@lap v0.3 # Machine-readable API spec. Each @endpoint block is one API call. @api Keycloak Admin REST API @version 1 @auth Bearer bearer @endpoints 281 @hint download_for_search @toc root(2), {id}(1), {realm}(278) @group root @endpoint GET / @desc Get themes, social providers, auth providers, and event listeners available on this server @returns(2XX) {builtinProtocolMappers: map, clientImporters: [map], clientInstallations: map, componentTypes: map, enums: map, identityProviders: [map], memoryInfo: map{free: int(int64), freeFormated: str, freePercentage: int(int64), total: int(int64), totalFormated: str, used: int(int64), usedFormated: str}, passwordPolicies: [map], profileInfo: map{disabledFeatures: [str], experimentalFeatures: [str], name: str, previewFeatures: [str]}, protocolMapperTypes: map, providers: map, socialProviders: [map], systemInfo: map{fileEncoding: str, javaHome: str, javaRuntime: str, javaVendor: str, javaVersion: str, javaVm: str, javaVmVersion: str, osArchitecture: str, osName: str, osVersion: str, serverTime: str, uptime: str, uptimeMillis: int(int64), userDir: str, userLocale: str, userName: str, userTimezone: str, version: str}, themes: map} # success @endpoint POST / @desc Import a realm Imports a realm from a full representation of that realm. @optional {accessCodeLifespan: int(int32), accessCodeLifespanLogin: int(int32), accessCodeLifespanUserAction: int(int32), accessTokenLifespan: int(int32), accessTokenLifespanForImplicitFlow: int(int32), accountTheme: str, actionTokenGeneratedByAdminLifespan: int(int32), actionTokenGeneratedByUserLifespan: int(int32), adminEventsDetailsEnabled: bool, adminEventsEnabled: bool, adminTheme: str, attributes: map, authenticationFlows: [map{alias: str, authenticationExecutions: [map], builtIn: bool, description: str, id: str, providerId: str, topLevel: bool}], authenticatorConfig: [map{alias: str, config: map, id: str}], browserFlow: str, browserSecurityHeaders: map, bruteForceProtected: bool, clientAuthenticationFlow: str, clientScopeMappings: map, clientScopes: [map{attributes: map, description: str, id: str, name: str, protocol: str, protocolMappers: [map]}], clientSessionIdleTimeout: int(int32), clientSessionMaxLifespan: int(int32), clients: [map{access: map, adminUrl: str, alwaysDisplayInConsole: bool, attributes: map, authenticationFlowBindingOverrides: map, authorizationServicesEnabled: bool, authorizationSettings: map, baseUrl: str, bearerOnly: bool, clientAuthenticatorType: str, clientId: str, consentRequired: bool, defaultClientScopes: [str], defaultRoles: [str], description: str, directAccessGrantsEnabled: bool, enabled: bool, frontchannelLogout: bool, fullScopeAllowed: bool, id: str, implicitFlowEnabled: bool, name: str, nodeReRegistrationTimeout: int(int32), notBefore: int(int32), optionalClientScopes: [str], origin: str, protocol: str, protocolMappers: [map], publicClient: bool, redirectUris: [str], registeredNodes: map, registrationAccessToken: str, rootUrl: str, secret: str, serviceAccountsEnabled: bool, standardFlowEnabled: bool, surrogateAuthRequired: bool, webOrigins: [str]}], components: map{empty: bool, loadFactor: num(float), threshold: int(int32)}, defaultDefaultClientScopes: [str], defaultGroups: [str], defaultLocale: str, defaultOptionalClientScopes: [str], defaultRoles: [str], defaultSignatureAlgorithm: str, directGrantFlow: str, displayName: str, displayNameHtml: str, dockerAuthenticationFlow: str, duplicateEmailsAllowed: bool, editUsernameAllowed: bool, emailTheme: str, enabled: bool, enabledEventTypes: [str], eventsEnabled: bool, eventsExpiration: int(int64), eventsListeners: [str], failureFactor: int(int32), federatedUsers: [map{access: map, attributes: map, clientConsents: [map], clientRoles: map, createdTimestamp: int(int64), credentials: [map], disableableCredentialTypes: [str], email: str, emailVerified: bool, enabled: bool, federatedIdentities: [map], federationLink: str, firstName: str, groups: [str], id: str, lastName: str, notBefore: int(int32), origin: str, realmRoles: [str], requiredActions: [str], self: str, serviceAccountClientId: str, username: str}], groups: [map{access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map]}], id: str, identityProviderMappers: [map{config: map, id: str, identityProviderAlias: str, identityProviderMapper: str, name: str}], identityProviders: [map{addReadTokenRoleOnCreate: bool, alias: str, config: map, displayName: str, enabled: bool, firstBrokerLoginFlowAlias: str, internalId: str, linkOnly: bool, postBrokerLoginFlowAlias: str, providerId: str, storeToken: bool, trustEmail: bool}], internationalizationEnabled: bool, keycloakVersion: str, loginTheme: str, loginWithEmailAllowed: bool, maxDeltaTimeSeconds: int(int32), maxFailureWaitSeconds: int(int32), minimumQuickLoginWaitSeconds: int(int32), notBefore: int(int32), offlineSessionIdleTimeout: int(int32), offlineSessionMaxLifespan: int(int32), offlineSessionMaxLifespanEnabled: bool, otpPolicyAlgorithm: str, otpPolicyDigits: int(int32), otpPolicyInitialCounter: int(int32), otpPolicyLookAheadWindow: int(int32), otpPolicyPeriod: int(int32), otpPolicyType: str, otpSupportedApplications: [str], passwordPolicy: str, permanentLockout: bool, protocolMappers: [map{config: map, id: str, name: str, protocol: str, protocolMapper: str}], quickLoginCheckMilliSeconds: int(int64), realm: str, refreshTokenMaxReuse: int(int32), registrationAllowed: bool, registrationEmailAsUsername: bool, registrationFlow: str, rememberMe: bool, requiredActions: [map{alias: str, config: map, defaultAction: bool, enabled: bool, name: str, priority: int(int32), providerId: str}], resetCredentialsFlow: str, resetPasswordAllowed: bool, revokeRefreshToken: bool, roles: map{client: map, realm: [map]}, scopeMappings: [map{client: str, clientScope: str, roles: [str], self: str}], smtpServer: map, sslRequired: str, ssoSessionIdleTimeout: int(int32), ssoSessionIdleTimeoutRememberMe: int(int32), ssoSessionMaxLifespan: int(int32), ssoSessionMaxLifespanRememberMe: int(int32), supportedLocales: [str], userFederationMappers: [map{config: map, federationMapperType: str, federationProviderDisplayName: str, id: str, name: str}], userFederationProviders: [map{changedSyncPeriod: int(int32), config: map, displayName: str, fullSyncPeriod: int(int32), id: str, lastSync: int(int32), priority: int(int32), providerName: str}], userManagedAccessAllowed: bool, users: [map{access: map, attributes: map, clientConsents: [map], clientRoles: map, createdTimestamp: int(int64), credentials: [map], disableableCredentialTypes: [str], email: str, emailVerified: bool, enabled: bool, federatedIdentities: [map], federationLink: str, firstName: str, groups: [str], id: str, lastName: str, notBefore: int(int32), origin: str, realmRoles: [str], requiredActions: [str], self: str, serviceAccountClientId: str, username: str}], verifyEmail: bool, waitIncrementSeconds: int(int32), webAuthnPolicyAcceptableAaguids: [str], webAuthnPolicyAttestationConveyancePreference: str, webAuthnPolicyAuthenticatorAttachment: str, webAuthnPolicyAvoidSameAuthenticatorRegister: bool, webAuthnPolicyCreateTimeout: int(int32), webAuthnPolicyPasswordlessAcceptableAaguids: [str], webAuthnPolicyPasswordlessAttestationConveyancePreference: str, webAuthnPolicyPasswordlessAuthenticatorAttachment: str, webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: bool, webAuthnPolicyPasswordlessCreateTimeout: int(int32), webAuthnPolicyPasswordlessRequireResidentKey: str, webAuthnPolicyPasswordlessRpEntityName: str, webAuthnPolicyPasswordlessRpId: str, webAuthnPolicyPasswordlessSignatureAlgorithms: [str], webAuthnPolicyPasswordlessUserVerificationRequirement: str, webAuthnPolicyRequireResidentKey: str, webAuthnPolicyRpEntityName: str, webAuthnPolicyRpId: str, webAuthnPolicySignatureAlgorithms: [str], webAuthnPolicyUserVerificationRequirement: str} @returns(2XX) success @endgroup @group {id} @endpoint GET /{id}/name @desc Need this for admin console to display simple name of provider when displaying client detail KEYCLOAK-4328 @returns(2XX) success @endgroup @group {realm} @endpoint GET /{realm} @desc Get the top-level representation of the realm It will not include nested information like User and Client representations. @returns(2XX) {accessCodeLifespan: int(int32), accessCodeLifespanLogin: int(int32), accessCodeLifespanUserAction: int(int32), accessTokenLifespan: int(int32), accessTokenLifespanForImplicitFlow: int(int32), accountTheme: str, actionTokenGeneratedByAdminLifespan: int(int32), actionTokenGeneratedByUserLifespan: int(int32), adminEventsDetailsEnabled: bool, adminEventsEnabled: bool, adminTheme: str, attributes: map, authenticationFlows: [map], authenticatorConfig: [map], browserFlow: str, browserSecurityHeaders: map, bruteForceProtected: bool, clientAuthenticationFlow: str, clientScopeMappings: map, clientScopes: [map], clientSessionIdleTimeout: int(int32), clientSessionMaxLifespan: int(int32), clients: [map], components: map{empty: bool, loadFactor: num(float), threshold: int(int32)}, defaultDefaultClientScopes: [str], defaultGroups: [str], defaultLocale: str, defaultOptionalClientScopes: [str], defaultRoles: [str], defaultSignatureAlgorithm: str, directGrantFlow: str, displayName: str, displayNameHtml: str, dockerAuthenticationFlow: str, duplicateEmailsAllowed: bool, editUsernameAllowed: bool, emailTheme: str, enabled: bool, enabledEventTypes: [str], eventsEnabled: bool, eventsExpiration: int(int64), eventsListeners: [str], failureFactor: int(int32), federatedUsers: [map], groups: [map], id: str, identityProviderMappers: [map], identityProviders: [map], internationalizationEnabled: bool, keycloakVersion: str, loginTheme: str, loginWithEmailAllowed: bool, maxDeltaTimeSeconds: int(int32), maxFailureWaitSeconds: int(int32), minimumQuickLoginWaitSeconds: int(int32), notBefore: int(int32), offlineSessionIdleTimeout: int(int32), offlineSessionMaxLifespan: int(int32), offlineSessionMaxLifespanEnabled: bool, otpPolicyAlgorithm: str, otpPolicyDigits: int(int32), otpPolicyInitialCounter: int(int32), otpPolicyLookAheadWindow: int(int32), otpPolicyPeriod: int(int32), otpPolicyType: str, otpSupportedApplications: [str], passwordPolicy: str, permanentLockout: