Keycloak Producer Operations
The Keycloak producer supports administrative operations on Keycloak instances via the Admin API.
For an overview of the Keycloak component, see Keycloak Component.
Configuration
The Keycloak component supports four authentication methods:
- Access Token (Bearer Token): use a pre-obtained access token
- Refresh Token: maintain long-running sessions with automatic token refresh
- Username/Password: Resource Owner Password Credentials flow
- Client Credentials: service-to-service authentication
Access Token Authentication
Use this when you have a pre-obtained access token from an external authentication system:
Java:

```java
// Configure Keycloak component with access token
KeycloakComponent keycloak = context.getComponent("keycloak", KeycloakComponent.class);
KeycloakConfiguration config = new KeycloakConfiguration();
config.setServerUrl("http://localhost:8080");
config.setRealm("master");
config.setAccessToken("eyJhbGciOiJSUzI1NiIsInR5cC...");
keycloak.setConfiguration(config);
```

Refresh Token Authentication
Use this for long-running sessions that need to maintain authentication without storing credentials. The refresh token will be used to automatically obtain new access tokens when needed:
Java:

```java
// Configure Keycloak component with refresh token
KeycloakComponent keycloak = context.getComponent("keycloak", KeycloakComponent.class);
KeycloakConfiguration config = new KeycloakConfiguration();
config.setServerUrl("http://localhost:8080");
config.setRealm("master");
config.setClientId("my-client");
config.setRefreshToken("eyJhbGciOiJIUzI1NiIsInR5cCIgOi...");
// Optional: set client secret for confidential clients
config.setClientSecret("my-client-secret");
keycloak.setConfiguration(config);
```

Note: refresh token authentication requires a clientId. The clientSecret is optional and should be provided only if your client is configured as confidential in Keycloak.
Username/Password Authentication
Use this for admin user authentication:
Java:

```java
// Configure Keycloak component with an admin username and password
KeycloakComponent keycloak = context.getComponent("keycloak", KeycloakComponent.class);
KeycloakConfiguration config = new KeycloakConfiguration();
config.setServerUrl("http://localhost:8080");
config.setRealm("master");
config.setUsername("admin");
config.setPassword("admin");
keycloak.setConfiguration(config);
```

Client Credentials Authentication
Use this for service-to-service authentication:
Java:

```java
// Configure Keycloak component with client credentials
KeycloakComponent keycloak = context.getComponent("keycloak", KeycloakComponent.class);
KeycloakConfiguration config = new KeycloakConfiguration();
config.setServerUrl("http://localhost:8080");
config.setRealm("master");
config.setClientId("my-service-client");
config.setClientSecret("my-client-secret");
keycloak.setConfiguration(config);
```

Supported Operations
The component supports the following operations:
- Realm Management: createRealm, getRealm, updateRealm, deleteRealm
- User Management: createUser, getUser, updateUser, listUsers, searchUsers, deleteUser
- User Attributes: getUserAttributes, setUserAttribute, deleteUserAttribute
- User Credentials: getUserCredentials, deleteUserCredential
- User Actions: sendVerifyEmail, sendPasswordResetEmail, addRequiredAction, removeRequiredAction, executeActionsEmail
- Role Management: createRole, getRole, updateRole, listRoles, deleteRole, assignRoleToUser, removeRoleFromUser, getUserRoles
- Group Management: createGroup, getGroup, updateGroup, listGroups, deleteGroup, addUserToGroup, removeUserFromGroup, listUserGroups
- Client Management: createClient, getClient, updateClient, listClients, deleteClient
- Client Secret Management: getClientSecret, regenerateClientSecret
- Client Role Management: createClientRole, getClientRole, updateClientRole, listClientRoles, deleteClientRole, assignClientRoleToUser, removeClientRoleFromUser
- Password Management: resetUserPassword
- Session Management: listUserSessions, logoutUser, logoutAllUsers
- Token Management: revokeAccessToken, revokeRefreshToken, introspectToken, pushNotBefore
- Client Scope Management: createClientScope, getClientScope, updateClientScope, listClientScopes, deleteClientScope
- Identity Provider Management: createIdentityProvider, getIdentityProvider, updateIdentityProvider, listIdentityProviders, deleteIdentityProvider
- Authorization Services: createResource, getResource, updateResource, listResources, deleteResource, createResourcePolicy, getResourcePolicy, updateResourcePolicy, listResourcePolicies, deleteResourcePolicy, createResourcePermission, getResourcePermission, updateResourcePermission, listResourcePermissions, deleteResourcePermission, evaluatePermission
- Organization Management (Keycloak 26+): createOrganization, getOrganization, updateOrganization, listOrganizations, searchOrganizations, deleteOrganization, addOrganizationMember, removeOrganizationMember, listOrganizationMembers, linkOrganizationIdentityProvider, unlinkOrganizationIdentityProvider, listOrganizationIdentityProviders
Usage Pattern
All producer operations follow the same pattern: set the operation name in the URI and pass parameters via message headers.
```java
template.sendBodyAndHeaders("keycloak:admin?operation=<operationName>", null, headers);
```

User Operations
Java:

```java
// Create a new user
Map<String, Object> headers = new HashMap<>();
headers.put("CamelKeycloakRealmName", "my-realm");
headers.put("CamelKeycloakUsername", "john.doe");
headers.put("CamelKeycloakUserEmail", "john.doe@example.com");
headers.put("CamelKeycloakUserFirstName", "John");
headers.put("CamelKeycloakUserLastName", "Doe");
template.sendBodyAndHeaders("keycloak:admin?operation=createUser", null, headers);

// Set user password
Map<String, Object> passwordHeaders = new HashMap<>();
passwordHeaders.put("CamelKeycloakRealmName", "my-realm");
passwordHeaders.put("CamelKeycloakUsername", "john.doe");
passwordHeaders.put("CamelKeycloakUserPassword", "secure-password");
passwordHeaders.put("CamelKeycloakUserPasswordTemporary", false);
template.sendBodyAndHeaders("keycloak:admin?operation=setUserPassword", null, passwordHeaders);

// List all users in realm
template.sendBodyAndHeader("keycloak:admin?operation=listUsers", null,
        "CamelKeycloakRealmName", "my-realm");

// Delete a user
Map<String, Object> deleteHeaders = new HashMap<>();
deleteHeaders.put("CamelKeycloakRealmName", "my-realm");
deleteHeaders.put("CamelKeycloakUsername", "john.doe");
template.sendBodyAndHeaders("keycloak:admin?operation=deleteUser", null, deleteHeaders);
```

Role Operations
Java:

```java
// Create a new role
Map<String, Object> roleHeaders = new HashMap<>();
roleHeaders.put("CamelKeycloakRealmName", "my-realm");
roleHeaders.put("CamelKeycloakRoleName", "manager");
roleHeaders.put("CamelKeycloakRoleDescription", "Manager role with elevated privileges");
template.sendBodyAndHeaders("keycloak:admin?operation=createRole", null, roleHeaders);

// Get role information
Map<String, Object> getRoleHeaders = new HashMap<>();
getRoleHeaders.put("CamelKeycloakRealmName", "my-realm");
getRoleHeaders.put("CamelKeycloakRoleName", "manager");
template.sendBodyAndHeaders("keycloak:admin?operation=getRole", null, getRoleHeaders);

// Assign role to user
Map<String, Object> assignHeaders = new HashMap<>();
assignHeaders.put("CamelKeycloakRealmName", "my-realm");
assignHeaders.put("CamelKeycloakUsername", "john.doe");
assignHeaders.put("CamelKeycloakRoleName", "manager");
template.sendBodyAndHeaders("keycloak:admin?operation=assignRoleToUser", null, assignHeaders);

// Delete a role
Map<String, Object> deleteRoleHeaders = new HashMap<>();
deleteRoleHeaders.put("CamelKeycloakRealmName", "my-realm");
deleteRoleHeaders.put("CamelKeycloakRoleName", "old-role");
template.sendBodyAndHeaders("keycloak:admin?operation=deleteRole", null, deleteRoleHeaders);
```

YAML:

```yaml
# Create role route
- route:
    from:
      uri: direct:create-role
      steps:
        - setHeader:
            name: CamelKeycloakRealmName
            constant: "my-realm"
        - setHeader:
            name: CamelKeycloakRoleName
            expression:
              simple:
                expression: "${body[roleName]}"
        - setHeader:
            name: CamelKeycloakRoleDescription
            expression:
              simple:
                expression: "${body[description]}"
        - to:
            uri: keycloak:admin
            parameters:
              operation: createRole
        - log:
            message: "Created role: ${header.CamelKeycloakRoleName}"

# Assign role to user route
- route:
    from:
      uri: direct:assign-role
      steps:
        - setHeader:
            name: CamelKeycloakRealmName
            constant: "my-realm"
        - setHeader:
            name: CamelKeycloakUsername
            expression:
              simple:
                expression: "${body[username]}"
        - setHeader:
            name: CamelKeycloakRoleName
            expression:
              simple:
                expression: "${body[roleName]}"
        - to:
            uri: keycloak:admin
            parameters:
              operation: assignRoleToUser
        - log:
            message: "Assigned role ${header.CamelKeycloakRoleName} to user ${header.CamelKeycloakUsername}"
```

Operations Reference
All operations below follow the same usage pattern shown above. Set the operation name in the endpoint URI and pass the required headers.
Realm Operations
| Operation | Required Headers | Description |
|---|---|---|
| createRealm | | Create a new realm |
| getRealm | | Get realm information |
| updateRealm | | Update realm settings |
| deleteRealm | | Delete a realm |
Client Operations
| Operation | Required Headers | Description |
|---|---|---|
| createClient | | Create a new client. Optional: |
| getClient | | Get client information |
| updateClient | | Update client settings |
| listClients | | List all clients in a realm |
| deleteClient | | Delete a client |
Group Operations
| Operation | Required Headers | Description |
|---|---|---|
| createGroup | | Create a new group |
| getGroup | | Get group information |
| updateGroup | | Update group settings |
| listGroups | | List all groups in a realm |
| deleteGroup | | Delete a group |
| addUserToGroup | | Add user to a group |
| removeUserFromGroup | | Remove user from a group |
| listUserGroups | | List groups a user belongs to |
Password Management Operations
| Operation | Required Headers | Description |
|---|---|---|
| resetUserPassword | | Reset user password. Optional: |
User Search Operations
| Operation | Required Headers | Description |
|---|---|---|
| searchUsers | | Search users by query. Optional: |
| getUserRoles | | Get roles assigned to a user |
Client Role Operations
| Operation | Required Headers | Description |
|---|---|---|
| createClientRole | | Create a client role. Optional: |
| getClientRole | | Get client role information |
| updateClientRole | | Update a client role |
| listClientRoles | | List all client roles |
| deleteClientRole | | Delete a client role |
| assignClientRoleToUser | | Assign client role to user |
| removeClientRoleFromUser | | Remove client role from user |
Session Management Operations
| Operation | Required Headers | Description |
|---|---|---|
| listUserSessions | | List active sessions for a user |
| logoutUser | | Invalidate all sessions for a user |
| logoutAllUsers | | Invalidate all sessions in a realm |
Token Management Operations
| Operation | Required Headers | Description |
|---|---|---|
| revokeAccessToken | | Revoke an access token |
| revokeRefreshToken | | Revoke a refresh token |
| introspectToken | | Introspect a token for real-time validation |
| pushNotBefore | | Invalidate all tokens issued before now |
Client Scope Operations
| Operation | Required Headers | Description |
|---|---|---|
| createClientScope | | Create a client scope |
| getClientScope | | Get client scope details |
| updateClientScope | | Update a client scope |
| listClientScopes | | List all client scopes |
| deleteClientScope | | Delete a client scope |
Identity Provider Operations
| Operation | Required Headers | Description |
|---|---|---|
| createIdentityProvider | | Create an OIDC/SAML identity provider |
| getIdentityProvider | | Get identity provider details |
| updateIdentityProvider | | Update identity provider settings |
| listIdentityProviders | | List all identity providers |
| deleteIdentityProvider | | Delete an identity provider |
Organization Operations (Keycloak 26+)
| Operation | Required Headers | Description |
|---|---|---|
| createOrganization | | Create organization. Optional: |
| getOrganization | | Get organization details |
| updateOrganization | | Update organization |
| listOrganizations | | List all organizations |
| searchOrganizations | | Search by name/alias/domain |
| deleteOrganization | | Delete an organization |
| addOrganizationMember | | Add user to organization |
| removeOrganizationMember | | Remove member |
| listOrganizationMembers | | List members |
| linkOrganizationIdentityProvider | | Link identity provider |
| unlinkOrganizationIdentityProvider | | Unlink identity provider |
| listOrganizationIdentityProviders | | List linked identity providers |
User Attribute Operations
| Operation | Required Headers | Description |
|---|---|---|
| setUserAttribute | | Set a custom attribute on a user |
| getUserAttributes | | Get all custom attributes for a user |
| deleteUserAttribute | | Delete a custom attribute |
User Credential and Action Operations
| Operation | Required Headers | Description |
|---|---|---|
| getUserCredentials | | Get user credentials list |
| deleteUserCredential | | Delete a specific credential |
| sendVerifyEmail | | Send email verification |
| sendPasswordResetEmail | | Send password reset email |
| addRequiredAction | | Add required action (e.g., |
| removeRequiredAction | | Remove a required action |
| executeActionsEmail | | Execute multiple actions via email. Optional: |
Client Secret Management
| Operation | Required Headers | Description |
|---|---|---|
| getClientSecret | | Retrieve the client secret |
| regenerateClientSecret | | Rotate the client secret |
Authorization Services Operations
Note: these operations require a client with authorization services enabled in Keycloak.

| Operation | Required Headers | Description |
|---|---|---|
| createResource | | Create an authorization resource |
| getResource | | Get resource details |
| updateResource | | Update a resource |
| listResources | | List all resources |
| deleteResource | | Delete a resource |
| createResourcePolicy | | Create authorization policy |
| getResourcePolicy | | Get policy details |
| updateResourcePolicy | | Update a policy |
| listResourcePolicies | | List all policies |
| deleteResourcePolicy | | Delete a policy |
| createResourcePermission | | Create resource permission |
| getResourcePermission | | Get permission details |
| updateResourcePermission | | Update a permission |
| listResourcePermissions | | List all permissions |
| deleteResourcePermission | | Delete a permission |
Permission Evaluation
The evaluatePermission operation allows you to evaluate authorization permissions for a user or service account using Keycloak’s Authorization Services. This operation uses the Keycloak Authorization Client (AuthzClient) to request permissions and obtain a Requesting Party Token (RPT) with granted permissions.
Note: this operation requires Authorization Services to be enabled on the client in Keycloak.
Configuration Requirements
- serverUrl: Keycloak server URL
- realm: Keycloak realm name
- clientId: client ID with authorization services enabled
- clientSecret: client secret (required for AuthzClient)
Modes of Operation
The operation supports two modes:
- RPT Mode (default): returns a Requesting Party Token (RPT) containing the granted permissions
- Permissions-Only Mode: returns only the list of permissions without obtaining an RPT token
Usage Examples
Java:

```java
// Evaluate all permissions for a user
Map<String, Object> headers = new HashMap<>();
headers.put("CamelKeycloakAccessToken", userAccessToken);
headers.put("CamelKeycloakPermissionsOnly", true);
Map<String, Object> result = template.requestBodyAndHeaders(
        "keycloak:authz?serverUrl=http://localhost:8080&realm=myrealm"
        + "&clientId=myapp&clientSecret=secret&operation=evaluatePermission",
        null, headers, Map.class);
List<Permission> permissions = (List<Permission>) result.get("permissions");
boolean hasAccess = (Boolean) result.get("granted");

// Check specific resource permissions
Map<String, Object> resourceHeaders = new HashMap<>();
resourceHeaders.put("CamelKeycloakAccessToken", userAccessToken);
resourceHeaders.put("CamelKeycloakPermissionResourceNames", "document1,document2");
resourceHeaders.put("CamelKeycloakPermissionScopes", "read,write");
resourceHeaders.put("CamelKeycloakPermissionsOnly", true);
Map<String, Object> resourceResult = template.requestBodyAndHeaders(
        "keycloak:authz?serverUrl=http://localhost:8080&realm=myrealm"
        + "&clientId=myapp&clientSecret=secret&operation=evaluatePermission",
        null, resourceHeaders, Map.class);
```

YAML:

```yaml
# Evaluate permissions for a user
- route:
    id: evaluate-user-permissions
    from:
      uri: direct:check-permissions
      steps:
        - setHeader:
            name: CamelKeycloakAccessToken
            expression:
              simple:
                expression: "${header.Authorization.substring(7)}"
        - setHeader:
            name: CamelKeycloakPermissionsOnly
            constant: true
        - to:
            # Keep the URI on one line: a folded (>) block scalar would join the
            # lines with spaces and corrupt the query string.
            uri: "keycloak:authz?serverUrl={{keycloak.server-url}}&realm={{keycloak.realm}}&clientId={{keycloak.client-id}}&clientSecret={{keycloak.client-secret}}&operation=evaluatePermission"
        - log:
            message: "User has ${body[permissionCount]} permissions, access granted: ${body[granted]}"
```

Error Handling
The operation throws exceptions in the following cases:
- IllegalArgumentException: when required configuration is missing (serverUrl, realm, clientId, clientSecret)
- AuthorizationDeniedException: when the user doesn't have permission to access the requested resources
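The following route is an added example, not code from the Camel documentation. It puts evaluatePermission in front of a protected endpoint and treats anything other than an explicit grant, including an AuthorizationDeniedException, as a deny; the direct:serve-document endpoint, the documentId header and the property placeholders are assumptions.

```java
// Added example: fail-closed permission check in front of a protected route.
// Assumed (not from the page): direct:serve-document, the documentId header and
// the keycloak.* property placeholders.
import java.util.Map;

import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.keycloak.authorization.client.AuthorizationDeniedException;

public class DocumentAccessRoute extends RouteBuilder {

    private static final String EVALUATE_URI =
            "keycloak:authz?serverUrl={{keycloak.server-url}}&realm={{keycloak.realm}}"
            + "&clientId={{keycloak.client-id}}&clientSecret={{keycloak.client-secret}}"
            + "&operation=evaluatePermission";

    @Override
    public void configure() {
        // Keycloak denied the request: answer 403 and stop, without leaking the stack trace.
        onException(AuthorizationDeniedException.class)
                .handled(true)
                .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(403))
                .setBody(constant("access denied"));

        from("direct:read-document")
                .routeId("read-document")
                // The bearer token arrives in the Authorization header; strip "Bearer ".
                .setHeader("CamelKeycloakAccessToken", simple("${header.Authorization.substring(7)}"))
                // Ask only about the resource and scope this route actually serves.
                .setHeader("CamelKeycloakPermissionResourceNames", simple("${header.documentId}"))
                .setHeader("CamelKeycloakPermissionScopes", constant("read"))
                .setHeader("CamelKeycloakPermissionsOnly", constant(true))
                // Keep the caller's body aside while the decision replaces it.
                .setProperty("originalBody", body())
                .to(EVALUATE_URI)
                .choice()
                    // Only an explicit "granted": true lets the request through.
                    .when().method(DocumentAccessRoute.class, "isGranted")
                        .setBody(exchangeProperty("originalBody"))
                        .to("direct:serve-document")
                    .otherwise()
                        .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(403))
                        .setBody(constant("access denied"))
                .end();
    }

    /** Deny by default: a missing result or a missing/false "granted" flag is not a grant. */
    public static boolean isGranted(Map<String, Object> result) {
        return result != null && Boolean.TRUE.equals(result.get("granted"));
    }
}
```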
Keycloak Setup for Authorization Services
To use the evaluatePermission operation, you must configure Authorization Services in Keycloak:
1. Enable Authorization on the client: go to Clients → Your client → Settings → Enable Authorization: ON
2. Create Resources: go to Authorization → Resources → create resources representing protected entities
3. Create Scopes (optional): go to Authorization → Scopes → create scopes like "read", "write", "delete"
4. Create Policies: go to Authorization → Policies → create policies (role-based, user-based, time-based, etc.)
5. Create Permissions: go to Authorization → Permissions → link resources, scopes, and policies together
Bulk Operations
Bulk operations allow you to perform multiple operations in a single request, improving efficiency and reducing network overhead.
Bulk Create Users
Java:

```java
// Create multiple users at once
List<UserRepresentation> users = new ArrayList<>();
for (int i = 1; i <= 100; i++) {
    UserRepresentation user = new UserRepresentation();
    user.setUsername("user" + i);
    user.setEmail("user" + i + "@company.com");
    user.setFirstName("User");
    user.setLastName("" + i);
    user.setEnabled(true);
    users.add(user);
}

Map<String, Object> headers = new HashMap<>();
headers.put("CamelKeycloakRealmName", "my-realm");
headers.put("CamelKeycloakContinueOnError", true); // Continue even if some users fail

Map<String, Object> result = template.requestBodyAndHeaders(
        "keycloak:admin?operation=bulkCreateUsers", users, headers, Map.class);

// Result contains summary and details
System.out.println("Total: " + result.get("total"));
System.out.println("Success: " + result.get("success"));
System.out.println("Failed: " + result.get("failed"));
```

YAML:

```yaml
# Bulk create users route
- route:
    from:
      uri: direct:bulk-create-users
      steps:
        - setHeader:
            name: CamelKeycloakRealmName
            constant: "my-realm"
        - setHeader:
            name: CamelKeycloakContinueOnError
            constant: true
        - to:
            uri: keycloak:admin
            parameters:
              operation: bulkCreateUsers
        - log:
            message: "Created ${body[success]} out of ${body[total]} users"
```

Other Bulk Operations
| Operation | Required Headers | Description |
|---|---|---|
| bulkCreateUsers | | Create multiple users. Optional: |
| | | Delete multiple users |
| | | Update multiple users |
| | | Assign multiple roles to one user |
| | | Assign one role to multiple users |
Bulk Operations Response Format
All bulk operations return a consistent response format:
```json
{
  "total": 10,
  "success": 8,
  "failed": 2,
  "results": [
    {
      "username": "user1",
      "status": "success",
      "statusCode": 201
    },
    {
      "username": "user2",
      "status": "failed",
      "error": "User already exists"
    }
  ]
}
```

Best Practices for Bulk Operations
- Use Continue on Error: always set continueOnError=true for bulk operations to get complete feedback on all items
- Monitor Results: check the results map to identify and handle failures appropriately
- Batch Size: for very large datasets, consider splitting into smaller batches (e.g., 100-500 users per batch)
- Transactions: note that Keycloak operations are not transactional; some items may succeed while others fail
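The helper below is an added example, not code from the Camel documentation. It applies the practices above in one place: it splits a user list into batches, sends each batch to bulkCreateUsers with CamelKeycloakContinueOnError set, and collects the failed entries from the response format documented above so a caller can retry or report them; the class name and the assumption that "results" deserialises as a list of maps are mine.

```java
// Added example: batched bulkCreateUsers with per-item failure collection.
// Assumed (not from the page): the component is already configured, and
// "results" in the response is a List<Map<String,Object>> matching the JSON above.
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.camel.ProducerTemplate;
import org.keycloak.representations.idm.UserRepresentation;

public class BatchedUserImport {

    /** Outcome of one import run: totals plus the usernames that failed and why. */
    public static final class Summary {
        public int total;
        public int success;
        public final Map<String, String> failures = new HashMap<>();
    }

    public static Summary importInBatches(ProducerTemplate template, String realm,
                                          List<UserRepresentation> users, int batchSize) {
        // Keep batches in the 100-500 range recommended above; reject nonsense sizes.
        if (batchSize < 1 || batchSize > 500) {
            throw new IllegalArgumentException("batchSize must be between 1 and 500");
        }
        Summary summary = new Summary();
        for (int start = 0; start < users.size(); start += batchSize) {
            List<UserRepresentation> batch =
                    users.subList(start, Math.min(start + batchSize, users.size()));

            Map<String, Object> headers = new HashMap<>();
            headers.put("CamelKeycloakRealmName", realm);
            // Keep going past duplicates so every item in the batch gets a verdict.
            headers.put("CamelKeycloakContinueOnError", true);

            @SuppressWarnings("unchecked")
            Map<String, Object> result = template.requestBodyAndHeaders(
                    "keycloak:admin?operation=bulkCreateUsers", batch, headers, Map.class);

            summary.total += ((Number) result.get("total")).intValue();
            summary.success += ((Number) result.get("success")).intValue();
            recordFailures(result, summary);
        }
        return summary;
    }

    /** Pulls the failed entries out of "results"; operations are not transactional, so the caller decides how to remediate. */
    @SuppressWarnings("unchecked")
    static void recordFailures(Map<String, Object> result, Summary summary) {
        Object results = result.get("results");
        if (!(results instanceof List)) {
            return;
        }
        for (Map<String, Object> item : (List<Map<String, Object>>) results) {
            if ("failed".equals(item.get("status"))) {
                summary.failures.put(String.valueOf(item.get("username")),
                        String.valueOf(item.get("error")));
            }
        }
    }
}
```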
Complete Producer Example
Java:

```java
// Configure Keycloak component
KeycloakComponent keycloak = getContext().getComponent("keycloak", KeycloakComponent.class);
KeycloakConfiguration config = new KeycloakConfiguration();
config.setServerUrl("http://localhost:8080");
config.setRealm("master");
config.setUsername("admin");
config.setPassword("admin");
keycloak.setConfiguration(config);

// Comprehensive user management route
from("direct:setup-user-environment")
    .routeId("setup-user-environment")
    .log("Setting up user environment...")
    // Step 1: Create realm
    .setHeader("CamelKeycloakRealmName", constant("my-company"))
    .to("keycloak:admin?operation=createRealm")
    // Step 2: Create roles
    .setHeader("CamelKeycloakRoleName", constant("admin"))
    .setHeader("CamelKeycloakRoleDescription", constant("Administrator role"))
    .to("keycloak:admin?operation=createRole")
    // Step 3: Create client
    .setHeader("CamelKeycloakClientId", constant("my-app"))
    .setHeader("CamelKeycloakClientSecretRequired", constant(true))
    .to("keycloak:admin?operation=createClient")
    // Step 4: Create user
    .setHeader("CamelKeycloakUsername", constant("admin.user"))
    .setHeader("CamelKeycloakUserEmail", constant("admin@company.com"))
    .to("keycloak:admin?operation=createUser")
    // Step 5: Set password and assign role
    .setHeader("CamelKeycloakUserPassword", constant("admin123"))
    .to("keycloak:admin?operation=setUserPassword")
    .setHeader("CamelKeycloakRoleName", constant("admin"))
    .to("keycloak:admin?operation=assignRoleToUser")
    .transform().constant("User environment setup completed successfully");
```

YAML:

```yaml
# Complete Keycloak producer configuration
- route:
    id: setup-user-environment
    from:
      uri: direct:setup-user-environment
      steps:
        - log:
            message: "Setting up user environment..."
        - setHeader:
            name: CamelKeycloakRealmName
            constant: "my-company"
        - to:
            uri: keycloak:admin
            parameters:
              operation: createRealm
        - setHeader:
            name: CamelKeycloakRoleName
            constant: "admin"
        - to:
            uri: keycloak:admin
            parameters:
              operation: createRole
        - setHeader:
            name: CamelKeycloakClientId
            constant: "my-app"
        - to:
            uri: keycloak:admin
            parameters:
              operation: createClient
        - setHeader:
            name: CamelKeycloakUsername
            constant: "admin.user"
        - setHeader:
            name: CamelKeycloakUserEmail
            constant: "admin@company.com"
        - to:
            uri: keycloak:admin
            parameters:
              operation: createUser
        - setHeader:
            name: CamelKeycloakUserPassword
            constant: "admin123"
        - to:
            uri: keycloak:admin
            parameters:
              operation: setUserPassword
        - setHeader:
            name: CamelKeycloakRoleName
            constant: "admin"
        - to:
            uri: keycloak:admin
            parameters:
              operation: assignRoleToUser
        - transform:
            constant: "User environment setup completed successfully"
```

Component configuration (application properties in YAML form):

```yaml
# Component configuration
camel:
  component:
    keycloak:
      server-url: "http://localhost:8080"
      realm: "master"
      username: "admin"
      password: "admin"
```