[keycloak-user] Create client in master realm with API

Bill Burke bburke at redhat.com
Mon Feb 22 11:47:52 EST 2016


https://issues.jboss.org/browse/KEYCLOAK-2522

On 2/22/2016 9:02 AM, Christian Bauer wrote:
> Hi
>
> I'm trying to implement a multi-tenant system that should use Keycloak, from its Docker image. I'd like to use the Keycloak admin API from another container. My first goal is to create a new client in the master realm for my tenant administration app, then create realms for each tenant, etc.
>
> To do this I'm using the admin-cli client in the master realm with public direct grant authentication, and I can get an authentication token with superuser roles for the admin user.
>
> Next I tried to POST /auth/realms/master/clients/default with a client representation and the admin-cli bearer token. This is forbidden, because though I have superuser roles, I don't have the Constants.REALM_MANAGEMENT_CLIENT_ID resource roles required in ClientRegistrationAuth:177.
>
> I'm not sure I'm doing this right. The console web UI probably has the same roles if I'm logged in as admin and it's able to create users.
>
> I guess I could step further through the code to find the difference. Other options I've considered:
>
> - Don't create a new client in the master realm and continue using the admin-cli client for superuser tasks.
>
> - Adjust the Docker image bootstrap so it exports the initial database, then manipulate the exported files with some JSON transformer, then import again.
>
> - Hack the themes/Angular frontend of the security-admin-console and use this to implement my tenant/user administration app.
>
> Thoughts?

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


