I am trying to retrieve a list of users based on their roles. I have this role: ROLE_ADMIN. I would like to retrieve every user that has this role.
I tried it with this endpoint:
http://10.10.10.10:5555/auth/demo-realm/clients/e286a05c-6641-49c3-bb7c-ffe5dd2d8c66/roles/ROLE_ADMIN/users
but it sends me back this:
{ "error": "RESTEASY003210: Could not find resource for full path: http://10.10.10.10:5555/auth/demo-realm/clients/e286a05c-6641-49c3-bb7c-ffe5dd2d8c66/roles/ROLE_ADMIN/users" }
I found the endpoint here: https://www.keycloak.org/docs-api/11.0/rest-api/index.html under "Return List of Users that have the specified role name".
I can reach these endpoints, for example:
http://10.10.10.10:5555/auth/realms/demo-realm/protocol/openid-connect/token
What did I miss? What makes this not work?
Thanks in advance.
Update: The /auth path was removed starting with the Keycloak 17 Quarkus distribution, so you might need to remove the /auth from the endpoint calls presented in this answer.
To get the users associated with a given Realm role, you need to call the endpoint:
GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/roles/<ROLE_NAME>/users
To get the users associated with a given Client role, you need to call this endpoint:
GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/clients/<CLIENT_ID>/roles/<ROLE_NAME>/users
where <CLIENT_ID> is the ID of the client to which the <ROLE_NAME> belongs.
Finally, to get the client ID, you can call this endpoint:
GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/clients?clientId=<ID_OF_CLIENT>
Note that the client ID is the unique ID generated by Keycloak, whereas <ID_OF_CLIENT> is the Client ID that you have given to your Keycloak client.
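The two-step lookup from the answer above, as an added example (not part of the original answer and not Keycloak's own code): it resolves the Client ID to the Keycloak-generated ID, then pages through the role's users with the endpoint's `first`/`max` query parameters so an audit of ROLE_ADMIN holders is not cut short. The function names, the `keycloak.example` host, the `my-app` client and the token placeholder are assumptions; the caller is assumed to already hold a bearer token allowed to use the Admin REST API.

```python
import json
import urllib.parse
import urllib.request

def admin_base(host, realm, legacy_auth_path=True):
    # Keycloak 17+ (Quarkus) dropped the /auth prefix; pass legacy_auth_path=False there.
    prefix = "/auth" if legacy_auth_path else ""
    return f"{host.rstrip('/')}{prefix}/admin/realms/{urllib.parse.quote(realm, safe='')}"

def http_get_json(url, token):
    # Plain bearer-token GET against the Admin REST API.
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def client_uuid(base, client_id, token, get=http_get_json):
    # Map the Client ID you chose to the unique ID generated by Keycloak.
    url = f"{base}/clients?{urllib.parse.urlencode({'clientId': client_id})}"
    matches = [c for c in get(url, token) if c.get("clientId") == client_id]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one client {client_id!r}, got {len(matches)}")
    return matches[0]["id"]

def users_with_client_role(base, client_id, role, token, get=http_get_json, page=100):
    # Page with first/max so a long membership list is not silently truncated.
    uuid = client_uuid(base, client_id, token, get)
    role_path = urllib.parse.quote(role, safe="")
    users, first = [], 0
    while True:
        query = urllib.parse.urlencode({"first": first, "max": page})
        batch = get(f"{base}/clients/{uuid}/roles/{role_path}/users?{query}", token)
        users.extend(batch)
        if len(batch) < page:
            return users
        first += page

if __name__ == "__main__":
    # Offline demo with constructed responses; omit get=fake to call a real server.
    def fake(url, token):
        if "/clients?" in url:
            return [{"id": "0000-constructed-uuid", "clientId": "my-app"}]
        return [{"id": "u1", "username": "alice"}]
    base = admin_base("http://keycloak.example:8080", "demo-realm")
    print(users_with_client_role(base, "my-app", "ROLE_ADMIN", "<TOKEN>", get=fake))
```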