Currently I have multiple Keycloak users. In my frontend, one user should be able to receive all users from keycloak for further processing.
This is why I came up with this endpoint: KEYCLOAK_URL/auth/admin/realms/REALM/users
This gives me the following output:
[
    {
        "id": "ebe12164-9097-49c0-a1dd-809dbc63b6bf",
        "createdTimestamp": 1604691601645,
        "username": "test@test.de",
        "enabled": true,
        "totp": false,
        "emailVerified": false,
        "firstName": "test",
        "lastName": "test",
        "email": "test@test.de",
        "disableableCredentialTypes": [],
        "requiredActions": [],
        "notBefore": 0,
        "access": {
            "manageGroupMembership": false,
            "view": true,
            "mapRoles": false,
            "impersonate": false,
            "manage": false
        }
    },
    ...
]
The question: Is there a way to restrict which fields of the users are returned by keycloak? For example only the "id" and the "username" and not the other things which might be more sensitive like the "access" part?
To get the content returned by the endpoint KEYCLOAK_URL/auth/admin/realms/REALM/users, you need to know the credentials of an admin-alike user (with the proper roles), then use those credentials to get a token on behalf of that user, and finally use that token to get the information from that endpoint.
All of this to say that from an admin-alike user point of view that information is not sensitive, for instance, there are no user credentials being shared. Hence, it does not make sense to try to filter out the content sent by that endpoint, since that endpoint is meant to be used by the admin-alike user, who can access all that information on the admin console anyway.
In my frontend, one user should be able to receive all users from keycloak for further processing.
Even if you assign the role 'view-users' to that user so that it can get the other users' information, the response would still come with all the information that you have shown.
Assuming that you have a backend, I would say that the simpler solution is to create a custom endpoint that returns you the list of users.
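As an added illustration of the backend approach suggested above (this is example code written for this page, not code from the original post or from Keycloak), the following Python module has a backend obtain a token for a service account, call the admin users endpoint, and hand the frontend only an allow-listed projection (id and username), so the "access" block and the other attributes never leave the server. Assumptions not present in the post: a confidential client whose service account holds the realm-management role "view-users"; the legacy token path /auth/realms/REALM/protocol/openid-connect/token (matching the /auth prefix in the post's URLs); the hypothetical hostname keycloak.example.com and realm name; the "first"/"max" paging parameters of the admin endpoint; and an injectable transport (`send`) so the example runs offline against a constructed copy of the response shape shown in the question.

```python
"""Backend proxy for the Keycloak admin users endpoint (added example, not from the post)."""
import json
import urllib.parse
import urllib.request

KEYCLOAK_URL = "https://keycloak.example.com"  # assumption: hypothetical host
REALM = "myrealm"                                # assumption: hypothetical realm
SAFE_FIELDS = ("id", "username")                 # allow-list of what the frontend may see

# Constructed sample of an admin /users response; the first entry mirrors the shape from
# the question, the second is made up to show the projection over several users.
SAMPLE_ADMIN_RESPONSE = [
    {
        "id": "ebe12164-9097-49c0-a1dd-809dbc63b6bf",
        "createdTimestamp": 1604691601645,
        "username": "test@test.de",
        "enabled": True,
        "totp": False,
        "emailVerified": False,
        "firstName": "test",
        "lastName": "test",
        "email": "test@test.de",
        "disableableCredentialTypes": [],
        "requiredActions": [],
        "notBefore": 0,
        "access": {"manageGroupMembership": False, "view": True,
                   "mapRoles": False, "impersonate": False, "manage": False},
    },
    {"id": "11111111-2222-3333-4444-555555555555", "username": "alice",
     "email": "alice@example.com", "enabled": True,
     "access": {"view": True, "manage": True}},
]


def project_users(users, fields=SAFE_FIELDS):
    """Allow-list projection: copy only the named fields. Anything Keycloak adds later
    (or anything sensitive such as "access") is dropped instead of echoed through."""
    return [{f: u[f] for f in fields if f in u} for u in users]


def token_request(client_id, client_secret):
    """Client-credentials grant for the backend's own service account (assumed setup)."""
    url = f"{KEYCLOAK_URL}/auth/realms/{REALM}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def users_request(access_token, first=0, max_results=100):
    """GET /auth/admin/realms/REALM/users with the service-account token as bearer."""
    query = urllib.parse.urlencode({"first": first, "max": max_results})
    url = f"{KEYCLOAK_URL}/auth/admin/realms/{REALM}/users?{query}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


def _http_json(req):
    """Real transport: perform the request and parse the JSON body."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def list_users_for_frontend(client_id, client_secret, send=_http_json):
    """What the backend's own endpoint returns to the browser: id and username only.
    `send` is the transport (request -> parsed JSON); injectable for offline use."""
    token = send(token_request(client_id, client_secret))["access_token"]
    users = send(users_request(token))
    return project_users(users)


def fake_send(req):
    """Offline transport for the demo: answers the token call, then the users call,
    refusing the users call if the bearer header is missing."""
    if req.get_method() == "POST" and req.full_url.endswith("/token"):
        return {"access_token": "fake-token", "token_type": "Bearer"}
    if req.get_header("Authorization") != "Bearer fake-token":
        raise PermissionError("admin endpoint called without the service-account token")
    return SAMPLE_ADMIN_RESPONSE


if __name__ == "__main__":
    # Offline run against the constructed sample; swap fake_send for the default
    # transport and real client credentials to talk to an actual Keycloak.
    print(json.dumps(list_users_for_frontend("backend-svc", "secret", send=fake_send), indent=2))
```

The projection is an allow-list rather than a deny-list on purpose: a future Keycloak version can add attributes to the representation without the backend accidentally forwarding them, and the service-account token never reaches the frontend, which is the property the answer above is after.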