
Keycloak: How to enable unmanagedAttributePolicy over REST API?


Since Keycloak v24, custom UserAttributes are not turned on by default (https://github.com/keycloak/keycloak/issues/9889). The options are explained here: https://www.keycloak.org/docs/latest/server_admin/#_understanding-managed-and-unmanaged-attributes

I use the Python3 Keycloak Module (https://pypi.org/project/python-keycloak/) to communicate with the keycloak REST API. However, when creating a realm, I cannot set the UnmanagedAttributePolicy to enable these custom user attributes and the official documentation is rather lacking (https://www.keycloak.org/docs-api/24.0.1/rest-api/index.html#UnmanagedAttributePolicy).

Does anyone know how to do this? Thanks in advance!


Solution

  • python-keycloak has no profile API, but you can do it with raw_put() (PUT REST API).

    The profile PUT payload has the previous attributes too, so I call the GET API first, add the unmanaged attribute, then call the PUT API.

    Demo

    from keycloak import KeycloakOpenIDConnection, KeycloakAdmin
    import json
    
    keycloak_connection = KeycloakOpenIDConnection(
                            server_url='http://localhost:8080',
                            username='admin',
                            password='admin',
                            realm_name='master',
                            client_id='admin-cli',
                            verify=True
    )
    keycloak_admin = KeycloakAdmin(connection=keycloak_connection)
    
    keycloak_admin.change_current_realm('my-realm')
    
    current = keycloak_admin.get_current_realm()
    print('current realm : ' + current)
    
    # Get current profile
    profile_url = 'http://localhost:8080/admin/realms/my-realm/users/profile'
    profiles = keycloak_connection.raw_get(profile_url)
    attributes = profiles.json()['attributes']
    
    # Add unmanaged Attribute
    attributes.append({
          'name': 'custom',
          'displayName': '${custom}',
          'validations': {'length': {'max': 255}},
          'annotations': {},
          'permissions': { 'view': ['admin'], 'edit': ['admin', 'user'] },
          'multivalued': False
        })
    
    # new profile's payload
    new_profiles = {
      'attributes' : attributes,
      'groups': profiles.json()['groups'],
      'unmanagedAttributePolicy':'ENABLED' # 'ADMIN_VIEW', 'ADMIN_EDIT'
    }
    
    # Update profile
    result = keycloak_connection.raw_put(profile_url,json.dumps(new_profiles))
    print(result)
    
    # Get new profile
    update_profiles = keycloak_connection.raw_get(profile_url)
    print(json.dumps(update_profiles.json()))
    

    Result

    Added custom attributes

    Detail custom attribute

    Confirm by Postman

    API documentation

    In here

            {
                "name": "custom",
                "displayName": "${custom}",
                "validations": {
                    "length": {
                        "max": 255
                    }
                },
                "annotations": {},
                "permissions": {
                    "view": [
                        "admin"
                    ],
                    "edit": [
                        "admin",
                        "user"
                    ]
                },
                "multivalued": false
            }
    

    unmanagedAttributePolicy setting

    documentation in here

    new_profiles = {
      'attributes' : attributes,
      'groups': profiles.json()['groups'],
      'unmanagedAttributePolicy':'ENABLED' # 'ADMIN_VIEW', 'ADMIN_EDIT'
    }
    

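An added example, not part of the original answer or of python-keycloak: a pure helper that builds the PUT body from the GET response, keeping every existing top-level key, rejecting policy values other than the three named above, and replacing rather than duplicating an attribute when the script is re-run. The function name `build_profile_payload`, the sample profile and the admin-only `edit` permission are assumptions constructed for illustration; the returned dict is what would be passed to `raw_put()` as in the demo.

```python
import copy

# Policy values named on the page; any other string is rejected before the PUT.
ALLOWED_POLICIES = {"ENABLED", "ADMIN_VIEW", "ADMIN_EDIT"}


def build_profile_payload(current, policy, new_attributes=()):
    """Return the body for PUT /admin/realms/{realm}/users/profile.

    `current` is the dict returned by the GET on the same URL. Every existing
    key is carried over, so groups or other settings are not dropped.
    """
    if policy not in ALLOWED_POLICIES:
        raise ValueError(f"unsupported unmanagedAttributePolicy: {policy!r}")
    payload = copy.deepcopy(current)  # never mutate the caller's copy
    attributes = payload.setdefault("attributes", [])
    by_name = {a["name"]: i for i, a in enumerate(attributes)}
    for attr in new_attributes:
        if attr["name"] in by_name:
            attributes[by_name[attr["name"]]] = copy.deepcopy(attr)  # replace, no duplicate
        else:
            by_name[attr["name"]] = len(attributes)
            attributes.append(copy.deepcopy(attr))
    payload["unmanagedAttributePolicy"] = policy
    return payload


# Constructed sample of a GET response (not captured from a real server).
SAMPLE_PROFILE = {
    "attributes": [
        {"name": "username", "displayName": "${username}"},
        {"name": "email", "displayName": "${email}"},
    ],
    "groups": [{"name": "user-metadata", "displayHeader": "User metadata"}],
}

# Constructed variant of the answer's attribute: only admins may edit it.
CUSTOM = {
    "name": "custom",
    "displayName": "${custom}",
    "validations": {"length": {"max": 255}},
    "permissions": {"view": ["admin"], "edit": ["admin"]},
    "multivalued": False,
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_profile_payload(SAMPLE_PROFILE, "ADMIN_EDIT", [CUSTOM]), indent=2))
```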