Stop Keycloak from assigning default roles to users

I require each user in my realm to have only one role. But I can’t get to this state because, when a new user is created, Keycloak adds the default-roles-(realmname) to the user’s roles. So my app role is appended to the list, so to speak. I don’t want Keycloak to assign any roles to my users other than those that I specify.

A default answer to this question might be “delete the role after the user is created” but that would require admin level access, and I don’t want to give my API which creates the user that level of access.

I’d prefer Keycloak didn’t assign any roles, as why would you want some other system controlling the access and permissions that your users are assigned?

Any tips on this one?

Thanks

Did you solve this?
I’m facing the same issue.

Thanks!

It’s not possible to prevent the auto-assignment of the default-roles-<realm>.
If you don’t assign any roles to the default-roles-…, then the user has actually no role and thus no permissions to anything.
Of course you can delete the role assignment right after the user has been created. If you create the user through the API, like the OP mentioned, your API already has the right to modify the user and thus to unassign the default-roles.
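
The unassign step from the last reply, as an added example that is not part of the thread or of Keycloak's own code: it removes the `default-roles-<realm>` mapping through the Admin REST API's `users/{id}/role-mappings/realm` endpoint and re-reads the mappings so the caller can confirm only the intended role remains. The function names, the `send` transport hook, the host, token and role data are assumptions constructed for illustration; `base_url` must carry the `/auth` prefix on installs that still use it.

```python
import json
import urllib.request
from urllib.parse import quote

def http_send(method, url, token, body=None):
    """Default transport: one authenticated Admin REST call, JSON in and out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def strip_default_role(base_url, realm, user_id, token, send=http_send):
    """Unassign default-roles-<realm> from one user; return the realm roles left."""
    admin = f"{base_url.rstrip('/')}/admin/realms/{quote(realm, safe='')}"
    mappings = f"{admin}/users/{quote(user_id, safe='')}/role-mappings/realm"
    wanted = f"default-roles-{realm}".lower()
    assigned = send("GET", mappings, token) or []
    default = [r for r in assigned if r["name"].lower() == wanted]
    if default:
        # The delete call takes an array of role representations.
        send("DELETE", mappings, token,
             [{"id": r["id"], "name": r["name"]} for r in default])
    # Re-read instead of trusting the delete, so the caller can verify the result.
    return sorted(r["name"] for r in (send("GET", mappings, token) or []))

def demo():
    """Offline run against a constructed in-memory stand-in for the server."""
    roles = [{"id": "r1", "name": "default-roles-demo"},   # constructed sample data
             {"id": "r2", "name": "app-user"}]
    def fake_send(method, url, token, body=None):
        if method == "DELETE":
            gone = {r["id"] for r in body}
            roles[:] = [r for r in roles if r["id"] not in gone]
            return None
        return list(roles)
    return strip_default_role("https://keycloak.example.test", "demo",
                              "00000000-0000-0000-0000-000000000000", "TOKEN",
                              send=fake_send)

if __name__ == "__main__":
    print(demo())
```

A caller that requires exactly one role per user can compare the returned list against the single expected role name and treat any difference as a provisioning failure.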