[keycloak-user] Best practices for multi-realm user management with Keycloak-Admin-Client

Thomas Darimont thomas.darimont at googlemail.com
Fri Feb 24 04:16:49 EST 2017


Hello Group,

What's the current best practice to manage users in multiple realms via
the keycloak-admin-client?

A simple variant is to create a dedicated confidential client "internal-realm-admin" in the master realm with only "direct access grants: on" and "service accounts enabled: on", and "standard flow enabled: off".

Given that Keycloak contains two other realms "tenant1" and "tenant2" besides master, we want to enable the service account for "internal-realm-admin" to manage users (CRUD) for those realms only.

Now this service client gets the following service-account client roles:
* "tenant1-realm": "manage-users" and "view-clients" (to list the applications)
* "tenant2-realm": "manage-users" and "view-clients" (to list the applications)

Now one can use this single client in a centralized service to manage both realms with a keycloak-admin-client constructed like this:

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

// Authenticate as the service account of the confidential client in "master";
// the client's service-account roles decide which realms it may administer.
Keycloak keycloak = KeycloakBuilder.builder()
    .realm("master")
    .serverUrl("http://192.168.99.1:8080/auth")
    .clientId("internal-realm-admin")
    .clientSecret("SECRET")
    .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
    .build();

To manage users in tenant1 one can now do something like this:
keycloak.realm("tenant1").users().create(userRepresentation)

and for tenant2 ...
keycloak.realm("tenant2").users().create(userRepresentation)

Some Advantages:
+ one can globally manage users via a single centralized client
+ you can quickly generate a new secret for this single service
+ you don't need a dedicated user to manage other users

Some Disadvantages:
- in certain environments this can be seen as a too privileged user / client
- user management operations are performed with the client service account and not a "real" user

I think with this approach one is quite flexible and still has the possibility to create a dedicated (tenant) realm admin user / client and exclude it from the "internal-realm-admin" for tenants who need explicit control over their user management.

Thoughts?

Cheers,
Thomas
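The centralized service sketched in the post, written out as an added example (this is not Thomas's code or part of Keycloak): one confidential client in "master" authenticates with client credentials, and the service keeps an explicit allow-list of tenant realms so that a caller-supplied realm name can never steer the service account at "master" or at a tenant that manages its own users. The class name MultiRealmUserService, the KEYCLOAK_ADMIN_CLIENT_SECRET environment variable, and the sample user values are assumptions for the example; the server URL, realm and client names are the ones from the post.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.ws.rs.core.Response;

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Hypothetical centralized user-management service (example only) that uses the
 * single confidential client "internal-realm-admin" from the master realm.
 * The realms it may touch are an explicit allow-list: the service-account roles
 * on the Keycloak side already limit what the token can do, and this list makes
 * sure the service never even attempts an admin call outside the intended tenants.
 */
public class MultiRealmUserService {

    private final Keycloak keycloak;
    private final Set<String> managedRealms;

    public MultiRealmUserService(Keycloak keycloak, Set<String> managedRealms) {
        this.keycloak = keycloak;
        this.managedRealms = Collections.unmodifiableSet(new HashSet<>(managedRealms));
    }

    /** Rejects any realm that is not on the allow-list before an admin call is made. */
    private void checkRealm(String realm) {
        if (!managedRealms.contains(realm)) {
            throw new IllegalArgumentException("realm not managed by this service: " + realm);
        }
    }

    /** Creates an enabled user with a temporary password and returns the new user id. */
    public String createUser(String realm, String username, String email, String tempPassword) {
        checkRealm(realm);

        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue(tempPassword);
        credential.setTemporary(true); // user must change it on first login

        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEmail(email);
        user.setEnabled(true);
        user.setCredentials(Arrays.asList(credential));

        // Needs the "manage-users" role of <realm>-realm on the service account.
        Response response = keycloak.realm(realm).users().create(user);
        try {
            // 201 Created is the only success case; 409 means the username or email already exists.
            if (response.getStatus() != 201) {
                throw new IllegalStateException("user creation in " + realm
                        + " failed: HTTP " + response.getStatus());
            }
            // Location header is .../admin/realms/<realm>/users/<id>; take the last path segment.
            String path = response.getLocation().getPath();
            return path.substring(path.lastIndexOf('/') + 1);
        } finally {
            response.close();
        }
    }

    /** Lists the client ids of a tenant realm; needs the realm's "view-clients" role. */
    public List<String> listClientIds(String realm) {
        checkRealm(realm);
        List<String> ids = new ArrayList<>();
        for (ClientRepresentation client : keycloak.realm(realm).clients().findAll()) {
            ids.add(client.getClientId());
        }
        return ids;
    }

    public static void main(String[] args) {
        // The secret is read from the environment here (assumed variable name) rather than hard-coded.
        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl("http://192.168.99.1:8080/auth")
                .realm("master")
                .clientId("internal-realm-admin")
                .clientSecret(System.getenv("KEYCLOAK_ADMIN_CLIENT_SECRET"))
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .build();

        MultiRealmUserService service = new MultiRealmUserService(
                keycloak, new HashSet<>(Arrays.asList("tenant1", "tenant2")));

        // Sample values, constructed for the example.
        String id = service.createUser("tenant1", "alice", "alice@example.com", "Ch4nge-me!");
        System.out.println("created user " + id + " in tenant1; clients visible: "
                + service.listClientIds("tenant1"));

        // "master" is deliberately absent from the allow-list, so this fails before any HTTP call.
        try {
            service.createUser("master", "someone", "someone@example.com", "x");
        } catch (IllegalArgumentException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The allow-list is the application-side half of the "those realms only" goal; the Keycloak-side half is the set of service-account roles Thomas lists, and both should agree. Checking the HTTP status of the create call matters because the admin client does not throw on a 409 conflict, so a silent "success" would otherwise hide a duplicate username.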

