Authorization Services - Get all users having given permissions through REST API

I am currently implementing User-managed Access to our application. I am wondering, if there is a way to get all users granted permissions to specified resources and scopes.

Having the user ids, I can add the filter to the database query accordingly. I could not find a way through the REST API yet.

Would be great if someone could help.

Hi @aemaem, can you please clarify what you mean by "get all users granted permissions to specified resources and scopes"?

Sure, sorry I could not express it clearly enough.

I’d like to get a list of user ids from the Keycloak REST API, where certain permissions evaluate to true for these users.

With the Evaluation endpoint, I can evaluate which permissions a user has.

curl 'http://localhost:8088/admin/realms/<REALM_NAME>/clients/<CLIENT_UUID>/authz/resource-server/policy/evaluate' \
  -H 'authorization: Bearer eyJ...' \
  --data-raw '{"roleIds":[],"userId":"<USER_ID>","resources":[],"entitlements":false,"context":{"attributes":{}}}'

Returns a list of permissions the user with <USER_ID> has access to.

Now I would like to do the same, but not based on a user id but on a resource, scope, policy or permission. Maybe a made-up request makes it clear:

curl 'http://localhost:8088/admin/realms/<REALM_NAME>/clients/<CLIENT_UUID>/authz/resource-server/policy/evaluate?result=userIds' \
  -H 'authorization: Bearer eyJ...' \
  --data-raw '{"resources":[<RESOURCE_NAME_1>],"scopes":[<SCOPE_NAME_1>] ,"entitlements":false,"context":{"attributes":{}}}'

This should result in a list of all user ids who have access to <RESOURCE_NAME_1> with Scope <SCOPE_NAME_1>.


you mean a solution like adding all scopes to the accessToken under a kind of “permissions” claim maybe?


No, I want to ask: Which users have permission x?

I don’t think you can get the list of users based on permission. You should do the opposite: loop over all the users and check whether they have the permission or not. Based on that you can return the list of users who are granted that permission.

You can create an out-of-the-box endpoint and register it to Keycloak as a web resource.

@aemaem
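The "loop over all users and evaluate each one" approach from the answer above, as an added example (not code from the thread or from Keycloak). It reuses the placeholders and the evaluate endpoint shown in the question; the paged users endpoint, the `resources` request shape and the `results[].resource.name` / `status` / `allowedScopes` response layout are assumptions about the Keycloak admin API, and the sample response is constructed.

```python
import json
import urllib.request

# Placeholders from the thread; replace with real values before running online.
BASE = "http://localhost:8088"
REALM = "<REALM_NAME>"
CLIENT_UUID = "<CLIENT_UUID>"
TOKEN = "eyJ..."

# Constructed sample of what the evaluate endpoint is assumed to return.
SAMPLE_EVALUATION = {"results": [
    {"resource": {"name": "doc-1"}, "status": "PERMIT", "allowedScopes": [{"name": "read"}]},
    {"resource": {"name": "doc-2"}, "status": "DENY", "scopes": [{"name": "read"}]},
]}


def is_granted(evaluation: dict, resource: str, scope: str) -> bool:
    """True if one PERMIT result covers `resource` and lists `scope` as allowed."""
    for result in evaluation.get("results", []):
        if result.get("resource", {}).get("name") != resource:
            continue
        if result.get("status") != "PERMIT":
            continue
        allowed = result.get("allowedScopes") or result.get("scopes") or []
        if any(s.get("name") == scope for s in allowed):
            return True
    return False


def _call(method: str, path: str, body=None):
    """Send one admin REST request with the bearer token and decode the JSON reply."""
    req = urllib.request.Request(
        BASE + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {TOKEN}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def users_with_permission(resource: str, scope: str, page_size: int = 100) -> list:
    """Page through every user in the realm, evaluate each one, keep the permitted ids."""
    granted, first = [], 0
    while True:
        users = _call("GET", f"/admin/realms/{REALM}/users?first={first}&max={page_size}")
        if not users:
            return granted
        for user in users:
            body = {"roleIds": [], "userId": user["id"], "entitlements": False,
                    "resources": [{"name": resource, "scopes": [{"name": scope}]}],
                    "context": {"attributes": {}}}
            ev = _call("POST", f"/admin/realms/{REALM}/clients/{CLIENT_UUID}"
                       "/authz/resource-server/policy/evaluate", body)
            if is_granted(ev, resource, scope):
                granted.append(user["id"])
        first += page_size
```

One evaluate call per user is costly on large realms, so cache the result or restrict the user query (e.g. by group) where the filter allows.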

@lamoboos223 thanks for the clarification!