bool, protocolMappers: [map], quickLoginCheckMilliSeconds: int(int64), realm: str, refreshTokenMaxReuse: int(int32), registrationAllowed: bool, registrationEmailAsUsername: bool, registrationFlow: str, rememberMe: bool, requiredActions: [map], resetCredentialsFlow: str, resetPasswordAllowed: bool, revokeRefreshToken: bool, roles: map{client: map, realm: [map]}, scopeMappings: [map], smtpServer: map, sslRequired: str, ssoSessionIdleTimeout: int(int32), ssoSessionIdleTimeoutRememberMe: int(int32), ssoSessionMaxLifespan: int(int32), ssoSessionMaxLifespanRememberMe: int(int32), supportedLocales: [str], userFederationMappers: [map], userFederationProviders: [map], userManagedAccessAllowed: bool, users: [map], verifyEmail: bool, waitIncrementSeconds: int(int32), webAuthnPolicyAcceptableAaguids: [str], webAuthnPolicyAttestationConveyancePreference: str, webAuthnPolicyAuthenticatorAttachment: str, webAuthnPolicyAvoidSameAuthenticatorRegister: bool, webAuthnPolicyCreateTimeout: int(int32), webAuthnPolicyPasswordlessAcceptableAaguids: [str], webAuthnPolicyPasswordlessAttestationConveyancePreference: str, webAuthnPolicyPasswordlessAuthenticatorAttachment: str, webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: bool, webAuthnPolicyPasswordlessCreateTimeout: int(int32), webAuthnPolicyPasswordlessRequireResidentKey: str, webAuthnPolicyPasswordlessRpEntityName: str, webAuthnPolicyPasswordlessRpId: str, webAuthnPolicyPasswordlessSignatureAlgorithms: [str], webAuthnPolicyPasswordlessUserVerificationRequirement: str, webAuthnPolicyRequireResidentKey: str, webAuthnPolicyRpEntityName: str, webAuthnPolicyRpId: str, webAuthnPolicySignatureAlgorithms: [str], webAuthnPolicyUserVerificationRequirement: str} # success @endpoint PUT /{realm} @desc Update the top-level information of the realm Any user, roles or client information in the representation will be ignored. @optional {accessCodeLifespan: int(int32), accessCodeLifespanLogin: int(int32), accessCodeLifespanUserAction: int(int32), accessTokenLifespan: int(int32), accessTokenLifespanForImplicitFlow: int(int32), accountTheme: str, actionTokenGeneratedByAdminLifespan: int(int32), actionTokenGeneratedByUserLifespan: int(int32), adminEventsDetailsEnabled: bool, adminEventsEnabled: bool, adminTheme: str, attributes: map, authenticationFlows: [map{alias: str, authenticationExecutions: [map], builtIn: bool, description: str, id: str, providerId: str, topLevel: bool}], authenticatorConfig: [map{alias: str, config: map, id: str}], browserFlow: str, browserSecurityHeaders: map, bruteForceProtected: bool, clientAuthenticationFlow: str, clientScopeMappings: map, clientScopes: [map{attributes: map, description: str, id: str, name: str, protocol: str, protocolMappers: [map]}], clientSessionIdleTimeout: int(int32), clientSessionMaxLifespan: int(int32), clients: [map{access: map, adminUrl: str, alwaysDisplayInConsole: bool, attributes: map, authenticationFlowBindingOverrides: map, authorizationServicesEnabled: bool, authorizationSettings: map, baseUrl: str, bearerOnly: bool, clientAuthenticatorType: str, clientId: str, consentRequired: bool, defaultClientScopes: [str], defaultRoles: [str], description: str, directAccessGrantsEnabled: bool, enabled: bool, frontchannelLogout: bool, fullScopeAllowed: bool, id: str, implicitFlowEnabled: bool, name: str, nodeReRegistrationTimeout: int(int32), notBefore: int(int32), optionalClientScopes: [str], origin: str, protocol: str, protocolMappers: [map], publicClient: bool, redirectUris: [str], registeredNodes: map, registrationAccessToken: str, rootUrl: str, secret: str, serviceAccountsEnabled: bool, standardFlowEnabled: bool, surrogateAuthRequired: bool, webOrigins: [str]}], components: map{empty: bool, loadFactor: num(float), threshold: int(int32)}, defaultDefaultClientScopes: [str], defaultGroups: [str], defaultLocale: str, defaultOptionalClientScopes: [str], defaultRoles: [str], defaultSignatureAlgorithm: str, directGrantFlow: str, displayName: str, displayNameHtml: str, dockerAuthenticationFlow: str, duplicateEmailsAllowed: bool, editUsernameAllowed: bool, emailTheme: str, enabled: bool, enabledEventTypes: [str], eventsEnabled: bool, eventsExpiration: int(int64), eventsListeners: [str], failureFactor: int(int32), federatedUsers: [map{access: map, attributes: map, clientConsents: [map], clientRoles: map, createdTimestamp: int(int64), credentials: [map], disableableCredentialTypes: [str], email: str, emailVerified: bool, enabled: bool, federatedIdentities: [map], federationLink: str, firstName: str, groups: [str], id: str, lastName: str, notBefore: int(int32), origin: str, realmRoles: [str], requiredActions: [str], self: str, serviceAccountClientId: str, username: str}], groups: [map{access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map]}], id: str, identityProviderMappers: [map{config: map, id: str, identityProviderAlias: str, identityProviderMapper: str, name: str}], identityProviders: [map{addReadTokenRoleOnCreate: bool, alias: str, config: map, displayName: str, enabled: bool, firstBrokerLoginFlowAlias: str, internalId: str, linkOnly: bool, postBrokerLoginFlowAlias: str, providerId: str, storeToken: bool, trustEmail: bool}], internationalizationEnabled: bool, keycloakVersion: str, loginTheme: str, loginWithEmailAllowed: bool, maxDeltaTimeSeconds: int(int32), maxFailureWaitSeconds: int(int32), minimumQuickLoginWaitSeconds: int(int32), notBefore: int(int32), offlineSessionIdleTimeout: int(int32), offlineSessionMaxLifespan: int(int32), offlineSessionMaxLifespanEnabled: bool, otpPolicyAlgorithm: str, otpPolicyDigits: int(int32), otpPolicyInitialCounter: int(int32), otpPolicyLookAheadWindow: int(int32), otpPolicyPeriod: int(int32), otpPolicyType: str, otpSupportedApplications: [str], passwordPolicy: str, permanentLockout: bool, protocolMappers: [map{config: map, id: str, name: str, protocol: str, protocolMapper: str}], quickLoginCheckMilliSeconds: int(int64), realm: str, refreshTokenMaxReuse: int(int32), registrationAllowed: bool, registrationEmailAsUsername: bool, registrationFlow: str, rememberMe: bool, requiredActions: [map{alias: str, config: map, defaultAction: bool, enabled: bool, name: str, priority: int(int32), providerId: str}], resetCredentialsFlow: str, resetPasswordAllowed: bool, revokeRefreshToken: bool, roles: map{client: map, realm: [map]}, scopeMappings: [map{client: str, clientScope: str, roles: [str], self: str}], smtpServer: map, sslRequired: str, ssoSessionIdleTimeout: int(int32), ssoSessionIdleTimeoutRememberMe: int(int32), ssoSessionMaxLifespan: int(int32), ssoSessionMaxLifespanRememberMe: int(int32), supportedLocales: [str], userFederationMappers: [map{config: map, federationMapperType: str, federationProviderDisplayName: str, id: str, name: str}], userFederationProviders: [map{changedSyncPeriod: int(int32), config: map, displayName: str, fullSyncPeriod: int(int32), id: str, lastSync: int(int32), priority: int(int32), providerName: str}], userManagedAccessAllowed: bool, users: [map{access: map, attributes: map, clientConsents: [map], clientRoles: map, createdTimestamp: int(int64), credentials: [map], disableableCredentialTypes: [str], email: str, emailVerified: bool, enabled: bool, federatedIdentities: [map], federationLink: str, firstName: str, groups: [str], id: str, lastName: str, notBefore: int(int32), origin: str, realmRoles: [str], requiredActions: [str], self: str, serviceAccountClientId: str, username: str}], verifyEmail: bool, waitIncrementSeconds: int(int32), webAuthnPolicyAcceptableAaguids: [str], webAuthnPolicyAttestationConveyancePreference: str, webAuthnPolicyAuthenticatorAttachment: str, webAuthnPolicyAvoidSameAuthenticatorRegister: bool, webAuthnPolicyCreateTimeout: int(int32), webAuthnPolicyPasswordlessAcceptableAaguids: [str], webAuthnPolicyPasswordlessAttestationConveyancePreference: str, webAuthnPolicyPasswordlessAuthenticatorAttachment: str, webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: bool, webAuthnPolicyPasswordlessCreateTimeout: int(int32), webAuthnPolicyPasswordlessRequireResidentKey: str, webAuthnPolicyPasswordlessRpEntityName: str, webAuthnPolicyPasswordlessRpId: str, webAuthnPolicyPasswordlessSignatureAlgorithms: [str], webAuthnPolicyPasswordlessUserVerificationRequirement: str, webAuthnPolicyRequireResidentKey: str, webAuthnPolicyRpEntityName: str, webAuthnPolicyRpId: str, webAuthnPolicySignatureAlgorithms: [str], webAuthnPolicyUserVerificationRequirement: str} @returns(2XX) success @endpoint DELETE /{realm} @desc Delete the realm @returns(2XX) success @endpoint GET /{realm}/admin-events @desc Get admin events Returns all admin events, or filters events based on URL query parameters listed here @optional {authClient: str, authIpAddress: str, authRealm: str, authUser: str # user id, dateFrom: str, dateTo: str, first: int(int32), max: int(int32) # Maximum results size (defaults to 100), operationTypes: [str], resourcePath: str, resourceTypes: [str]} @returns(2XX) success @endpoint DELETE /{realm}/admin-events @desc Delete all admin events @returns(2XX) success @endpoint DELETE /{realm}/attack-detection/brute-force/users @desc Clear any user login failures for all users This can release temporary disabled users @returns(2XX) success @endpoint GET /{realm}/attack-detection/brute-force/users/{userId} @desc Get status of a username in brute force detection @returns(2XX) success @endpoint DELETE /{realm}/attack-detection/brute-force/users/{userId} @desc Clear any user login failures for the user This can release temporary disabled user @returns(2XX) success @endpoint GET /{realm}/authentication/authenticator-providers @desc Get authenticator providers Returns a list of authenticator providers. @returns(2XX) success @endpoint GET /{realm}/authentication/client-authenticator-providers @desc Get client authenticator providers Returns a list of client authenticator providers. @returns(2XX) success @endpoint GET /{realm}/authentication/config-description/{providerId} @desc Get authenticator provider’s configuration description @returns(2XX) {helpText: str, name: str, properties: [map], providerId: str} # success @endpoint GET /{realm}/authentication/config/{id} @desc Get authenticator configuration @returns(2XX) {alias: