[keycloak-user] Design concerns on automated Keycloak Client addition to a realm

[Orestis Tsakiridis]

Hello,

I'm trying to design a keycloak-based system that will have the following
characteristics:

* A single realm R will exist with a big set of users.
* Users will be able to install instances of software X that consists of
four (4) applications protected by keycloak.
* Each application in any instance of X will have a corresponding Keycloak
Client entity containing a set of application-level roles. Thus, having the
appropriate role,m a user of R can selectively be granted access to any
application of any instance of X.
* The addition of a new instance of X to the keycloak realm (the creation
of the Clients, client roles etc.) is called 'registration' and will be
done using the Keycloak Admin REST API.

What's the best practice to achieve automatic registration of a new
instance to the realm?

I've considered the following:

a. Have the instance applications *directly* consume keycloak Admin REST
API and create Clients and Client roles. As far as i investigated users of
the instance will need to have a  R:realm-management:manage-clients role in
order to do that (create-client didn't work). This seems a pretty
permissive role to give to any user in R.

b. Have a separate keycloak-protected application that won't be part of X
to do the important work of 'registration'. It will work as a proxy. The
application will act on behalf of an administrator user with a powerfull
role like R:realm-management:realm-admin. The application will define it's
own set of roles and HTTP API for instance registration. All users will
have to go through it to register their instance. It will work as a proxy.
But they won't need to be granted dangerous roles to do it.

Any suggestion will be more than welcome.

Thanks

Orestis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/f14b465f/attachment.html