Keycloak user group details

Hi, I am trying to fetch the details of the Keycloak user groups that a user belongs to. I can fetch the user details from the “Extract Context Properties” node and some more details using the REST endpoints. I am looking for a way to get the group details from the user account id. The requirement is to restrict the data displayed in the app based on the group details. Thanks in advance.


KNIME Business Hub provides a pretty extensive REST API that allows retrieving a wide range of account and other data. You can access the API’s interactive documentation with the following URI: http(s)://api.{WebAppURL}/api-doc/ (please update the URI for your environment). If you make a GET call to the /accounts/{id} endpoint of the accounts-service API, part of the return will include a JSON array object called “jwtGroupIdentifiers”. This array will contain a list of the Keycloak groups the user is a member of.


Thanks @kpowney, I tried that but it does not list all the groups for me. The jwtGroupIdentifiers JSON object was giving the details of the default groups for a user in the hub. Say “hubuser” and/or “admin”.

However, I am looking for the custom groups which are created in Keycloak, and to which the user is added manually in the backend using the Keycloak admin console. Please advise.

I did some testing this afternoon and I can confirm that this array should be showing all groups the user is a member of in Keycloak, including custom groups. To confirm this I created a new group called ‘testGroup’ in Keycloak on my test instance and added myself to it. I then queried the API for my user record and confirmed the API returned all three groups, including the two default groups ‘admin’ and ‘hubuser’ as well as the custom group ‘testGroup’. Please see the screenshots below as an example:


Thanks for helping with this request. I realised I was looking for the group that I created outside the /hub. I see all the child groups inside the “hub” are listed in your attached snippet. I had my custom group outside and that doesn’t show up in REST calls. I now created a new group inside the /hub and it doesn’t show for me either.

I suspect this might be because it takes some time to reflect in the Hub. I would appreciate it if you could let me know how long it takes for a new user group created in Keycloak to be reflected in the Hub.

I also noticed that I can see the jwtGroupIdentifiers object only for the admin user account and not the consumer (say a data app consumer account with no Teams access).

I don’t feel like it took very long for it to show up appropriately as it was there the first time I successfully queried the API. However, I was troubleshooting an unrelated issue at the time as well, and it was probably a larger gap in time from the creation of the group to the successful query. If I had to guess I would say it was within an hour of creating the group give or take. Unfortunately, I can’t get more specific. If I have some time this afternoon I can try retesting creating the group and querying the API right after.

@kpowney, thanks, I am interested to see your findings.

For me, it works fine once a mapper is defined and a successful PUT request is made for the new group in the Hub. It was reflected in the Hub within a few minutes.

Also, I see that if I do the REST query with admin account authorization, I see only the admin account’s jwtGroupIdentifiers object values. When I try to use the /accounts/{id} endpoint with the user ID, I don’t see that object in the response for some reason. However, when I query with the user’s credentials it shows the user’s groups.

How can we fetch user’s external group details with user’s ID and admin’s credentials for REST authorization? Any help would be very useful. Thanks.

The jwtGroupIdentifiers are extracted from the user’s authentication token. Therefore you can only see your own Keycloak groups but never from other users.
KNIME Business Hub 1.10 (to be released end of May) will introduce global groups which are managed directly in the Hub. There will be no need for Keycloak groups any more. Information about membership in these global groups is visible to everyone.
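
An added example, not part of the thread and not KNIME's own code: group-based filtering that fails closed when the “jwtGroupIdentifiers” array is absent, as it is when an account is looked up with someone else's credentials. Only the “jwtGroupIdentifiers” key and the group names 'hubuser' and 'testGroup' come from the thread; the other response fields, the element type (plain strings), 'financeGroup', the row layout and the function names are assumptions.

```python
import json

# Constructed sample bodies for GET /accounts/{id}. Only the key
# "jwtGroupIdentifiers" is taken from the thread; all other fields are assumed.
OWN_ACCOUNT = json.dumps({
    "id": "example-id-1",
    "name": "alice",
    "jwtGroupIdentifiers": ["hubuser", "testGroup"],
})
# Looked up with another account's credentials: the array is not returned.
OTHER_ACCOUNT = json.dumps({"id": "example-id-2", "name": "bob"})

# Hypothetical app data: each row names the group allowed to see it
# (None marks a row that needs no group).
ROWS = [
    {"region": "EMEA", "required_group": "testGroup"},
    {"region": "APAC", "required_group": "financeGroup"},
    {"region": "public", "required_group": None},
]


def groups_from_account(body):
    """Return the groups in an account response, or an empty set if the
    body is not JSON or the array is missing or of the wrong type."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return frozenset()
    if not isinstance(doc, dict):
        return frozenset()
    raw = doc.get("jwtGroupIdentifiers")
    if not isinstance(raw, list):
        return frozenset()
    return frozenset(g for g in raw if isinstance(g, str) and g)


def visible_rows(rows, groups):
    """Fail closed: a restricted row is shown only on an exact,
    case-sensitive match against the caller's groups."""
    return [r for r in rows
            if r["required_group"] is None or r["required_group"] in groups]


if __name__ == "__main__":
    for label, body in (("own", OWN_ACCOUNT), ("other", OTHER_ACCOUNT)):
        shown = visible_rows(ROWS, groups_from_account(body))
        print(label, [r["region"] for r in shown])
```

A missing array is treated as "no groups" rather than "no restriction", so a lookup that cannot see the user's token-derived groups never widens access.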


Thanks @thor, that will be great to have and looking forward to the release.
