
Keycloak - Add/Remove Realm role from a user using API calls

Tags:

keycloak

Passing userRepresentation.id to keycloakServerURL + "/auth/admin/realms/XXXX/users/"+userId+"/role-mappings/realm" I get these roles for a certain user...

[
    {
        "id": "xxxxxxx-1faf-4604-832a-fa7ab7eb4344",
        "name": "uma_authorization",
        "description": "${role_uma_authorization}",
        "composite": false,
        "clientRole": false,
        "containerId": "XXXX"
    },
    {
        "id": "xxxxxxx-ad9f-444e-adf4-be11ab7a3d98",
        "name": "member_paid",
        "description": "Membership Paid",
        "composite": false,
        "clientRole": false,
        "containerId": "XXXX"
    },
    {
        "id": "xxxxx-2d73-48a8-844d-a953cb570270",
        "name": "offline_access",
        "description": "${role_offline-access}",
        "composite": false,
        "clientRole": false,
        "containerId": "XXXX"
    }
]

I cannot figure out which API I am supposed to use to add/remove a role from/to the User.

Please can you advise what is the API I need to use?

The best I can find is this one below but I don't know what the params (Path and request property should be)...

public void removeRole(JsonObject userToken, String clientId, String role) throws IOException {

    URL url = new URL(keycloakServerURL + "/auth/admin/realms/XXXX/groups/" + role + "/role-mappings/clients/" + clientId);

    ...
    HttpURLConnection con = (HttpURLConnection) url.openConnection();
    con.setRequestMethod("POST");

    con.setRequestProperty("id", clientId);
    con.setRequestProperty("name", role);
    ....

asked Feb 20 '20 03:02

Tony


1 Answer

Endpoints are

Get Role Mappings:

GET /auth/admin/realms/{Realm}/users/{userid}/role-mappings/realm

Add Role Mappings:

POST /auth/admin/realms/{Realm}/users/{userid}/role-mappings/realm

Delete Role Mappings:

DELETE /auth/admin/realms/{Realm}/users/{userid}/role-mappings/realm

Example Add Role

You have a role, e.g. named testrole with the id dc5572a5-b7e0-4c4b-b841-dc88108df70f (you see it in the URL when you have opened the Keycloak admin GUI, or you fetch it with some other REST API request).

Now we have a Request of Type POST to the endpoint /auth/admin/realms/{Realm}/users/{userid}/role-mappings/realm with a body of type application/json and the following body-value

[
    {
        "id": "dc5572a5-b7e0-4c4b-b841-dc88108df70f",
        "name" : "testrole"
    }
]

After successful execution you get a response with HTTP-Code 204 => The testrole - role mapping is applied to this user

Example Curl Request

curl --request POST \
  --url http://localhost/auth/admin/realms/{Realm}/users/{userid}/role-mappings/realm \
  --header 'authorization: Bearer eyJh......h3RLw' \
  --header 'content-type: application/json' \
  --data '[
    {
        "id": "dc5572a5-b7e0-4c4b-b841-dc88108df70f",
        "name" : "testrole"
    }
]'

If you want to delete it again, just send the same request (same body) but with the HTTP method DELETE instead of POST.

Please let me know if this solved your issue.

answered Nov 18 '22 17:11

Evil_skunk
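
Added example (not part of the answer above and not Keycloak's own code): a Java 11+ client for the asker's use case that resolves the role by name through GET /auth/admin/realms/{Realm}/roles/{role-name} and then sends that representation to the role-mappings endpoint from the answer. The class name, the adminBase and accessToken parameters, and the seg helper are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class RealmRoleMapper {
    private final HttpClient http = HttpClient.newHttpClient();
    private final String adminBase;   // assumed: keycloakServerURL + "/auth/admin/realms/XXXX"
    private final String accessToken; // assumed: admin bearer token obtained elsewhere
    public RealmRoleMapper(String adminBase, String accessToken) {
        this.adminBase = adminBase;
        this.accessToken = accessToken;
    }

    // Percent-encode a path segment so a role name or user id cannot alter the URL path.
    static String seg(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    private HttpResponse<String> send(String method, String path, String jsonBody)
            throws IOException, InterruptedException {
        HttpRequest.BodyPublisher body = jsonBody == null
                ? HttpRequest.BodyPublishers.noBody() : HttpRequest.BodyPublishers.ofString(jsonBody);
        HttpRequest req = HttpRequest.newBuilder(URI.create(adminBase + path))
                .header("Authorization", "Bearer " + accessToken)
                .header("Content-Type", "application/json")
                .method(method, body)
                .build();
        return http.send(req, HttpResponse.BodyHandlers.ofString());
    }

    // method is "POST" to add the realm role to the user, "DELETE" to remove it.
    public void changeRealmRole(String method, String userId, String roleName)
            throws IOException, InterruptedException {
        // Look the role up by name; the response is its representation ("id", "name", ...).
        HttpResponse<String> role = send("GET", "/roles/" + seg(roleName), null);
        if (role.statusCode() != 200) {
            throw new IOException("Role lookup failed: HTTP " + role.statusCode());
        }
        // The mapping endpoints take a JSON array of role representations.
        HttpResponse<String> res = send(method,
                "/users/" + seg(userId) + "/role-mappings/realm", "[" + role.body() + "]");
        if (res.statusCode() != 204) {
            throw new IOException(method + " role mapping failed: HTTP " + res.statusCode());
        }
    }
}
```

Treating anything other than 204 as a failure keeps a rejected token or a mistyped role name from passing silently as a completed role change.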