[1.1.5] Added the ability to list credentials for a given user

Author: looorent

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.5] - 2026-01-05
+
+* [Feature] Added the ability to list credentials for a given user.
+* [Fix] Implemented safe parsing for nested JSON elements within `CredentialRepresentation` (handling both `credentialData` and `secretData` fields). Please refer to [the official documentation](https://www.keycloak.org/docs-api/latest/rest-api/index.html#CredentialRepresentation).
+* [Breaking] Renamed `CredentialRepresentation` attribute `created_date` $\rightarrow$ `createdDate` to align with the Keycloak Admin API.
+
 ## [1.1.4] - 2025-11-08
 
 * Add remove_realm_level_role_name! action on a GroupClient (thanks to @mkrawc)

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    keycloak-admin (1.1.4)
+    keycloak-admin (1.1.5)
       http-cookie (~> 1.0, >= 1.0.3)
       rest-client (~> 2.0)
 

README.md

@@ -12,7 +12,7 @@ This gem *does not* require Rails.
 For example, using `bundle`, add this line to your Gemfile.
 
 ```ruby
-gem "keycloak-admin", "1.1.4"
+gem "keycloak-admin", "1.1.5"
 ```
 
 ## Login
@@ -112,6 +112,7 @@ All options have a default value. However, all of them can be changed in your in
 * Get an access token
 * Create/update/get/delete a user
 * Get list of users, search for user(s)
+* List credentials of a user
 * Reset credentials
 * Impersonate a user
 * Exchange a configurable token
@@ -226,6 +227,13 @@ new_password = "coco"
 KeycloakAdmin.realm("a_realm").users.update_password(user_id, new_password)
 ```
 
+### List credentials
+
+```ruby
+user_id      = "95985b21-d884-4bbd-b852-cb8cd365afc2"
+KeycloakAdmin.realm("a_realm").users.credentials(user_id)
+```
+
 ### Impersonate a password directly
 
 Returns an instance of `KeycloakAdmin::ImpersonationRepresentation`.

lib/keycloak-admin/client/user_client.rb

@@ -123,6 +123,13 @@ def update_password(user_id, new_password)
       user_id
     end
 
+    def credentials(user_id)
+      response = execute_http do
+        RestClient::Resource.new(credentials_url(user_id), @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |group_as_hash| CredentialRepresentation.from_hash(group_as_hash) }
+    end
+
     def forgot_password(user_id, lifespan=nil)
       execute_actions_email(user_id, ["UPDATE_PASSWORD"], lifespan)
     end
@@ -232,6 +239,11 @@ def groups_url(user_id)
       "#{users_url(user_id)}/groups"
     end
 
+    def credentials_url(user_id)
+      raise ArgumentError.new("user_id must be defined") if user_id.nil?
+      "#{users_url(user_id)}/credentials"
+    end
+
     def impersonation_url(user_id)
       raise ArgumentError.new("user_id must be defined") if user_id.nil?
       "#{users_url(user_id)}/impersonation"

lib/keycloak-admin/representation/credential_representation.rb

@@ -1,6 +1,8 @@
 module KeycloakAdmin
   class CredentialRepresentation < Representation
-    attr_accessor :type,
+    attr_accessor :id,
+      :type,
+      :userLabel,
       :device,
       :value,
       :hashedSaltedValue,
@@ -10,7 +12,9 @@ class CredentialRepresentation < Representation
       :algorithm,
       :digits,
       :period,
-      :created_date,
+      :createdDate,
+      :credentialData,
+      :secretData,
       :config,
       :temporary
 
@@ -30,10 +34,39 @@ def self.from_json(json)
     def self.from_hash(hash)
       credential = new
       hash.each do |key, value|
-        property = "@#{key}".to_sym
-        credential.instance_variable_set(property, value)
+        if credential.respond_to?("#{key}=")
+          credential.public_send("#{key}=", value)
+        end
       end
+
+      nested_attributes = safely_parse_nested_json(hash["credentialData"]).merge(safely_parse_nested_json(hash["secretData"]))
+
+      nested_attributes.each do |key, value|
+        if credential.respond_to?("#{key}=")
+          current_value = credential.public_send(key)
+          if current_value.nil?
+            credential.public_send("#{key}=", value)
+          end
+        end
+      end
+
       credential
     end
+
+    class << self
+      private
+
+      def safely_parse_nested_json(json_string)
+        if json_string.nil? || json_string.strip.empty?
+          {}
+        else
+          begin
+            JSON.parse(json_string)
+          rescue JSON::ParserError
+            {}
+          end
+        end
+      end
+    end
   end
 end

lib/keycloak-admin/version.rb

@@ -1,3 +1,3 @@
 module KeycloakAdmin
-  VERSION = "1.1.4"
+  VERSION = "1.1.5"
 end

spec/client/user_client_spec.rb