str, config: map, id: str} # success @endpoint PUT /{realm}/authentication/config/{id} @desc Update authenticator configuration @optional {alias: str, config: map, id: str} @returns(2XX) success @endpoint DELETE /{realm}/authentication/config/{id} @desc Delete authenticator configuration @returns(2XX) success @endpoint POST /{realm}/authentication/executions @desc Add new authentication execution @optional {authenticator: str, authenticatorConfig: str, authenticatorFlow: bool, autheticatorFlow: bool, flowId: str, id: str, parentFlow: str, priority: int(int32), requirement: str} @returns(2XX) success @endpoint GET /{realm}/authentication/executions/{executionId} @desc Get Single Execution @returns(2XX) success @endpoint DELETE /{realm}/authentication/executions/{executionId} @desc Delete execution @returns(2XX) success @endpoint POST /{realm}/authentication/executions/{executionId}/config @desc Update execution with new configuration @optional {alias: str, config: map, id: str} @returns(2XX) success @endpoint POST /{realm}/authentication/executions/{executionId}/lower-priority @desc Lower execution’s priority @returns(2XX) success @endpoint POST /{realm}/authentication/executions/{executionId}/raise-priority @desc Raise execution’s priority @returns(2XX) success @endpoint GET /{realm}/authentication/flows @desc Get authentication flows Returns a list of authentication flows. @returns(2XX) success @endpoint POST /{realm}/authentication/flows @desc Create a new authentication flow @optional {alias: str, authenticationExecutions: [map{authenticator: str, authenticatorConfig: str, authenticatorFlow: bool, autheticatorFlow: bool, flowAlias: str, priority: int(int32), requirement: str, userSetupAllowed: bool}], builtIn: bool, description: str, id: str, providerId: str, topLevel: bool} @returns(2XX) success @endpoint POST /{realm}/authentication/flows/{flowAlias}/copy @desc Copy existing authentication flow under a new name The new name is given as 'newName' attribute of the passed JSON object @returns(2XX) success @endpoint GET /{realm}/authentication/flows/{flowAlias}/executions @desc Get authentication executions for a flow @returns(2XX) success @endpoint PUT /{realm}/authentication/flows/{flowAlias}/executions @desc Update authentication executions of a flow @optional {alias: str, authenticationConfig: str, authenticationFlow: bool, configurable: bool, displayName: str, flowId: str, id: str, index: int(int32), level: int(int32), providerId: str, requirement: str, requirementChoices: [str]} @returns(2XX) success @endpoint POST /{realm}/authentication/flows/{flowAlias}/executions/execution @desc Add new authentication execution to a flow @returns(2XX) success @endpoint POST /{realm}/authentication/flows/{flowAlias}/executions/flow @desc Add new flow with new execution to existing flow @returns(2XX) success @endpoint GET /{realm}/authentication/flows/{id} @desc Get authentication flow for id @returns(2XX) {alias: str, authenticationExecutions: [map], builtIn: bool, description: str, id: str, providerId: str, topLevel: bool} # success @endpoint PUT /{realm}/authentication/flows/{id} @desc Update an authentication flow @optional {alias: str, authenticationExecutions: [map{authenticator: str, authenticatorConfig: str, authenticatorFlow: bool, autheticatorFlow: bool, flowAlias: str, priority: int(int32), requirement: str, userSetupAllowed: bool}], builtIn: bool, description: str, id: str, providerId: str, topLevel: bool} @returns(2XX) success @endpoint DELETE /{realm}/authentication/flows/{id} @desc Delete an authentication flow @returns(2XX) success @endpoint GET /{realm}/authentication/form-action-providers @desc Get form action providers Returns a list of form action providers. @returns(2XX) success @endpoint GET /{realm}/authentication/form-providers @desc Get form providers Returns a list of form providers. @returns(2XX) success @endpoint GET /{realm}/authentication/per-client-config-description @desc Get configuration descriptions for all clients @returns(2XX) success @endpoint POST /{realm}/authentication/register-required-action @desc Register a new required actions @returns(2XX) success @endpoint GET /{realm}/authentication/required-actions @desc Get required actions Returns a list of required actions. @returns(2XX) success @endpoint GET /{realm}/authentication/required-actions/{alias} @desc Get required action for alias @returns(2XX) {alias: str, config: map, defaultAction: bool, enabled: bool, name: str, priority: int(int32), providerId: str} # success @endpoint PUT /{realm}/authentication/required-actions/{alias} @desc Update required action @optional {alias: str, config: map, defaultAction: bool, enabled: bool, name: str, priority: int(int32), providerId: str} @returns(2XX) success @endpoint DELETE /{realm}/authentication/required-actions/{alias} @desc Delete required action @returns(2XX) success @endpoint POST /{realm}/authentication/required-actions/{alias}/lower-priority @desc Lower required action’s priority @returns(2XX) success @endpoint POST /{realm}/authentication/required-actions/{alias}/raise-priority @desc Raise required action’s priority @returns(2XX) success @endpoint GET /{realm}/authentication/unregistered-required-actions @desc Get unregistered required actions Returns a list of unregistered required actions. @returns(2XX) success @endpoint POST /{realm}/clear-keys-cache @desc Clear cache of external public keys (Public keys of clients or Identity providers) @returns(2XX) success @endpoint POST /{realm}/clear-realm-cache @desc Clear realm cache @returns(2XX) success @endpoint POST /{realm}/clear-user-cache @desc Clear user cache @returns(2XX) success @endpoint POST /{realm}/client-description-converter @desc Base path for importing clients under this realm. @returns(2XX) {access: map, adminUrl: str, alwaysDisplayInConsole: bool, attributes: map, authenticationFlowBindingOverrides: map, authorizationServicesEnabled: bool, authorizationSettings: map{allowRemoteResourceManagement: bool, clientId: str, decisionStrategy: str, id: str, name: str, policies: [map], policyEnforcementMode: str, resources: [map], scopes: [map]}, baseUrl: str, bearerOnly: bool, clientAuthenticatorType: str, clientId: str, consentRequired: bool, defaultClientScopes: [str], defaultRoles: [str], description: str, directAccessGrantsEnabled: bool, enabled: bool, frontchannelLogout: bool, fullScopeAllowed: bool, id: str, implicitFlowEnabled: bool, name: str, nodeReRegistrationTimeout: int(int32), notBefore: int(int32), optionalClientScopes: [str], origin: str, protocol: str, protocolMappers: [map], publicClient: bool, redirectUris: [str], registeredNodes: map, registrationAccessToken: str, rootUrl: str, secret: str, serviceAccountsEnabled: bool, standardFlowEnabled: bool, surrogateAuthRequired: bool, webOrigins: [str]} # success @endpoint GET /{realm}/client-registration-policy/providers @desc Base path for retrieve providers with the configProperties properly filled @returns(2XX) success @endpoint GET /{realm}/client-scopes @desc Get client scopes belonging to the realm Returns a list of client scopes belonging to the realm @returns(2XX) success @endpoint POST /{realm}/client-scopes @desc Create a new client scope Client Scope’s name must be unique! @optional {attributes: map, description: str, id: str, name: str, protocol: str, protocolMappers: [map{config: map, id: str, name: str, protocol: str, protocolMapper: str}]} @returns(2XX) success @endpoint GET /{realm}/client-scopes/{id1}/protocol-mappers/models/{id2} @desc Get mapper by id @returns(2XX) {config: map, id: str, name: str, protocol: str, protocolMapper: str} # success @endpoint PUT /{realm}/client-scopes/{id1}/protocol-mappers/models/{id2} @desc Update the mapper @optional {config: map, id: str, name: str, protocol: str, protocolMapper: str} @returns(2XX) success @endpoint DELETE /{realm}/client-scopes/{id1}/protocol-mappers/models/{id2} @desc Delete the mapper @returns(2XX) success @endpoint GET /{realm}/client-scopes/{id} @desc Get representation of the client scope @returns(2XX) {attributes: map, description: str, id: str, name: str, protocol: str, protocolMappers: [map]} # success @endpoint PUT /{realm}/client-scopes/{id} @desc Update the client scope @optional {attributes: map, description: str, id: str, name: str, protocol: str, protocolMappers: [map{config: map, id: str, name: str, protocol: str, protocolMapper: str}]} @returns(2XX) success @endpoint DELETE /{realm}/client-scopes/{id} @desc Delete the client scope @returns(2XX) success @endpoint POST /{realm}/client-scopes/{id}/protocol-mappers/add-models @desc Create multiple mappers @returns(2XX) success @endpoint GET /{realm}/client-scopes/{id}/protocol-mappers/models @desc Get mappers @returns(2XX) success @endpoint POST /{realm}/client-scopes/{id}/protocol-mappers/models @desc Create a mapper @optional {config: map, id: str, name: str, protocol: str, protocolMapper: str} @returns(2XX) success @endpoint GET /{realm}/client-scopes/{id}/protocol-mappers/protocol/{protocol} @desc Get mappers by name for a specific protocol @returns(2XX) success @endpoint GET /{realm}/client-scopes/{id}/scope-mappings @desc Get all scope mappings for the client @returns(2XX) {clientMappings: map, realmMappings: [map]} # success @endpoint GET /{realm}/client-scopes/{id}/scope-mappings/clients/{client} @desc Get the roles associated with a client’s scope Returns roles for the client. @returns(2XX) success @endpoint POST /{realm}/client-scopes/{id}/scope-mappings/clients/{client} @desc Add client-level roles to the client’s scope @returns(2XX) success @endpoint DELETE /{realm}/client-scopes/{id}/scope-mappings/clients/{client} @desc Remove client-level roles from the client’s scope. @returns(2XX) success @endpoint GET /{realm}/client-scopes/{id}/scope-mappings/clients/{client}/available @desc The available client-level roles Returns the roles for the client that can be associated with the client’s scope @returns(2XX) success @endpoint GET /{realm}/client-scopes/{id}/scope-mappings/clients/{client}/composite @desc Get effective client roles Returns the roles for the client that are associated with the client’s scope. @returns(2XX) success @endpoint GET /{realm}/client-scopes/{id}/scope-mappings/realm @desc Get realm-level roles associated with the client’s scope @returns(2XX) success @endpoint POST /{realm}/client-scopes/{id}/scope-mappings/realm @desc Add a set of realm-level roles to the client’s scope @returns(2XX) success @endpoint DELETE /{realm}/client-scopes/{id}/scope-mappings/realm @desc Remove a set of realm-level roles from the client’s scope @returns(2XX) success @endpoint GET /{realm}/client-scopes/{id}/scope-mappings/realm/available @desc Get realm-level roles that are available to attach to this client’s scope @returns(2XX) success @endpoint GET /{realm}/client-scopes/{id}/scope-mappings/realm/composite @desc Get effective realm-level roles associated with the client’s scope What this does is recurse any composite roles associated with the client’s scope and adds the roles to this lists. @returns(2XX) success @endpoint GET /{realm}/client-session-stats @desc Get client session stats Returns a JSON map. @returns(2XX) success @endpoint GET /{realm}/clients @desc Get clients belonging to the realm Returns a list of clients belonging to the realm @optional {clientId: str # filter by clientId, first: int(int32) # the first result, max: int(int32) # the max results to return, search: bool # whether this is a search query or a getClientById query, viewableOnly: bool # filter clients that cannot be viewed in full by admin} @returns(2XX) success @endpoint POST /{realm}/clients @desc Create a new client Client’s client_id must be unique! @optional {access: map, adminUrl: str, alwaysDisplayInConsole: bool, attributes: map, authenticationFlowBindingOverrides: map, authorizationServicesEnabled: bool, authorizationSettings: map{allowRemoteResourceManagement: bool, clientId: str, decisionStrategy: str, id: str, name: str, policies: [map], policyEnforcementMode: str, resources: [map], scopes: [map]}, baseUrl: str, bearerOnly: bool, clientAuthenticatorType: str, clientId: str, consentRequired: bool, defaultClientScopes: [str], defaultRoles: [str], description: str, directAccessGrantsEnabled: bool, enabled: bool, frontchannelLogout: bool, fullScopeAllowed: bool, id: str, implicitFlowEnabled: bool, name: str, nodeReRegistrationTimeout: int(int32), notBefore: int(int32), optionalClientScopes: [str], origin: str, protocol: str, protocolMappers: [map{config: map, id: str, name: str, protocol: str, protocolMapper: str}], publicClient: bool, redirectUris: [str], registeredNodes: map, registrationAccessToken: str, rootUrl: str, secret: str, serviceAccountsEnabled: bool, standardFlowEnabled: bool, surrogateAuthRequired: bool, webOrigins: [str]} @returns(2XX) success @endpoint GET /{realm}/clients-initial-access @returns(2XX) success @endpoint POST /{realm}/clients-initial-access @desc Create a new initial access token. @optional {count: int(int32), expiration: int(int32)} @returns(2XX) {count: int(int32), expiration: int(int32), id: str, remainingCount: int(int32), timestamp: int(int32), token: str} # success @endpoint DELETE /{realm}/clients-initial-access/{id} @returns(2XX) success @endpoint GET /{realm}/clients/{id1}/protocol-mappers/models/{id2} @desc Get mapper by id @returns(2XX) {config: map, id: str, name: str, protocol: str, protocolMapper: str} # success @endpoint PUT /{realm}/clients/{id1}/protocol-mappers/models/{id2} @desc Update the mapper @optional {config: map, id: str, name: str, protocol: str, protocolMapper: str} @returns(2XX) success @endpoint DELETE /{realm}/clients/{id1}/protocol-mappers/models/{id2} @desc Delete the mapper @returns(2XX) success @endpoint GET /{realm}/clients/{id} @desc Get representation of the client @returns(2XX) {access: map, adminUrl: str, alwaysDisplayInConsole: bool, attributes: map, authenticationFlowBindingOverrides: map, authorizationServicesEnabled: bool, authorizationSettings: map{allowRemoteResourceManagement: bool, clientId: str, decisionStrategy: str, id: str, name: str, policies: [map], policyEnforcementMode: str, resources: [map], scopes: [map]}, baseUrl: str, bearerOnly: bool, clientAuthenticatorType: str, clientId: str, consentRequired: bool, defaultClientScopes: [str], defaultRoles: [str], description: str, directAccessGrantsEnabled: bool, enabled: bool, frontchannelLogout: bool, fullScopeAllowed: bool, id: str, implicitFlowEnabled: bool, name: str, nodeReRegistrationTimeout: int(int32), notBefore: int(int32), optionalClientScopes: [str], origin: str, protocol: str, protocolMappers: [map], publicClient: bool, redirectUris: [str], registeredNodes: map, registrationAccessToken: str, rootUrl: str, secret: str, serviceAccountsEnabled: bool, standardFlowEnabled: bool, surrogateAuthRequired: bool, webOrigins: [str]} # success @endpoint PUT /{realm}/clients/{id} @desc Update the client @optional {access: map, adminUrl: str, alwaysDisplayInConsole: bool, attributes: map, authenticationFlowBindingOverrides: map, authorizationServicesEnabled: bool, authorizationSettings: map{allowRemoteResourceManagement: bool, clientId: str, decisionStrategy: str, id: str, name: str, policies: [map], policyEnforcementMode: str, resources: [map], scopes: [map]}, baseUrl: str, bearerOnly: bool, clientAuthenticatorType: str, clientId: str, consentRequired: bool, defaultClientScopes: [str], defaultRoles: [str], description: str, directAccessGrantsEnabled: bool, enabled: bool, frontchannelLogout: bool, fullScopeAllowed: bool, id: str, implicitFlowEnabled: bool, name: str, nodeReRegistrationTimeout: int(int32), notBefore: int(int32), optionalClientScopes: [str], origin: str, protocol: str, protocolMappers: [map{config: map, id: str, name: str, protocol: str, protocolMapper: str}], publicClient: bool, redirectUris: [str], registeredNodes: map, registrationAccessToken: str, rootUrl: str, secret: str, serviceAccountsEnabled: bool, standardFlowEnabled: bool, surrogateAuthRequired: bool, webOrigins: [str]} @returns(2XX) success @endpoint DELETE /{realm}/clients/{id} @desc Delete the client @returns(2XX) success @endpoint GET /{realm}/clients/{id}/certificates/{attr} @desc Get key info @returns(2XX) {certificate: str, kid: str, privateKey: str, publicKey: str} # success @endpoint POST /{realm}/clients/{id}/certificates/{attr}/download @desc Get a keystore file for the client, containing private key and public certificate @optional {format: str, keyAlias: str, keyPassword: str, realmAlias: str, realmCertificate: bool, storePassword: str} @returns(2XX) success @endpoint POST /{realm}/clients/{id}/certificates/{attr}/generate @desc Generate a new certificate with new key pair @returns(2XX) {certificate: str, kid: str, privateKey: str, publicKey: str} # success @endpoint POST /{realm}/clients/{id}/certificates/{attr}/generate-and-download @desc Generate a new keypair and certificate, and get the private key file Generates a keypair and certificate and serves the private key in a specified keystore format. @optional {format: str, keyAlias: str, keyPassword: str, realmAlias: str, realmCertificate: bool, storePassword: str} @returns(2XX) success @endpoint POST /{realm}/clients/{id}/certificates/{attr}/upload @desc Upload certificate and eventually private key @returns(2XX) {certificate: str, kid: str, privateKey: str, publicKey: str} # success @endpoint POST /{realm}/clients/{id}/certificates/{attr}/upload-certificate @desc Upload only certificate, not private key @returns(2XX) {certificate: str, kid: str, privateKey: str, publicKey: str} # success @endpoint GET /{realm}/clients/{id}/client-secret @desc Get the client secret @returns(2XX) {createdDate: int(int64), credentialData: str, id: str, priority: int(int32), secretData: str, temporary: bool, type: str, userLabel: str, value: str} # success @endpoint POST /{realm}/clients/{id}/client-secret @desc Generate a new secret for the client @returns(2XX) {createdDate: int(int64), credentialData: str, id: str, priority: int(int32), secretData: str, temporary: bool, type: str, userLabel: str, value: str} # success @endpoint GET /{realm}/clients/{id}/default-client-scopes @desc Get default client scopes. @returns(2XX) success @endpoint PUT /{realm}/clients/{id}/default-client-scopes/{clientScopeId} @returns(2XX) success @endpoint DELETE /{realm}/clients/{id}/default-client-scopes/{clientScopeId} @returns(2XX) success @endpoint GET /{realm}/clients/{id}/evaluate-scopes/generate-example-access-token @desc Create JSON with payload of example access token @optional {scope: str, userId: str} @returns(2XX) {acr: str, address: map{country: str, formatted: str, locality: str, postal_code: str, region: str, street_address: str}, allowed-origins: [str], at_hash: str, auth_time: int(int64), authorization: map{permissions: [map]}, azp: str, birthdate: str, c_hash: str, category: str, claims_locales: str, cnf: map{x5t#S256: str}, email: str, email_verified: bool, exp: int(int64), family_name: str, gender: str, given_name: str, iat: int(int64), iss: str, jti: str, locale: str, middle_name: str, name: str, nbf: int(int64), nickname: str, nonce: str, otherClaims: map, phone_number: str, phone_number_verified: bool, picture: str, preferred_username: str, profile: str, realm_access: map{roles: [str], verify_caller: bool}, s_hash: str, scope: str, session_state: str, sub: str, trusted-certs: [str], typ: str, updated_at: int(int64), website: str, zoneinfo: str} # success @endpoint GET /{realm}/clients/{id}/evaluate-scopes/protocol-mappers @desc Return list of all protocol mappers, which will be used when generating tokens issued for particular client. @optional {scope: str} @returns(2XX) success @endpoint GET /{realm}/clients/{id}/evaluate-scopes/scope-mappings/{roleContainerId}/granted @desc Get effective scope mapping of all roles of particular role container, which this client is defacto allowed to have in the accessToken issued for him. @optional {scope: str} @returns(2XX) success @endpoint GET /{realm}/clients/{id}/evaluate-scopes/scope-mappings/{roleContainerId}/not-granted @desc Get roles, which this client doesn’t have scope for and can’t have them in the accessToken issued for him. @optional {scope: str} @returns(2XX) success @endpoint GET /{realm}/clients/{id}/installation/providers/{providerId} @returns(2XX) success @endpoint GET /{realm}/clients/{id}/management/permissions @desc Return object stating whether client Authorization permissions have been initialized or not and a reference @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint PUT /{realm}/clients/{id}/management/permissions @desc Return object stating whether client Authorization permissions have been initialized or not and a reference @optional {enabled: bool, resource: str, scopePermissions: map} @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint POST /{realm}/clients/{id}/nodes @desc Register a cluster node with the client Manually register cluster node to this client - usually it’s not needed to call this directly as adapter should handle by sending registration request to Keycloak @returns(2XX) success @endpoint DELETE /{realm}/clients/{id}/nodes/{node} @desc Unregister a cluster node from the client @returns(2XX) success @endpoint GET /{realm}/clients/{id}/offline-session-count @desc Get application offline session count Returns a number of offline user sessions associated with this client { "count": number } @returns(2XX) success @endpoint GET /{realm}/clients/{id}/offline-sessions @desc Get offline sessions for client Returns a list of offline user sessions associated with this client @optional {first: int(int32) # Paging offset, max: int(int32) # Maximum results size (defaults to 100)} @returns(2XX) success @endpoint GET /{realm}/clients/{id}/optional-client-scopes @desc Get optional client scopes. @returns(2XX) success @endpoint PUT /{realm}/clients/{id}/optional-client-scopes/{clientScopeId} @returns(2XX) success @endpoint DELETE /{realm}/clients/{id}/optional-client-scopes/{clientScopeId} @returns(2XX) success @endpoint POST /{realm}/clients/{id}/protocol-mappers/add-models @desc Create multiple mappers @returns(2XX) success @endpoint GET /{realm}/clients/{id}/protocol-mappers/models @desc Get mappers @returns(2XX) success @endpoint POST /{realm}/clients/{id}/protocol-mappers/models @desc Create a mapper @optional {config: map, id: str, name: str, protocol: str, protocolMapper: str} @returns(2XX) success @endpoint GET /{realm}/clients/{id}/protocol-mappers/protocol/{protocol} @desc Get mappers by name for a specific protocol @returns(2XX) success @endpoint POST /{realm}/clients/{id}/push-revocation @desc Push the client’s revocation policy to its admin URL If the client has an admin URL, push revocation policy to it. @returns(2XX) {failedRequests: [str], successRequests: [str]} # success @endpoint POST /{realm}/clients/{id}/registration-access-token @desc Generate a new registration access token for the client @returns(2XX) {access: map, adminUrl: str, alwaysDisplayInConsole: bool, attributes: map, authenticationFlowBindingOverrides: map, authorizationServicesEnabled: bool, authorizationSettings: map{allowRemoteResourceManagement: bool, clientId: str, decisionStrategy: str, id: str, name: str, policies: [map], policyEnforcementMode: str, resources: [map], scopes: [map]}, baseUrl: str, bearerOnly: bool, clientAuthenticatorType: str, clientId: str, consentRequired: bool, defaultClientScopes: [str], defaultRoles: [str], description: str, directAccessGrantsEnabled: bool, enabled: bool, frontchannelLogout: bool, fullScopeAllowed: bool, id: str, implicitFlowEnabled: bool, name: str, nodeReRegistrationTimeout: int(int32), notBefore: int(int32), optionalClientScopes: [str], origin: str, protocol: str, protocolMappers: [map], publicClient: bool, redirectUris: [str], registeredNodes: map, registrationAccessToken: str, rootUrl: str, secret: str, serviceAccountsEnabled: bool, standardFlowEnabled: bool, surrogateAuthRequired: bool, webOrigins: [str]} # success @endpoint GET /{realm}/clients/{id}/roles @desc Get all roles for the realm or client @optional {briefRepresentation: bool, first: int(int32), max: int(int32), search: str} @returns(2XX) success @endpoint POST /{realm}/clients/{id}/roles @desc Create a new role for the realm or client @optional {attributes: map, clientRole: bool, composite: bool, composites: map{client: map, realm: [str]}, containerId: str, description: str, id: str, name: str} @returns(2XX) success @endpoint GET /{realm}/clients/{id}/roles/{role-name} @desc Get a role by name @returns(2XX) {attributes: map, clientRole: bool, composite: bool, composites: map{client: map, realm: [str]}, containerId: str, description: str, id: str, name: str} # success @endpoint PUT /{realm}/clients/{id}/roles/{role-name} @desc Update a role by name @optional {attributes: map, clientRole: bool, composite: bool, composites: map{client: map, realm: [str]}, containerId: str, description: str, id: str, name: str} @returns(2XX) success @endpoint DELETE /{realm}/clients/{id}/roles/{role-name} @desc Delete a role by name @returns(2XX) success @endpoint GET /{realm}/clients/{id}/roles/{role-name}/composites @desc Get composites of the role @returns(2XX) success @endpoint POST /{realm}/clients/{id}/roles/{role-name}/composites @desc Add a composite to the role @returns(2XX) success @endpoint DELETE /{realm}/clients/{id}/roles/{role-name}/composites @desc Remove roles from the role’s composite @returns(2XX) success @endpoint GET /{realm}/clients/{id}/roles/{role-name}/composites/clients/{client} @desc An app-level roles for the specified app for the role’s composite @returns(2XX) success @endpoint GET /{realm}/clients/{id}/roles/{role-name}/composites/realm @desc Get realm-level roles of the role’s composite @returns(2XX) success @endpoint GET /{realm}/clients/{id}/roles/{role-name}/groups @desc Return List of Groups that have the specified role name @optional {briefRepresentation: bool # if false, return a full representation of the GroupRepresentation objects, first: int(int32), max: int(int32)} @returns(2XX) success @endpoint GET /{realm}/clients/{id}/roles/{role-name}/management/permissions @desc Return object stating whether role Authoirzation permissions have been initialized or not and a reference @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint PUT /{realm}/clients/{id}/roles/{role-name}/management/permissions @desc Return object stating whether role Authoirzation permissions have been initialized or not and a reference @optional {enabled: bool, resource: str, scopePermissions: map} @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint GET /{realm}/clients/{id}/roles/{role-name}/users @desc Return List of Users that have the specified role name @optional {first: int(int32), max: int(int32)} @returns(2XX) success @endpoint GET /{realm}/clients/{id}/scope-mappings @desc Get all scope mappings for the client @returns(2XX) {clientMappings: map, realmMappings: [map]} # success @endpoint GET /{realm}/clients/{id}/scope-mappings/clients/{client} @desc Get the roles associated with a client’s scope Returns roles for the client. @returns(2XX) success @endpoint POST /{realm}/clients/{id}/scope-mappings/clients/{client} @desc Add client-level roles to the client’s scope @returns(2XX) success @endpoint DELETE /{realm}/clients/{id}/scope-mappings/clients/{client} @desc Remove client-level roles from the client’s scope. @returns(2XX) success @endpoint GET /{realm}/clients/{id}/scope-mappings/clients/{client}/available @desc The available client-level roles Returns the roles for the client that can be associated with the client’s scope @returns(2XX) success @endpoint GET /{realm}/clients/{id}/scope-mappings/clients/{client}/composite @desc Get effective client roles Returns the roles for the client that are associated with the client’s scope. @returns(2XX) success @endpoint GET /{realm}/clients/{id}/scope-mappings/realm @desc Get realm-level roles associated with the client’s scope @returns(2XX) success @endpoint POST /{realm}/clients/{id}/scope-mappings/realm @desc Add a set of realm-level roles to the client’s scope @returns(2XX) success @endpoint DELETE /{realm}/clients/{id}/scope-mappings/realm @desc Remove a set of realm-level roles from the client’s scope @returns(2XX) success @endpoint GET /{realm}/clients/{id}/scope-mappings/realm/available @desc Get realm-level roles that are available to attach to this client’s scope @returns(2XX) success @endpoint GET /{realm}/clients/{id}/scope-mappings/realm/composite @desc Get effective realm-level roles associated with the client’s scope What this does is recurse any composite roles associated with the client’s scope and adds the roles to this lists. @returns(2XX) success @endpoint GET /{realm}/clients/{id}/service-account-user @desc Get a user dedicated to the service account @returns(2XX) {access: map, attributes: map, clientConsents: [map], clientRoles: map, createdTimestamp: int(int64), credentials: [map], disableableCredentialTypes: [str], email: str, emailVerified: bool, enabled: bool, federatedIdentities: [map], federationLink: str, firstName: str, groups: [str], id: str, lastName: str, notBefore: int(int32), origin: str, realmRoles: [str], requiredActions: [str], self: str, serviceAccountClientId: str, username: str} # success @endpoint GET /{realm}/clients/{id}/session-count @desc Get application session count Returns a number of user sessions associated with this client { "count": number } @returns(2XX) success @endpoint GET /{realm}/clients/{id}/test-nodes-available @desc Test if registered cluster nodes are available Tests availability by sending 'ping' request to all cluster nodes. @returns(2XX) {failedRequests: [str], successRequests: [str]} # success @endpoint GET /{realm}/clients/{id}/user-sessions @desc Get user sessions for client Returns a list of user sessions associated with this client @optional {first: int(int32) # Paging offset, max: int(int32) # Maximum results size (defaults to 100)} @returns(2XX) success @endpoint GET /{realm}/components @optional {name: str, parent: str, type: str} @returns(2XX) success @endpoint POST /{realm}/components @optional {config: map{empty: bool, loadFactor: num(float), threshold: int(int32)}, id: str, name: str, parentId: str, providerId: str, providerType: str, subType: str} @returns(2XX) success @endpoint GET /{realm}/components/{id} @returns(2XX) {config: map{empty: bool, loadFactor: num(float), threshold: int(int32)}, id: str, name: str, parentId: str, providerId: str, providerType: str, subType: