CCCHH/keycloak-attribute-endpoints-provider

A Keycloak provider to get users profile attributes via authenticated API endpoints.

Java 100%

Find a file

kritzl 1381bf6b2a update README		2026-02-17 16:16:48 +01:00
attribute-endpoints-provider	update README	2026-02-17 16:16:48 +01:00
.gitignore	gitignore .DS_Store and .vscode	2025-10-31 19:35:32 +01:00
compose.yaml	rename provider	2026-02-17 15:26:47 +01:00
README.md	update README	2026-02-17 16:16:48 +01:00
realm-export.json	Attempt to use the UiPageProvider to configure endpoints	2026-02-17 13:17:42 +01:00
test.json	Attempt to use the UiPageProvider to configure endpoints	2026-02-17 13:17:42 +01:00

README.md

Attribute Endpoints Provider

This is a Keycloak Provider that exports an anonymized list of user profile attribute values. For this it will provide API endpoints for every configured attribute-group. The configuration of the provider is possible via an admin page.

Every endpoint responds with a list of all attribute values, that:

is in the attribute group matching attribute-group
matches an optional RegEx Pattern attribute-regex
belongs to a user with a role matching match-role
is non-empty

Multivalue attributes are flattened in the response.

Example Setup

We assume an unconfigured, fresh Keycloak installation running under http://localhost:8080.

Add a new realm
e.g. "TestRealm"
Under Realm Settings > User profile > Attributes Group, add a new attribute Group
Example:
- Name = "my-attributes-group"
- Display name = "Endpoint Attributes"
- Display description = "Attributes exported by the provider."
Under Realm Settings > User profile > Attributes, add a new attribute
Example:
- Attribute [Name] = "ssh-keys"
- Display name = "SSH Keys"
- Multivalued = On
- Attribute group = "my-attributes-group"
- Who can edit? = user, admin
- Validators
  You can add validators, which will limit what values the user can enter. These validators are ignored by the provider.
Under Realm roles, add two new roles
Example:
1. Role name = "myattribute-match"
2. Role name = "myattribute-export"
Under Users, add a new user
Example:
- Username = "user"
- Email = "user@example.com"
- First name = "User"
- Last name = "User"
- SSH Keys = "example-value-1", "example-value-2"
In the Settings of the newly created user, go to Role mapping > Assing role > Realm roles and check the role myattribute-match
create a second user to use the provider
- Username = "bot-user"
- Email = "bot@example.com"
- First name = "Bot"
- Last name = "Bot"
- After creating:
  - give it the role myattribute-export
  - set a password in the users settings Creadentials > Set password. For Example "password"
Under 🪪 Attribute Endpoints 🚀 > Create item, add a new endpoint to the provider
Example:
- Slug = "ssh_keys"
- Attribute Group = "my-attributes-group"
- Match Role = "myattribute-match"
- Auth Role = "myattribute-export"
- Attribute RegEx = ".*"

Aquire an OIDC Access Token:

curl --request POST \
    --url http://localhost:8080/realms/TestRealm/protocol/openid-connect/token \
    --header 'content-type: application/x-www-form-urlencoded' \
    --data scope=openid \
    --data username=bot-user \
    --data password=password \
    --data grant_type=password \
    --data client_id=admin-cli

copy the value of the response key access_token and use it in a second request:

curl --request GET \
    --url http://localhost:8080/realms/TestRealm/attribute-endpoints-provider/export/ssh_keys \
    --header 'authorization: Bearer ey...' \
    --header 'content-type: application/json'

You should get a response like this:
```
["example-value-1","example-value-2"]
```

Although this example uses a simple bot account to authenticate to Keycloak, we recommend using a client with service account, when using this provider programmatically.