Hello team,
How do I create policies (i.e. user policies, group policies) programmatically via APIs?
I found some APIs related to creating policies, but none of them seems to create (POST) a policy.
GET /{realm}/client-policies/policies
PUT /{realm}/client-policies/policies
Hi,
If you want to use REST directly, check the Keycloak admin GUI - it calls the REST API behind the scenes. Just do Inspect in the browser and then check the network traffic.
Refer to this link: Keycloak Authorization APIs to create Policies, Permissions and Resources
I'm looking for the same. I'm able to create a Postman collection with multiple requests, like get list of users/login etc.
But I'm struggling with the create policy call.
So far I found that I need to do a POST to:
{{authUrl}}/admin/realms/tyk/clients/{{clientId}}/authz/resource-server/policy/role
With JSON body:
{
  "type": "role",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "name": "Admin role policy",
  "description": "Only admin role policy",
  "roles": [
    {
      "id": "b026ef11-6a6d-44da-a477-12d483cc6ef4",
      "required": true
    }
  ]
}
At least this is the call I see from the GUI. But in Postman I always get: error: “unknown_error” 403 Forbidden
Am I missing some previous call to obtain some extra authorization token apart of login?
Is there any solution to this problem? Because I’m trying to use keycloak-admin-client library to create policies programmatically, but there is no way to do it…
For me the curl command below works:
commands:
curl -X POST https://keycloak.local/admin/realms/opendesk/clients/<realm-management-id>/authz/resource-server/policy/client \
  --header "Authorization: Bearer $MASTER_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{"clients":["<id-of-client>"],
           "logic":"POSITIVE",
           "name":"<name-of-policy>",
           "description":"<description>"}'
Output/Response:
{"id":"baedXXXX-XXX-XXXX-XXXX-2c72b304f7a3","name":"<client-id>","description":"","type":"client","logic":"POSITIVE","decisionStrategy":"UNANIMOUS","clients":["<id-of-client>"]}
You need to set the appropriate permissions for the confidential client whose token you are using:
Under the Service Account Roles for that client, click on Assign Role and then select the relevant “client” roles. This should resolve the 403 error. I'm not sure exactly which roles are relevant, but as a starting point, you could assign it ALL the available roles (this is not a safe practice though; you would need to identify which roles are relevant).
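Putting the thread together, the following is an added example (not code from Keycloak or from any poster above) of the whole exchange in Python with only the standard library: obtain a token for a confidential client with the client_credentials grant, resolve the target client's internal UUID (the admin endpoints take the `id`, not the `clientId` string), POST the role policy shown earlier in the thread, and map the status codes people hit here (401/403/404) to what to fix. The host, realm, the `policy-admin` client and its secret, and the `my-resource-server` client are all assumptions for the example. The 403 hint names the `realm-management` client role `manage-authorization` as the least-privilege grant for the authz endpoints; that is my understanding of what those endpoints check, so verify it on your Keycloak version before relying on it instead of assigning all roles.

```python
"""Create a Keycloak Authorization Services policy via the Admin REST API.

Added example for this thread, not Keycloak's or a poster's code.
Assumptions: BASE_URL/REALM/ADMIN_CLIENT_* /TARGET_CLIENT_ID are placeholders,
and the admin client's service account holds the realm-management role
manage-authorization (assumed to be the role the authz endpoints require).
"""
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://keycloak.local"      # assumed host
REALM = "tyk"                            # realm used in the thread
ADMIN_CLIENT_ID = "policy-admin"         # assumed confidential client with a service account
ADMIN_CLIENT_SECRET = "change-me"        # assumed secret
TARGET_CLIENT_ID = "my-resource-server"  # assumed client with Authorization enabled


def token_request(base_url, realm, client_id, client_secret):
    """URL and form body for the client_credentials grant on the realm token endpoint."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    return url, body


def policy_url(base_url, realm, client_uuid, policy_type):
    """Admin endpoint creating a policy of one type (role, client, ...) on a resource server.
    client_uuid must be the client's internal id, not its clientId string."""
    return (f"{base_url}/admin/realms/{realm}/clients/{client_uuid}"
            f"/authz/resource-server/policy/{policy_type}")


def role_policy_body(name, role_ids, description="", required=True):
    """Body in the shape the admin console sends for a role policy."""
    return {"type": "role", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "name": name, "description": description,
            "roles": [{"id": rid, "required": required} for rid in role_ids]}


def admin_call(method, url, token, payload=None):
    """Send one admin request; return (status, parsed JSON or raw text) without raising."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read().decode(errors="replace")
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, raw


def diagnose(status, body):
    """Map the status codes seen in this thread to the fix a practitioner needs."""
    if status in (200, 201):
        return "created"
    if status == 401:
        return "unauthorized: token expired or issued for another realm; fetch a new one"
    if status == 403:
        # Assumption: manage-authorization on realm-management is the role the authz
        # endpoints check; grant it to the service account instead of every role.
        return ("forbidden: assign the realm-management client role manage-authorization "
                "to the admin client's service account, then fetch a new token")
    if status == 404:
        return "not found: check the realm and use the client's uuid, not its clientId"
    return f"unexpected {status}: {body}"


def fetch_token():
    url, body = token_request(BASE_URL, REALM, ADMIN_CLIENT_ID, ADMIN_CLIENT_SECRET)
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST")) as resp:
        return json.load(resp)["access_token"]


def client_uuid(token, client_id):
    """Resolve a clientId string to the internal uuid via GET /clients?clientId=..."""
    url = f"{BASE_URL}/admin/realms/{REALM}/clients?" + urllib.parse.urlencode({"clientId": client_id})
    status, body = admin_call("GET", url, token)
    if status != 200 or not body:
        raise RuntimeError(diagnose(status, body))
    return body[0]["id"]


def create_role_policy(token, target_uuid, name, role_ids, description=""):
    status, body = admin_call("POST", policy_url(BASE_URL, REALM, target_uuid, "role"),
                              token, role_policy_body(name, role_ids, description))
    return status, body, diagnose(status, body)


if __name__ == "__main__":
    tok = fetch_token()
    target = client_uuid(tok, TARGET_CLIENT_ID)
    # "<role-uuid>" is a placeholder: look the role's id up under GET /admin/realms/{realm}/roles
    status, body, verdict = create_role_policy(tok, target, "Admin role policy",
                                               ["<role-uuid>"], "Only admin role policy")
    print(status, verdict)
    print(json.dumps(body, indent=2))
```

The script deliberately returns status and body instead of raising on HTTP errors, because Keycloak answers the missing-role case with a bare 403 and `unknown_error`, which is not self-explanatory; `diagnose` turns that into the service-account fix discussed above. A 201 with the policy JSON echoed back (including the generated `id`) is the success case, matching the curl output shown earlier in the thread.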