str} # success @endpoint PUT /{realm}/components/{id} @optional {config: map{empty: bool, loadFactor: num(float), threshold: int(int32)}, id: str, name: str, parentId: str, providerId: str, providerType: str, subType: str} @returns(2XX) success @endpoint DELETE /{realm}/components/{id} @returns(2XX) success @endpoint GET /{realm}/components/{id}/sub-component-types @desc List of subcomponent types that are available to configure for a particular parent component. @optional {type: str} @returns(2XX) success @endpoint GET /{realm}/credential-registrators @returns(2XX) success @endpoint GET /{realm}/default-default-client-scopes @desc Get realm default client scopes. @returns(2XX) success @endpoint PUT /{realm}/default-default-client-scopes/{clientScopeId} @returns(2XX) success @endpoint DELETE /{realm}/default-default-client-scopes/{clientScopeId} @returns(2XX) success @endpoint GET /{realm}/default-groups @desc Get group hierarchy. @returns(2XX) success @endpoint PUT /{realm}/default-groups/{groupId} @returns(2XX) success @endpoint DELETE /{realm}/default-groups/{groupId} @returns(2XX) success @endpoint GET /{realm}/default-optional-client-scopes @desc Get realm optional client scopes. @returns(2XX) success @endpoint PUT /{realm}/default-optional-client-scopes/{clientScopeId} @returns(2XX) success @endpoint DELETE /{realm}/default-optional-client-scopes/{clientScopeId} @returns(2XX) success @endpoint GET /{realm}/events @desc Get events Returns all events, or filters them based on URL query parameters listed here @optional {client: str # App or oauth client name, dateFrom: str # From date, dateTo: str # To date, first: int(int32) # Paging offset, ipAddress: str # IP address, max: int(int32) # Maximum results size (defaults to 100), type: [str] # The types of events to return, user: str # User id} @returns(2XX) success @endpoint DELETE /{realm}/events @desc Delete all events @returns(2XX) success @endpoint GET /{realm}/events/config @desc Get the events provider configuration Returns JSON object with events provider configuration @returns(2XX) {adminEventsDetailsEnabled: bool, adminEventsEnabled: bool, enabledEventTypes: [str], eventsEnabled: bool, eventsExpiration: int(int64), eventsListeners: [str]} # success @endpoint PUT /{realm}/events/config @desc Update the events provider Change the events provider and/or its configuration @optional {adminEventsDetailsEnabled: bool, adminEventsEnabled: bool, enabledEventTypes: [str], eventsEnabled: bool, eventsExpiration: int(int64), eventsListeners: [str]} @returns(2XX) success @endpoint GET /{realm}/group-by-path/{path} @returns(2XX) {access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map]} # success @endpoint GET /{realm}/groups @desc Get group hierarchy. @optional {briefRepresentation: bool, first: int(int32), max: int(int32), search: str} @returns(2XX) success @endpoint POST /{realm}/groups @desc create or add a top level realm groupSet or create child. @optional {access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map{access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map]}]} @returns(2XX) success @endpoint GET /{realm}/groups/count @desc Returns the groups counts. @optional {search: str, top: bool} @returns(2XX) success @endpoint GET /{realm}/groups/{id} @returns(2XX) {access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map]} # success @endpoint PUT /{realm}/groups/{id} @desc Update group, ignores subgroups. @optional {access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map{access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map]}]} @returns(2XX) success @endpoint DELETE /{realm}/groups/{id} @returns(2XX) success @endpoint POST /{realm}/groups/{id}/children @desc Set or create child. @optional {access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map{access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map]}]} @returns(2XX) success @endpoint GET /{realm}/groups/{id}/management/permissions @desc Return object stating whether client Authorization permissions have been initialized or not and a reference @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint PUT /{realm}/groups/{id}/management/permissions @desc Return object stating whether client Authorization permissions have been initialized or not and a reference @optional {enabled: bool, resource: str, scopePermissions: map} @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint GET /{realm}/groups/{id}/members @desc Get users Returns a list of users, filtered according to query parameters @optional {briefRepresentation: bool # Only return basic information (only guaranteed to return id, username, created, first and last name, email, enabled state, email verification state, federation link, and access. Note that it means that namely user attributes, required actions, and not before are not returned.), first: int(int32) # Pagination offset, max: int(int32) # Maximum results size (defaults to 100)} @returns(2XX) success @endpoint GET /{realm}/groups/{id}/role-mappings @desc Get role mappings @returns(2XX) {clientMappings: map, realmMappings: [map]} # success @endpoint GET /{realm}/groups/{id}/role-mappings/clients/{client} @desc Get client-level role mappings for the user, and the app @returns(2XX) success @endpoint POST /{realm}/groups/{id}/role-mappings/clients/{client} @desc Add client-level roles to the user role mapping @returns(2XX) success @endpoint DELETE /{realm}/groups/{id}/role-mappings/clients/{client} @desc Delete client-level roles from user role mapping @returns(2XX) success @endpoint GET /{realm}/groups/{id}/role-mappings/clients/{client}/available @desc Get available client-level roles that can be mapped to the user @returns(2XX) success @endpoint GET /{realm}/groups/{id}/role-mappings/clients/{client}/composite @desc Get effective client-level role mappings This recurses any composite roles @returns(2XX) success @endpoint GET /{realm}/groups/{id}/role-mappings/realm @desc Get realm-level role mappings @returns(2XX) success @endpoint POST /{realm}/groups/{id}/role-mappings/realm @desc Add realm-level role mappings to the user @returns(2XX) success @endpoint DELETE /{realm}/groups/{id}/role-mappings/realm @desc Delete realm-level role mappings @returns(2XX) success @endpoint GET /{realm}/groups/{id}/role-mappings/realm/available @desc Get realm-level roles that can be mapped @returns(2XX) success @endpoint GET /{realm}/groups/{id}/role-mappings/realm/composite @desc Get effective realm-level role mappings This will recurse all composite roles to get the result. @returns(2XX) success @endpoint POST /{realm}/identity-provider/import-config @desc Import identity provider from uploaded JSON file @returns(2XX) success @endpoint GET /{realm}/identity-provider/instances @desc Get identity providers @returns(2XX) success @endpoint POST /{realm}/identity-provider/instances @desc Create a new identity provider @optional {addReadTokenRoleOnCreate: bool, alias: str, config: map, displayName: str, enabled: bool, firstBrokerLoginFlowAlias: str, internalId: str, linkOnly: bool, postBrokerLoginFlowAlias: str, providerId: str, storeToken: bool, trustEmail: bool} @returns(2XX) success @endpoint GET /{realm}/identity-provider/instances/{alias} @desc Get the identity provider @returns(2XX) {addReadTokenRoleOnCreate: bool, alias: str, config: map, displayName: str, enabled: bool, firstBrokerLoginFlowAlias: str, internalId: str, linkOnly: bool, postBrokerLoginFlowAlias: str, providerId: str, storeToken: bool, trustEmail: bool} # success @endpoint PUT /{realm}/identity-provider/instances/{alias} @desc Update the identity provider @optional {addReadTokenRoleOnCreate: bool, alias: str, config: map, displayName: str, enabled: bool, firstBrokerLoginFlowAlias: str, internalId: str, linkOnly: bool, postBrokerLoginFlowAlias: str, providerId: str, storeToken: bool, trustEmail: bool} @returns(2XX) success @endpoint DELETE /{realm}/identity-provider/instances/{alias} @desc Delete the identity provider @returns(2XX) success @endpoint GET /{realm}/identity-provider/instances/{alias}/export @desc Export public broker configuration for identity provider @optional {format: str # Format to use} @returns(2XX) success @endpoint GET /{realm}/identity-provider/instances/{alias}/management/permissions @desc Return object stating whether client Authorization permissions have been initialized or not and a reference @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint PUT /{realm}/identity-provider/instances/{alias}/management/permissions @desc Return object stating whether client Authorization permissions have been initialized or not and a reference @optional {enabled: bool, resource: str, scopePermissions: map} @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint GET /{realm}/identity-provider/instances/{alias}/mapper-types @desc Get mapper types for identity provider @returns(2XX) success @endpoint GET /{realm}/identity-provider/instances/{alias}/mappers @desc Get mappers for identity provider @returns(2XX) success @endpoint POST /{realm}/identity-provider/instances/{alias}/mappers @desc Add a mapper to identity provider @optional {config: map, id: str, identityProviderAlias: str, identityProviderMapper: str, name: str} @returns(2XX) success @endpoint GET /{realm}/identity-provider/instances/{alias}/mappers/{id} @desc Get mapper by id for the identity provider @returns(2XX) {config: map, id: str, identityProviderAlias: str, identityProviderMapper: str, name: str} # success @endpoint PUT /{realm}/identity-provider/instances/{alias}/mappers/{id} @desc Update a mapper for the identity provider @optional {config: map, id: str, identityProviderAlias: str, identityProviderMapper: str, name: str} @returns(2XX) success @endpoint DELETE /{realm}/identity-provider/instances/{alias}/mappers/{id} @desc Delete a mapper for the identity provider @returns(2XX) success @endpoint GET /{realm}/identity-provider/providers/{provider_id} @desc Get identity providers @returns(2XX) success @endpoint GET /{realm}/keys @returns(2XX) {active: map, keys: [map]} # success @endpoint POST /{realm}/logout-all @desc Removes all user sessions. @returns(2XX) success @endpoint POST /{realm}/partial-export @desc Partial export of existing