python-keycloak icon indicating copy to clipboard operation
python-keycloak copied to clipboard

Published 20 hours ago verified publisher icon marcospereirampj

get_client_roles_of_user returns empty list

Open PeterPilley opened this issue 4 years ago • 6 comments
trafficstars

Using keycloak_admin.get_available_client_roles_of_user(user_id="user_id", client_id="client_id") no error is returned, however it returns an emtpy list

Have searched around but cannot find any info as to why or what I am doing wrong.

Any help is appreciated

PeterPilley avatar Aug 30 '21 04:08 PeterPilley

Works for me. The user has a client role assigned?

double-a avatar Sep 16 '21 16:09 double-a

Sorry missed the reply. Yep the user has a client role assigned. Weirdly if I setup a user without a role it returns the roles that are available for the user. But if they have a role assigned it returns empty.

PeterPilley avatar Sep 28 '21 22:09 PeterPilley

That is actually intentional behavior. The method get_available_client_roles_of_user returns all client roles which are not assigned to the user but are available to be assigned to the user. It does not list all available roles for the user, only lists the ones to which the user hasn't been assigned yet.

In the Keycloak Admin interface, it essentially returns the list visible under the Available Roles, see the image.

Screenshot 2022-05-18 at 21 11 09 .

ryshoooo avatar May 18 '22 19:05 ryshoooo

Hi

I experienced a similar issue. But in my case, my user has not role assigned.

I have a Client, with its associated ServiceAccount. Both are freshly created.

When I use client.get_available_client_roles_of_user(service_user_id, realm_client_uid), I have an empty list. However, when I look at what queries the frontend does, I see that it call this route: "admin/realms/{realm-name}/ui-ext/available-roales/users/{id}", and it work fine.

The current route called by get_available_client_roles_of_user is "admin/realms/{realm-name}/users/{id}/role-mappings/clients/{client-id}/available".

Is it on purpose?

Should I make a PR with this new endpoint, or should I update the endpoint used?

Thanks a lot

Just FYI, I am using Keycloak 21.1.1

avoiney-ledger avatar Jun 22 '23 10:06 avoiney-ledger

Hi @avoiney-ledger

These are new endpoints for a better UX in the Keycloak console. The current implementation of python-keycloak covers most of the past versions of Keycloak and there are many users of this library that use old Keycloak versions. Considering that these endpoints are available only for Keycloak >= 21, I'd prefer a new method for this API endpoint rather than creating a breaking change in get_available_client_roles_of_user for some users :)

ryshoooo avatar Jun 23 '23 06:06 ryshoooo

Hi @ryshoooo

Thanks a lot. It's perfectly clear, I will try to make a PR with this new endpoint then!

avoiney-ledger avatar Jun 23 '23 07:06 avoiney-ledger