@@ -370,4 +370,49 @@
       end
     end
   end
+
+  describe '#credentials' do
+    let(:realm_name) { "valid-realm" }
+
+    before(:each) do
+      @user_client = KeycloakAdmin.realm(realm_name).users
+      stub_token_client
+      json_payload = <<-'payload'
+        [
+          {
+            "id": "2ff4b4d0-fd72-4c6e-9684-02ab337687c2",
+            "type": "password",
+            "userLabel": "My password",
+            "createdDate": 1767604673211,
+            "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}"
+          },
+          {
+            "id": "34389672-9356-4154-9ed6-6c212b869010",
+            "type": "otp",
+            "userLabel": "Smartphone",
+            "createdDate": 1767605202060,
+            "credentialData": "{\"subType\":\"totp\",\"digits\":6,\"counter\":0,\"period\":30,\"algorithm\":\"HmacSHA1\"}"
+          }
+        ]
+      payload
+      allow_any_instance_of(RestClient::Resource).to receive(:get).and_return json_payload
+    end
+
+    context 'when user_id is defined' do
+      let(:user_id) { '95985b21-d884-4bbd-b852-cb8cd365afc2' }
+      it 'returns list of credentials' do
+        response = @user_client.credentials(user_id)
+        expect(response.size).to eq 2
+        expect(response[0].id).to eq "2ff4b4d0-fd72-4c6e-9684-02ab337687c2"
+        expect(response[1].id).to eq "34389672-9356-4154-9ed6-6c212b869010"
+      end
+    end
+
+    context 'when user_id is not defined' do
+      let(:user_id) { nil }
+      it 'raise argument error' do
+        expect { @user_client.credentials(user_id) }.to raise_error(ArgumentError)
+      end
+    end
+  end
 end

spec/representation/credential_representation_spec.rb

@@ -0,0 +1,68 @@
+
+RSpec.describe KeycloakAdmin::CredentialRepresentation do
+  describe ".from_json" do
+    it "parses a password" do
+      json_payload = <<-'payload'
+        {
+          "id": "2ff4b4d0-fd72-4c6e-9684-02ab337687c2",
+          "type": "password",
+          "userLabel": "My password",
+          "createdDate": 1767604673211,
+          "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}"
+        }
+      payload
+
+      credential = described_class.from_json(json_payload)
+      expect(credential).to be
+      expect(credential).to be_a described_class
+      expect(credential.id).to eq "2ff4b4d0-fd72-4c6e-9684-02ab337687c2"
+      expect(credential.type).to eq "password"
+      expect(credential.createdDate).to eq 1767604673211
+      expect(credential.credentialData).to eq "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}"
+      expect(credential.userLabel).to eq "My password"
+      expect(credential.device).to be_nil
+      expect(credential.value).to be_nil
+      expect(credential.hashedSaltedValue).to be_nil
+      expect(credential.salt).to be_nil
+      expect(credential.hashIterations).to eq 5
+      expect(credential.counter).to be_nil
+      expect(credential.algorithm).to eq "argon2"
+      expect(credential.digits).to be_nil
+      expect(credential.period).to be_nil
+      expect(credential.config).to be_nil
+      expect(credential.temporary).to be_nil
+    end
+
+    it "parses an otp" do
+      json_payload = <<-'payload'
+        {
+          "id": "34389672-9356-4154-9ed6-6c212b869010",
+          "type": "otp",
+          "userLabel": "Smartphone",
+          "createdDate": 1767605202060,
+          "credentialData": "{\"subType\":\"totp\",\"digits\":6,\"counter\":0,\"period\":30,\"algorithm\":\"HmacSHA1\"}"
+        }
+      payload
+
+      credential = described_class.from_json(json_payload)
+      expect(credential).to be
+      expect(credential).to be_a described_class
+      expect(credential.id).to eq "34389672-9356-4154-9ed6-6c212b869010"
+      expect(credential.type).to eq "otp"
+      expect(credential.createdDate).to eq 1767605202060
+      expect(credential.credentialData).to eq "{\"subType\":\"totp\",\"digits\":6,\"counter\":0,\"period\":30,\"algorithm\":\"HmacSHA1\"}"
+      expect(credential.userLabel).to eq "Smartphone"
+      expect(credential.device).to be_nil
+      expect(credential.value).to be_nil
+      expect(credential.hashedSaltedValue).to be_nil
+      expect(credential.salt).to be_nil
+      expect(credential.hashIterations).to be_nil
+      expect(credential.counter).to eq 0
+      expect(credential.algorithm).to eq "HmacSHA1"
+      expect(credential.digits).to eq 6
+      expect(credential.period).to eq 30
+      expect(credential.config).to be_nil
+      expect(credential.temporary).to be_nil
+    end
+  end
+end