Assign a client role to a user
keycloak_user_client_role_assignAssign a specific client-level role to a Keycloak user. Idempotent operation uses user UUID, client UUID, and role name.
Instructions
Write: grants a single client-level role (belonging to one specific client) to a user, not a realm role. This is idempotent — assigning a role the user already has succeeds without changing anything. The role must already exist on the client; list candidates with keycloak_client_roles_list and verify current assignments with keycloak_user_client_roles_get. Returns a confirmation that the client role was assigned, or a message explaining why it was not (for example, the user, client, or role was not found).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| role | Yes | The name of an existing client role to grant (e.g. 'manage-users'), as returned by keycloak_client_roles_list. This is the role name, not its ID. | |
| userId | Yes | The Keycloak user ID (the user's UUID, e.g. 'f47ac10b-58cc-4372-a567-0e02b2c3d479'), not the username. Identifies the user who receives the client role. | |
| clientId | Yes | The Keycloak client's internal ID (the client's UUID), not the human-readable clientId/client name. Identifies the client that owns the role being granted. |