A Keycloak provider to get users profile attributes via authenticated API endpoints.
  • Java 94%
  • Shell 5.1%
  • Makefile 0.9%
Find a file
Stefan Bethke c9f36f7100
All checks were successful
/ Verify (pull_request) Successful in 41s
Add exporting individual attributes
Based off #32

Also:
* rework README.md
* improve configuration error messages
2026-07-19 13:38:10 +02:00
.forgejo/workflows Spell option correctly 2026-07-18 21:41:42 +02:00
attribute-endpoints-provider Add exporting individual attributes 2026-07-19 13:38:10 +02:00
testing Add exporting individual attributes 2026-07-19 13:38:10 +02:00
.gitignore gitignore .DS_Store and .vscode 2025-10-31 19:35:32 +01:00
LICENSE.txt license this project 2026-04-03 23:10:26 +02:00
Makefile Add just the testing setup from #26. 2026-07-19 10:27:51 +02:00
README.md Add exporting individual attributes 2026-07-19 13:38:10 +02:00
renovate.json Migrate config renovate.json 2026-04-03 22:02:08 +00:00

Attribute Endpoints Provider - Export User Attributes

This is a Keycloak Provider that exports user profile attribute values. The selection of attributes and authorization is manage through an endpoint configuration.

Usage

The provider adds an object type "Attribute Endpoints" to the Keycloak admin website. You configure the provider by creating one or more endpoint configurations.

Each endpoint configuration requires:

  • a name that is the reference in the endpoint URL (slug)
  • the name of a role that the calling user must have to be allowed to query this endpoint
  • the name of an attribute or an attribute group that should be exported
  • the name of a role that users must have to be included in the list
  • an optional regular expression that must match to have a value included

Note

The attribute (group) and the roles need to exist before you can create the endpoint configuration.

There are two endpoints returning JSON:

  • export/slug: collate all attribute values into a single list
  • export/slug/map: produce a map of lists, with the key being the attribute name

No other data is included in the response, in particular, there is no information on which attribute value is associated with which user.

User Attribute values can be single or multi-value; the resulting list will include them as a flattened list.

⚠️ Note The authorization and the selection of the user attributes are not tied together in any way. Every user that has the matching role will have all the attributes included that are specified in the endpoint configuration. In other words, if you are exporting an attribute group, all attributes will be included.

⚠️ Note Keycloak has no concept of authorization for individual user attributes (for example, based on assigned roles). Users will be able to see and edit any attribute that has been made available to users, irrespective of whether a user would be included in an endpoint configuration export or not.

Building

Maven is required for building the provider.

Once all dependencies are met, simply call make to build the provider, which should then produce a attribute-endpoints-provider-1.0-SNAPSHOT.jar in the attribute-endpoints-provider/target/ directory.

There's also make clean available for removing the output directory.

To add the provider to your Keycloak install, copy attribute-endpoints-provider/target/attribute-endpoints-provider-1.0-SNAPSHOT.jar to the Keycloak Provider directory (/opt/keycloak/providers/).

Testing Setup

See testing/README.md for details on the Docker Compose based setup that includes a realm and the ability to attach a debugger to the running Keycloak.