realm into a JSON file. @optional {exportClients: bool, exportGroupsAndRoles: bool} @returns(2XX) {accessCodeLifespan: int(int32), accessCodeLifespanLogin: int(int32), accessCodeLifespanUserAction: int(int32), accessTokenLifespan: int(int32), accessTokenLifespanForImplicitFlow: int(int32), accountTheme: str, actionTokenGeneratedByAdminLifespan: int(int32), actionTokenGeneratedByUserLifespan: int(int32), adminEventsDetailsEnabled: bool, adminEventsEnabled: bool, adminTheme: str, attributes: map, authenticationFlows: [map], authenticatorConfig: [map], browserFlow: str, browserSecurityHeaders: map, bruteForceProtected: bool, clientAuthenticationFlow: str, clientScopeMappings: map, clientScopes: [map], clientSessionIdleTimeout: int(int32), clientSessionMaxLifespan: int(int32), clients: [map], components: map{empty: bool, loadFactor: num(float), threshold: int(int32)}, defaultDefaultClientScopes: [str], defaultGroups: [str], defaultLocale: str, defaultOptionalClientScopes: [str], defaultRoles: [str], defaultSignatureAlgorithm: str, directGrantFlow: str, displayName: str, displayNameHtml: str, dockerAuthenticationFlow: str, duplicateEmailsAllowed: bool, editUsernameAllowed: bool, emailTheme: str, enabled: bool, enabledEventTypes: [str], eventsEnabled: bool, eventsExpiration: int(int64), eventsListeners: [str], failureFactor: int(int32), federatedUsers: [map], groups: [map], id: str, identityProviderMappers: [map], identityProviders: [map], internationalizationEnabled: bool, keycloakVersion: str, loginTheme: str, loginWithEmailAllowed: bool, maxDeltaTimeSeconds: int(int32), maxFailureWaitSeconds: int(int32), minimumQuickLoginWaitSeconds: int(int32), notBefore: int(int32), offlineSessionIdleTimeout: int(int32), offlineSessionMaxLifespan: int(int32), offlineSessionMaxLifespanEnabled: bool, otpPolicyAlgorithm: str, otpPolicyDigits: int(int32), otpPolicyInitialCounter: int(int32), otpPolicyLookAheadWindow: int(int32), otpPolicyPeriod: int(int32), otpPolicyType: str, otpSupportedApplications: [str], passwordPolicy: str, permanentLockout: bool, protocolMappers: [map], quickLoginCheckMilliSeconds: int(int64), realm: str, refreshTokenMaxReuse: int(int32), registrationAllowed: bool, registrationEmailAsUsername: bool, registrationFlow: str, rememberMe: bool, requiredActions: [map], resetCredentialsFlow: str, resetPasswordAllowed: bool, revokeRefreshToken: bool, roles: map{client: map, realm: [map]}, scopeMappings: [map], smtpServer: map, sslRequired: str, ssoSessionIdleTimeout: int(int32), ssoSessionIdleTimeoutRememberMe: int(int32), ssoSessionMaxLifespan: int(int32), ssoSessionMaxLifespanRememberMe: int(int32), supportedLocales: [str], userFederationMappers: [map], userFederationProviders: [map], userManagedAccessAllowed: bool, users: [map], verifyEmail: bool, waitIncrementSeconds: int(int32), webAuthnPolicyAcceptableAaguids: [str], webAuthnPolicyAttestationConveyancePreference: str, webAuthnPolicyAuthenticatorAttachment: str, webAuthnPolicyAvoidSameAuthenticatorRegister: bool, webAuthnPolicyCreateTimeout: int(int32), webAuthnPolicyPasswordlessAcceptableAaguids: [str], webAuthnPolicyPasswordlessAttestationConveyancePreference: str, webAuthnPolicyPasswordlessAuthenticatorAttachment: str, webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: bool, webAuthnPolicyPasswordlessCreateTimeout: int(int32), webAuthnPolicyPasswordlessRequireResidentKey: str, webAuthnPolicyPasswordlessRpEntityName: str, webAuthnPolicyPasswordlessRpId: str, webAuthnPolicyPasswordlessSignatureAlgorithms: [str], webAuthnPolicyPasswordlessUserVerificationRequirement: str, webAuthnPolicyRequireResidentKey: str, webAuthnPolicyRpEntityName: str, webAuthnPolicyRpId: str, webAuthnPolicySignatureAlgorithms: [str], webAuthnPolicyUserVerificationRequirement: str} # success @endpoint POST /{realm}/partialImport @desc Partial import from a JSON file to an existing realm. @optional {clients: [map{access: map, adminUrl: str, alwaysDisplayInConsole: bool, attributes: map, authenticationFlowBindingOverrides: map, authorizationServicesEnabled: bool, authorizationSettings: map, baseUrl: str, bearerOnly: bool, clientAuthenticatorType: str, clientId: str, consentRequired: bool, defaultClientScopes: [str], defaultRoles: [str], description: str, directAccessGrantsEnabled: bool, enabled: bool, frontchannelLogout: bool, fullScopeAllowed: bool, id: str, implicitFlowEnabled: bool, name: str, nodeReRegistrationTimeout: int(int32), notBefore: int(int32), optionalClientScopes: [str], origin: str, protocol: str, protocolMappers: [map], publicClient: bool, redirectUris: [str], registeredNodes: map, registrationAccessToken: str, rootUrl: str, secret: str, serviceAccountsEnabled: bool, standardFlowEnabled: bool, surrogateAuthRequired: bool, webOrigins: [str]}], groups: [map{access: map, attributes: map, clientRoles: map, id: str, name: str, path: str, realmRoles: [str], subGroups: [map]}], identityProviders: [map{addReadTokenRoleOnCreate: bool, alias: str, config: map, displayName: str, enabled: bool, firstBrokerLoginFlowAlias: str, internalId: str, linkOnly: bool, postBrokerLoginFlowAlias: str, providerId: str, storeToken: bool, trustEmail: bool}], ifResourceExists: str, policy: str(SKIP/OVERWRITE/FAIL), roles: map{client: map, realm: [map]}, users: [map{access: map, attributes: map, clientConsents: [map], clientRoles: map, createdTimestamp: int(int64), credentials: [map], disableableCredentialTypes: [str], email: str, emailVerified: bool, enabled: bool, federatedIdentities: [map], federationLink: str, firstName: str, groups: [str], id: str, lastName: str, notBefore: int(int32), origin: str, realmRoles: [str], requiredActions: [str], self: str, serviceAccountClientId: str, username: str}]} @returns(2XX) success @endpoint POST /{realm}/push-revocation @desc Push the realm’s revocation policy to any client that has an admin url associated with it. @returns(2XX) success @endpoint GET /{realm}/roles @desc Get all roles for the realm or client @optional {briefRepresentation: bool, first: int(int32), max: int(int32), search: str} @returns(2XX) success @endpoint POST /{realm}/roles @desc Create a new role for the realm or client @optional {attributes: map, clientRole: bool, composite: bool, composites: map{client: map, realm: [str]}, containerId: str, description: str, id: str, name: str} @returns(2XX) success @endpoint GET /{realm}/roles-by-id/{role-id} @desc Get a specific role’s representation @returns(2XX) {attributes: map, clientRole: bool, composite: bool, composites: map{client: map, realm: [str]}, containerId: str, description: str, id: str, name: str} # success @endpoint PUT /{realm}/roles-by-id/{role-id} @desc Update the role @optional {attributes: map, clientRole: bool, composite: bool, composites: map{client: map, realm: [str]}, containerId: str, description: str, id: str, name: str} @returns(2XX) success @endpoint DELETE /{realm}/roles-by-id/{role-id} @desc Delete the role @returns(2XX) success @endpoint GET /{realm}/roles-by-id/{role-id}/composites @desc Get role’s children Returns a set of role’s children provided the role is a composite. @returns(2XX) success @endpoint POST /{realm}/roles-by-id/{role-id}/composites @desc Make the role a composite role by associating some child roles @returns(2XX) success @endpoint DELETE /{realm}/roles-by-id/{role-id}/composites @desc Remove a set of roles from the role’s composite @returns(2XX) success @endpoint GET /{realm}/roles-by-id/{role-id}/composites/clients/{client} @desc Get client-level roles for the client that are in the role’s composite @returns(2XX) success @endpoint GET /{realm}/roles-by-id/{role-id}/composites/realm @desc Get realm-level roles that are in the role’s composite @returns(2XX) success @endpoint GET /{realm}/roles-by-id/{role-id}/management/permissions @desc Return object stating whether role Authoirzation permissions have been initialized or not and a reference @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint PUT /{realm}/roles-by-id/{role-id}/management/permissions @desc Return object stating whether role Authoirzation permissions have been initialized or not and a reference @optional {enabled: bool, resource: str, scopePermissions: map} @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint GET /{realm}/roles/{role-name} @desc Get a role by name @returns(2XX) {attributes: map, clientRole: bool, composite: bool, composites: map{client: map, realm: [str]}, containerId: str, description: str, id: str, name: str} # success @endpoint PUT /{realm}/roles/{role-name} @desc Update a role by name @optional {attributes: map, clientRole: bool, composite: bool, composites: map{client: map, realm: [str]}, containerId: str, description: str, id: str, name: str} @returns(2XX) success @endpoint DELETE /{realm}/roles/{role-name} @desc Delete a role by name @returns(2XX) success @endpoint GET /{realm}/roles/{role-name}/composites @desc Get composites of the role @returns(2XX) success @endpoint POST /{realm}/roles/{role-name}/composites @desc Add a composite to the role @returns(2XX) success @endpoint DELETE /{realm}/roles/{role-name}/composites @desc Remove roles from the role’s composite @returns(2XX) success @endpoint GET /{realm}/roles/{role-name}/composites/clients/{client} @desc An app-level roles for the specified app for the role’s composite @returns(2XX) success @endpoint GET /{realm}/roles/{role-name}/composites/realm @desc Get realm-level roles of the role’s composite @returns(2XX) success @endpoint GET /{realm}/roles/{role-name}/groups @desc Return List of Groups that have the specified role name @optional {briefRepresentation: bool # if false, return a full representation of the GroupRepresentation objects, first: int(int32), max: int(int32)} @returns(2XX) success @endpoint GET /{realm}/roles/{role-name}/management/permissions @desc Return object stating whether role Authoirzation permissions have been initialized or not and a reference @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint PUT /{realm}/roles/{role-name}/management/permissions @desc Return object stating whether role Authoirzation permissions have been initialized or not and a reference @optional {enabled: bool, resource: str, scopePermissions: