Update non admin user's profile using REST API

Hi Keycloak community.

May I please ask whether there is a way to use the REST API to change a user's profile details (e.g. firstName, lastName, username, email, etc.) using the user's own access token.

I know it's documented that there is an Admin REST API, but is there a client (non-admin) API, or must everything be done via the Admin REST API?

Thanks in advance.

@h4xhor

After a user has successfully logged into your application, you can redirect them to their Keycloak User Account Service page, where they can update their Keycloak account details.

Hi Robinyo, thanks very much for the solution!

@Robinyo So, if I understood you correctly, the answer is “NO - you cannot use the REST API with the user's token; if you want to use the API you have to use the Admin REST API”, right?

May I ask, why isn’t there such an API for the user itself? What are the concerns about it?

@webdeb

The only Keycloak REST API I am aware of is the Administration REST API.

Hi h4xhor,

You can change user details with the Admin REST API, but in order to do so you need to work with the access token of a user who has the correct permission to do so.

For example, let's say you have a user named “admin” and that user has admin permissions like this:

So this user can edit other users' details with the administration console, and technically if you can do it with the console you can do it with the API.

The steps are:

  1. Using the REST API, perform a login with the admin user credentials
  2. Get the access token from the response
  3. Get all users using the correct REST API endpoint, using the access token
  4. Find the user that you want to edit and get its ID
  5. Send a PUT request with the new user details like this:

PUT
{{keycloak_url}}/admin/realms/{{realm}}/users/{{userId}}

{
  "id": "56f6c53f-5150-4b42-9757-4c3dd4e7d947",
  "enabled": false,
  "firstName": "Clark",
  "lastName": "Kent"
}

Note that some properties you can't change (like username, since it's a unique ID in KC).

Someone created a very detailed list of the actions the REST API supports.
Here is a list of actions you can perform via the API.

I'm not an expert, but I've been using the API for some time now, so feel free to ask if something is not clear.

Hi Keycloak,

With the huge 24 update we are eager to use the new User Profiles.
We would like to allow users to update their profiles via the REST API. At the moment it's not possible, right?
Is it correct that only the admin/ endpoint is allowed to change user info?

If this is by design and will stay like that should we go this route:

  1. We have a separate Node.js app that has an admin user for Keycloak
  2. The client app sends the updated user profile to the Node.js app along with the user's token
  3. The Node.js app validates the token (using Keycloak's public key) and, if it is valid, updates the user info via the admin/ endpoint.

Best,
Anton

Congratulations, you are happily creating a man-in-the-middle-scenario.

There is no way to use a REST API for doing this. For reasons!

Use the required action to allow a user to update the password. This can also be called directly. See e.g. my blog post.

Hi Mr. Keycloak,

thank you for your reply!
Out of interest, would you please explain what reasons there are against allowing users to update their profiles via the REST API? The user is logged in and has a valid access token, so why won't Keycloak allow her to update some fields in her profile?

Do you mean, the man-in-the-middle scenario I’ve described is a bad idea? What route should we take if we want to allow users to change some fields in their User Profiles from within our App?

Best,
Anton

It's not a REST API - it's the ADMIN REST API.
It's for admin purposes only, not for users!
For using the ADMIN REST API, a user needs - guess what - ADMIN rights. And these are not as fine-grained as you think/want them to be.

If a user wants to change their data, there is the account API available. The account console is using this API, so just open your browser dev/network console and see which requests are being made.
And for password updates, use the required actions. They are here for exactly this reason!
Everything else is …
Sorry for the words, but this is coming up again and again and was and is asked frequently here. A bit of research would help a lot.
By people acting like “but I want to use a REST API”, security gets ad absurdum.

Yes, thank you!
I've done my research and also read your post about the undocumented Account API. Probably there are also reasons why it is not documented?

I'm aware that Keycloak currently allows changing Userinfo only via the Admin REST API; that is what I wrote in my initial question by mentioning the admin/ endpoint. And sure, updating a password is something special and should be handled with care by Keycloak. But what's wrong with updating some custom fields of the newly introduced User Profile?

Obviously normal users don't have admin rights. So our idea was to introduce this middle-man server-side app, which has admin rights. The user sends their updated fields along with a token to this server-side app, the app checks whether the user that wants to update their profile has a valid token, and if so, the app updates the profile via the Admin REST API. We would really like to know what's wrong with this approach and what security flaws come with it. And what is the best scenario to solve this?

Thank you,
Anton

The best scenario for your requirements is the account API. Although it's not documented, it's here to be used. The reasons for not documenting it can only be answered by someone from the Keycloak team, but I heavily suspect that nobody simply had the time or motivation to do this (as is often the case in projects).

Sure, our server-side app approach is just a workaround for the official Account API being missing (at least in the docs). Of course, if this is the official way to go, we would love to use it!

Best,
Anton