keycloak: User ID ignored during user creation using the REST API

Describe the bug

When creating a new user using the admin API, the specified user ID parameter is ignored and a random ID is generated instead

{
  "id": "d8d8ea22-227c-4be2-afc5-0989688aa3bf",
  "username": "test",
  "email": "test@email.com",
  "enabled": "true",
  "totp": false,
  "emailVerified": "true",
  "disableableCredentialTypes": [],
  "requiredActions": [],
  "notBefore": 0,
  "access": {},
  "groups": ["Test_Group"],
  "credentials": [
    {
      "type": "password",
      "value": "test",
      "temporary": "true"
    }
  ],
  "attributes": {
    "test_attribute": "test_value"
  },
  "realmRoles": ["mb-user"]
}

Version

18.0.0

Expected behavior

The new user’s ID should match the POST request’s ID parameter

Actual behavior

A random user ID is generated

How to Reproduce?

Create a new user while specifying the id in the POST request’s data

Anything else?

No response

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 11
  • Comments: 18 (6 by maintainers)

Most upvoted comments

If you check the https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_userrepresentation page, there is an ‘id’ parameter. If you don’t support id while creating a user, this information causes confusion.

Note, when fixing this issue I think it is important that this is done as a generic solution for all things that are indexed with an id, not just the users.

Just wanted to say that I have arrived here after losing plenty of hours due to inconsistent API documentation that implied that the id can be set, so I think that the documentation should clarify which fields can be set and which cannot. Another alternative could be for the POST /admin/realms/{realm}/users endpoint (or any endpoint in the users resource that needs it) to return some kind of error indicating that you cannot set the id (or any other field that is in UserRepresentation but is not writable).

I think integrating Keycloak with a custom system which tracks Keycloak users as well (for DB integrity reasons or for keeping extra columns that the system needs) is a pretty common use case. That means that if the user is created from the custom system’s side, and UUIDs are used on both sides, then the id should be available for writing on the Keycloak side via the API. This is especially useful if you are using SQL transactions and you want to first write to the DB, then write to Keycloak via the REST API, and roll back if the API call fails. I feel that I am not the only one doing this. StackOverflow is filled with posts that indicate that other people are syncing their custom systems with Keycloak in this way.

Just my two cents, thank you for your time.
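The bug report above and the write-to-DB-then-Keycloak pattern described in this comment both turn on one check: whether the id Keycloak actually assigned matches the one the client sent. The following is an added example, not code from the issue or from the Keycloak project. It assumes a Keycloak admin base URL, realm and bearer token (placeholders below), relies on the admin API answering a successful user creation with 201 and a Location header whose last path segment is the assigned user id, and uses an in-memory SQLite table as a stand-in for the custom system's own user table so the rollback path can be exercised without a server.

```python
"""Create a Keycloak user with an explicit id and verify the id was honoured.

Added example; hypothetical deployment values are marked as placeholders.
"""
import json
import sqlite3
import urllib.request
import uuid
from urllib.error import HTTPError

KEYCLOAK_URL = "https://keycloak.example.invalid"  # placeholder, not a real host
REALM = "master"                                    # placeholder realm name


def build_user_representation(requested_id, username, email):
    """Minimal UserRepresentation carrying an explicit id, like the issue's payload.
    Booleans are sent as JSON booleans rather than the "true" strings in the report."""
    return {
        "id": requested_id,
        "username": username,
        "email": email,
        "enabled": True,
        "emailVerified": False,
    }


def user_id_from_location(location):
    """Assigned user id = last path segment of the 201 Location header; None if absent."""
    if not location:
        return None
    return location.rstrip("/").rsplit("/", 1)[-1]


def id_was_honored(requested_id, location):
    """True only when the server kept exactly the id the client asked for."""
    assigned = user_id_from_location(location)
    return assigned is not None and assigned == requested_id


def create_user(token, representation):
    """POST to the admin API; returns (status, location). Network call, not run offline."""
    req = urllib.request.Request(
        f"{KEYCLOAK_URL}/admin/realms/{REALM}/users",
        data=json.dumps(representation).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as e:
        return e.code, e.headers.get("Location")


def open_local_db():
    """Constructed stand-in for the custom system's user table (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (id TEXT PRIMARY KEY, username TEXT)")
    return conn


def sync_user_to_keycloak(conn, requested_id, username, email, create_fn):
    """Write the local row first, then the Keycloak user, inside one local transaction.

    Roll the local write back if the API call fails OR if Keycloak substituted a
    different id (the behaviour reported in this issue), so the two stores never
    hold diverging ids. create_fn(representation) -> (status, location) lets the
    real HTTP call be swapped for a stub."""
    rep = build_user_representation(requested_id, username, email)
    try:
        conn.execute("INSERT INTO app_user (id, username) VALUES (?, ?)",
                     (requested_id, username))
        status, location = create_fn(rep)
        if status != 201:
            raise RuntimeError(f"Keycloak returned HTTP {status}")
        if not id_was_honored(requested_id, location):
            raise RuntimeError(
                f"Keycloak assigned {user_id_from_location(location)} "
                f"instead of requested {requested_id}")
        conn.commit()
        return True
    except Exception:
        conn.rollback()
        return False


if __name__ == "__main__":
    # Against a live server: requested id vs. the id Keycloak actually assigned.
    token = "ADMIN_TOKEN_PLACEHOLDER"
    ok = sync_user_to_keycloak(open_local_db(), str(uuid.uuid4()), "test",
                               "test@email.com", lambda rep: create_user(token, rep))
    print("local row committed" if ok else "rolled back: id not honoured or call failed")
```

On an affected version the comparison in `id_was_honored` is what fails: the POST succeeds with 201, but the Location header carries a freshly generated UUID, so the local row is rolled back instead of being left pointing at an id that does not exist in Keycloak.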

@stianst How come this is being classified as an enhancement if in the API docs it has an id field on the request payload? It should either be supported or have the docs updated.

https://www.keycloak.org/docs-api/21.0.1/rest-api/index.html#_userrepresentation


Is there a workaround for this in the meantime?

Only to insert it directly into the database via SQL instead of using the API

This is useful when I want the UUID in, for example, a backend DB and the UUID in Keycloak to be the same.

I am re-opening this issue as it is highly upvoted and the issue it was closed in favour of (#14134) is only applicable for importing, not the REST API.