map} @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint GET /{realm}/roles/{role-name}/users @desc Return List of Users that have the specified role name @optional {first: int(int32), max: int(int32)} @returns(2XX) success @endpoint DELETE /{realm}/sessions/{session} @desc Remove a specific user session. @returns(2XX) success @endpoint POST /{realm}/testLDAPConnection @desc Test LDAP connection @optional {action: str, bindCredential: str, bindDn: str, componentId: str, connectionTimeout: str, connectionUrl: str, startTls: str, useTruststoreSpi: str} @returns(2XX) success @endpoint POST /{realm}/testSMTPConnection @returns(2XX) success @endpoint GET /{realm}/user-storage/{id}/name @desc Need this for admin console to display simple name of provider when displaying user detail KEYCLOAK-4328 @returns(2XX) success @endpoint POST /{realm}/user-storage/{id}/remove-imported-users @desc Remove imported users @returns(2XX) success @endpoint POST /{realm}/user-storage/{id}/sync @desc Trigger sync of users Action can be "triggerFullSync" or "triggerChangedUsersSync" @optional {action: str} @returns(2XX) {added: int(int32), failed: int(int32), ignored: bool, removed: int(int32), status: str, updated: int(int32)} # success @endpoint POST /{realm}/user-storage/{id}/unlink-users @desc Unlink imported users from a storage provider @returns(2XX) success @endpoint POST /{realm}/user-storage/{parentId}/mappers/{id}/sync @desc Trigger sync of mapper data related to ldap mapper (roles, groups, …​) direction is "fedToKeycloak" or "keycloakToFed" @optional {direction: str} @returns(2XX) {added: int(int32), failed: int(int32), ignored: bool, removed: int(int32), status: str, updated: int(int32)} # success @endpoint GET /{realm}/users @desc Get users Returns a list of users, filtered according to query parameters @optional {briefRepresentation: bool, email: str, first: int(int32), firstName: str, lastName: str, max: int(int32) # Maximum results size (defaults to 100), search: str # A String contained in username, first or last name, or email, username: str} @returns(2XX) success @endpoint POST /{realm}/users @desc Create a new user Username must be unique. @optional {access: map, attributes: map, clientConsents: [map{clientId: str, createdDate: int(int64), grantedClientScopes: [str], lastUpdatedDate: int(int64)}], clientRoles: map, createdTimestamp: int(int64), credentials: [map{createdDate: int(int64), credentialData: str, id: str, priority: int(int32), secretData: str, temporary: bool, type: str, userLabel: str, value: str}], disableableCredentialTypes: [str], email: str, emailVerified: bool, enabled: bool, federatedIdentities: [map{identityProvider: str, userId: str, userName: str}], federationLink: str, firstName: str, groups: [str], id: str, lastName: str, notBefore: int(int32), origin: str, realmRoles: [str], requiredActions: [str], self: str, serviceAccountClientId: str, username: str} @returns(2XX) success @endpoint GET /{realm}/users-management-permissions @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint PUT /{realm}/users-management-permissions @optional {enabled: bool, resource: str, scopePermissions: map} @returns(2XX) {enabled: bool, resource: str, scopePermissions: map} # success @endpoint GET /{realm}/users/count @desc Returns the number of users that match the given criteria. @optional {email: str # email filter, firstName: str # first name filter, lastName: str # last name filter, search: str # arbitrary search string for all the fields below, username: str # username filter} @returns(2XX) success @endpoint GET /{realm}/users/{id} @desc Get representation of the user @returns(2XX) {access: map, attributes: map, clientConsents: [map], clientRoles: map, createdTimestamp: int(int64), credentials: [map], disableableCredentialTypes: [str], email: str, emailVerified: bool, enabled: bool, federatedIdentities: [map], federationLink: str, firstName: str, groups: [str], id: str, lastName: str, notBefore: int(int32), origin: str, realmRoles: [str], requiredActions: [str], self: str, serviceAccountClientId: str, username: str} # success @endpoint PUT /{realm}/users/{id} @desc Update the user @optional {access: map, attributes: map, clientConsents: [map{clientId: str, createdDate: int(int64), grantedClientScopes: [str], lastUpdatedDate: int(int64)}], clientRoles: map, createdTimestamp: int(int64), credentials: [map{createdDate: int(int64), credentialData: str, id: str, priority: int(int32), secretData: str, temporary: bool, type: str, userLabel: str, value: str}], disableableCredentialTypes: [str], email: str, emailVerified: bool, enabled: bool, federatedIdentities: [map{identityProvider: str, userId: str, userName: str}], federationLink: str, firstName: str, groups: [str], id: str, lastName: str, notBefore: int(int32), origin: str, realmRoles: [str], requiredActions: [str], self: str, serviceAccountClientId: str, username: str} @returns(2XX) success @endpoint DELETE /{realm}/users/{id} @desc Delete the user @returns(2XX) success @endpoint GET /{realm}/users/{id}/configured-user-storage-credential-types @desc Return credential types, which are provided by the user storage where user is stored. @returns(2XX) success @endpoint GET /{realm}/users/{id}/consents @desc Get consents granted by the user @returns(2XX) success @endpoint DELETE /{realm}/users/{id}/consents/{client} @desc Revoke consent and offline tokens for particular client from user @returns(2XX) success @endpoint GET /{realm}/users/{id}/credentials @returns(2XX) success @endpoint DELETE /{realm}/users/{id}/credentials/{credentialId} @desc Remove a credential for a user @returns(2XX) success @endpoint POST /{realm}/users/{id}/credentials/{credentialId}/moveAfter/{newPreviousCredentialId} @desc Move a credential to a position behind another credential @returns(2XX) success @endpoint POST /{realm}/users/{id}/credentials/{credentialId}/moveToFirst @desc Move a credential to a first position in the credentials list of the user @returns(2XX) success @endpoint PUT /{realm}/users/{id}/credentials/{credentialId}/userLabel @desc Update a credential label for a user @returns(2XX) success @endpoint PUT /{realm}/users/{id}/disable-credential-types @desc Disable all credentials for a user of a specific type @returns(2XX) success @endpoint PUT /{realm}/users/{id}/execute-actions-email @desc Send a update account email to the user An email contains a link the user can click to perform a set of required actions. @optional {client_id: str # Client id, lifespan: int(int32) # Number of seconds after which the generated token expires, redirect_uri: str # Redirect uri} @returns(2XX) success @endpoint GET /{realm}/users/{id}/federated-identity @desc Get social logins associated with the user @returns(2XX) success @endpoint POST /{realm}/users/{id}/federated-identity/{provider} @desc Add a social login provider to the user @optional {identityProvider: str, userId: str, userName: str} @returns(2XX) success @endpoint DELETE /{realm}/users/{id}/federated-identity/{provider} @desc Remove a social login provider from user @returns(2XX) success @endpoint GET /{realm}/users/{id}/groups @optional {briefRepresentation: bool, first: int(int32), max: int(int32), search: str} @returns(2XX) success @endpoint GET /{realm}/users/{id}/groups/count @optional {search: str} @returns(2XX) success @endpoint PUT /{realm}/users/{id}/groups/{groupId} @returns(2XX) success @endpoint DELETE /{realm}/users/{id}/groups/{groupId} @returns(2XX) success @endpoint POST /{realm}/users/{id}/impersonation @desc Impersonate the user @returns(2XX) success @endpoint POST /{realm}/users/{id}/logout @desc Remove all user sessions associated with the user Also send notification to all clients that have an admin URL to invalidate the sessions for the particular user. @returns(2XX) success @endpoint GET /{realm}/users/{id}/offline-sessions/{clientId} @desc Get offline sessions associated with the user and client @returns(2XX) success @endpoint PUT /{realm}/users/{id}/reset-password @desc Set up a new password for the user. @optional {createdDate: int(int64), credentialData: str, id: str, priority: int(int32), secretData: str, temporary: bool, type: str, userLabel: str, value: str} @returns(2XX) success @endpoint GET /{realm}/users/{id}/role-mappings @desc Get role mappings @returns(2XX) {clientMappings: map, realmMappings: [map]} # success @endpoint GET /{realm}/users/{id}/role-mappings/clients/{client} @desc Get client-level role mappings for the user, and the app @returns(2XX) success @endpoint POST /{realm}/users/{id}/role-mappings/clients/{client} @desc Add client-level roles to the user role mapping @returns(2XX) success @endpoint DELETE /{realm}/users/{id}/role-mappings/clients/{client} @desc Delete client-level roles from user role mapping @returns(2XX) success @endpoint GET /{realm}/users/{id}/role-mappings/clients/{client}/available @desc Get available client-level roles that can be mapped to the user @returns(2XX) success @endpoint GET /{realm}/users/{id}/role-mappings/clients/{client}/composite @desc Get effective client-level role mappings This recurses any composite roles @returns(2XX) success @endpoint GET /{realm}/users/{id}/role-mappings/realm @desc Get realm-level role mappings @returns(2XX) success @endpoint POST /{realm}/users/{id}/role-mappings/realm @desc Add realm-level role mappings to the user @returns(2XX) success @endpoint DELETE /{realm}/users/{id}/role-mappings/realm @desc Delete realm-level role mappings @returns(2XX) success @endpoint GET /{realm}/users/{id}/role-mappings/realm/available @desc Get realm-level roles that can be mapped @returns(2XX) success @endpoint GET /{realm}/users/{id}/role-mappings/realm/composite @desc Get effective realm-level role mappings This will recurse all composite roles to get the result. @returns(2XX) success @endpoint PUT /{realm}/users/{id}/send-verify-email @desc Send an email-verification email to the user An email contains a link the user can click to verify their email address. @optional {client_id: str # Client id, redirect_uri: str # Redirect uri} @returns(2XX) success @endpoint GET /{realm}/users/{id}/sessions @desc Get sessions associated with the user @returns(2XX) success @endgroup @end