Hi,
I would like to automated the creation of a few Groovy rules. However, only the superuser is allowed to create such rules and I still couldn’t find a way to authenticate programmatically as a superuser (e.g., admin).
How can I do that?
Best regards.
Adriano Carvalho
Hi,
Until we have a robust groovy sandbox then indeed you need to be a superuser to create groovy rules (as well as have the write:rules client role).
A superuser is defined as a user in the master realm with the admin realm role; as this cannot be set with the users page in the manager UI you can go to the Keycloak admin UI /admin and you can manually add the admin realm role to your master realm service user as follows:
Service Account Roles tabadmin realm role and click add selected
Hi Rich,
Thank you for your response. Unfortunetely, that approach requires more user interaction than we would like.
Is it possible to add the “admin” role programmaticaly?
Something that would be acceptable for us is to open the browser for the user to log-in when needed. Could this be done?
Best regards.
Adriano Carvalho
Keycloak has a REST API (which is what our manager uses to manage users) so you could also use that programmatically to add the admin role; I don’t know your use case but I assume you want to do this for lots of users over time? Are you using the auto provisioning functionality over MQTT or are your service users being manually created?
Our use case is setting up OR instances, including adding rules and so on.
Now that I think about it, the SetupTasks feature could be a better option. Would that work?
SetupTasks is useful for initial static setup (provisioning assets, users, rules, etc.).
Whether this suits your use case depends on whether you know all the rules that are needed upfront.
The setup tasks could be used to provision service users and to add the admin realm role.