Allowing a user to update their own profile using the REST API

Question

I have been experimenting with the REST API using my logged in user account's token to then make PUT requests on my user record to update some custom attributes.

In order to get to this work I had to grant my user account the manage-users role in Keycloak, prior to this I was getting forbidden responses back.

I can now make the PUT request successfully, and after logging out and logging back in I can see the updated attributes I set in my PUT request.

But I have now allowed my user to be able to manage all users in my realm, which I dont want to allow.

Instead I only want to be able to update my own account details.

I know the user can view their own profile and make changes on the Keycloak provided screens. But for certain custom attributes I want to be able to do this from the client side application they are logged in to, so using the REST API but not granting them a role that could allow them to update other users details.

Is this possible?

Answer 1

This seems to be possible with the Account Management API.

Unfortunately, I didn't find any official documentation about that. However, there's an example in Keycloak that demonstrates how to do it.

Answer 2

According to the User section Keycloak's Admin REST API, this is not possible.

One solution would be for your client app to send the update request to a backend. The backend will verify that the update request is legit (aka the JWT is verified and the update does apply to the user requesting the change).

Another solution would be to theme the User Account Service's screens to add input fields for your custom attributes, as the documentation says that:

This screen can be extended to allow the user to manage additional attributes. See the Server Developer Guide for more details.

The second option seems the more secure. I hope that helps.