .

1. Add the dependencies mentioned above.

2. Configure the Keycloak admin user.

    public Keycloak getAdminKeycloakUser() { return KeycloakBuilder.builder() .serverUrl(keycloakAuthUrl) .grantType(OAuth2Constants.PASSWORD) .realm(masterRealm).clientId(masterClient) .username(adminUsername).password(adminPassword) .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()) .build(); }

With this admin user we can delete the client user along with other actions.

getAdminKeycloakUser().realm(realm).clients().roles().deleteRole(roleName);