I would like to automate the creation of a few Groovy rules. However, only the superuser is allowed to create such rules and I still couldn’t find a way to authenticate programmatically as a superuser (e.g., admin).
How can I do that?
Until we have a robust groovy sandbox then indeed you need to be a superuser to create groovy rules (as well as have the `write:rules` client role).
A superuser is defined as a user in the master realm with the `admin` realm role; as this cannot be set with the users page in the manager UI you can go to the Keycloak admin UI `/admin` and you can manually add the `admin` realm role to your master realm service user as follows:
- Login as admin
- Select master realm
- Select clients (service users are actually defined as clients with a service user account)
- Select the client with the same name as your service user
- Service Account Roles tab
- Select the `admin` realm role and click
Thank you for your response. Unfortunately, that approach requires more user interaction than we would like.
Is it possible to add the “admin” role programmatically?
Something that would be acceptable for us is to open the browser for the user to log-in when needed. Could this be done?
Keycloak has a REST API (which is what our manager uses to manage users) so you could also use that programmatically to add the `admin` role; I don’t know your use case but I assume you want to do this for lots of users over time? Are you using the auto provisioning functionality over MQTT or are your service users being manually created?
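
The Keycloak Admin REST API sequence for the manual steps listed earlier in this thread, as an added example that is not part of the original posts or OpenRemote's own code. It assumes Keycloak is served under `base_url`, that the Keycloak admin authenticates through the built-in `admin-cli` client with the password grant, and that the caller supplies the service user's client ID; `send` is an injectable transport (an assumption of this example) so the flow can be exercised without a server.

```python
import json
import urllib.parse
import urllib.request

def http_send(method, url, headers, body=None):
    """Default transport: returns parsed JSON, or None for an empty response."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def grant_realm_role(base_url, admin_user, admin_password, service_client_id,
                     send=http_send, realm="master", role_name="admin"):
    """Map a realm role onto the service account behind `service_client_id`.
    Returns True if the role was added, False if it was already mapped."""
    # 1. Access token for the Keycloak admin (master realm, admin-cli client).
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": admin_user, "password": admin_password})
    token = send("POST", f"{base_url}/realms/master/protocol/openid-connect/token",
                 {"Content-Type": "application/x-www-form-urlencoded"},
                 form.encode())["access_token"]
    auth = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    admin = f"{base_url}/admin/realms/{realm}"
    # 2. Client ID -> internal client UUID -> its service account user.
    query = urllib.parse.urlencode({"clientId": service_client_id})
    clients = send("GET", f"{admin}/clients?{query}", auth)
    if len(clients) != 1:
        raise LookupError(f"expected exactly one client named {service_client_id!r}")
    user = send("GET", f"{admin}/clients/{clients[0]['id']}/service-account-user", auth)
    # 3. Idempotence: do nothing if the role is already mapped.
    mappings = f"{admin}/users/{user['id']}/role-mappings/realm"
    if any(r["name"] == role_name for r in send("GET", mappings, auth)):
        return False
    # 4. Fetch the role representation and post it as a one-element list.
    role = send("GET", f"{admin}/roles/{role_name}", auth)
    send("POST", mappings, auth, json.dumps([role]).encode())
    return True
```
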
Our use case is setting up OR instances, including adding rules and so on.
Now that I think about it, the SetupTasks feature could be a better option. Would that work?
SetupTasks is useful for initial static setup (provisioning assets, users, rules, etc.).
Whether this suits your use case depends on whether you know all the rules that are needed upfront.
The setup tasks could be used to provision service users and to add the admin realm role.