Keycloak: How to enable unmanagedAttributePolicy over REST API?

Question

since Keycloak v24 custom UserAttributes are not turned on by default (https://github.com/keycloak/keycloak/issues/9889). The options are explained here: https://www.keycloak.org/docs/latest/server_admin/#_understanding-managed-and-unmanaged-attributes

I use the Python3 Keycloak Module (https://pypi.org/project/python-keycloak/) to communicate with the keycloak REST API. However, when creating a realm, I cannot set the UnmanagedAttributePolicy to enable these custom user attributes and the official documentation is rather lacking (https://www.keycloak.org/docs-api/24.0.1/rest-api/index.html#UnmanagedAttributePolicy).

Does anyone know how to to this? Thanks in advance!

Answer 1

In the python-keycloak has no profile API but you can do it by raw_put() (PUT REST API)

And profile PUT's payload has previous attributes too. So I call GET API first, add unmanaged attribute then call PUT API.

Demo

from keycloak import KeycloakOpenIDConnection, KeycloakAdmin
import json

keycloak_connection = KeycloakOpenIDConnection(
                        server_url='http://localhost:8080',
                        username='admin',
                        password='admin',
                        realm_name='master',
                        client_id='admin-cli',
                        verify=True
)
keycloak_admin = KeycloakAdmin(connection=keycloak_connection)

keycloak_admin.change_current_realm('my-realm')

current = keycloak_admin.get_current_realm()
print('current realm : ' + current)

# Get current profile
profile_url = 'http://localhost:8080/admin/realms/my-realm/users/profile'
profiles = keycloak_connection.raw_get(profile_url)
attributes = profiles.json()['attributes']

# Add unmanaged Attribute
attributes.append({
      'name': 'custom',
      'displayName': '${custom}',
      'validations': {'length': {'max': 255}},
      'annotations': {},
      'permissions': { 'view': ['admin'], 'edit': ['admin', 'user'] },
      'multivalued': False
    })

# new profile's payload
new_profiles = {
  'attributes' : attributes,
  'groups': profiles.json()['groups'],
  'unmanagedAttributePolicy':'ENABLED' # 'ADMIN_VIEW', 'ADMIN_EDIT'
}

# Update profile
result = keycloak_connection.raw_put(profile_url,json.dumps(new_profiles))
print(result)

# Get new profile
update_profiles = keycloak_connection.raw_get(profile_url)
print(json.dumps(update_profiles.json()))

Result

Added custom attributes

Detail custom attribute

Confirm by Postman

API documentation

In here

        {
            "name": "custom",
            "displayName": "${custom}",
            "validations": {
                "length": {
                    "max": 255
                }
            },
            "annotations": {},
            "permissions": {
                "view": [
                    "admin"
                ],
                "edit": [
                    "admin",
                    "user"
                ]
            },
            "multivalued": false
        }

unmanagedAttributePolicy setting

documentation in here

new_profiles = {
  'attributes' : attributes,
  'groups': profiles.json()['groups'],
  'unmanagedAttributePolicy':'ENABLED' # 'ADMIN_VIEW', 'ADMIN_EDIT'
}