[keycloak-user] clientSecret passing upon Client creation

Adam Lis adam.lis at gmail.com
Tue Jun 20 11:07:20 EDT 2017


Hi!

Thanks for the response.

Re what I'd like to achieve: I'd like to give some people a
Client/ClientSecret pair so they could use my Keycloak instance. Since this
instance gets recreated by a config management utility very often (e.g. 5
times a day), I need functionality that lets me specify the ClientSecret
when "provisioning" the Keycloak instance.

So for my needs, export-import is not a good solution, since my server is
started using the standalone.sh script as PID=1 inside a docker container.
Also, it would be hard to execute an export in my case, since docker
container shutdown is also done by the config management system, and I'd
need to start standalone.sh again with export set. BTW: when export/import
is invoked by migration.action, it seems strange that the main server
thread is also starting.

So I've read
https://keycloak.gitbooks.io/documentation/server_admin/topics/admin-cli.html
and
https://keycloak.gitbooks.io/documentation/securing_apps/topics/client-registration/client-registration-cli.html

The above documents describe the process of e.g. defining new Clients.
But that does not answer my question at all.

So maybe once again my question: >>> Is specifying the 'secret' parameter
in the JSON when creating a new Client using e.g. "kcadm.sh create clients
-r REALM_NAME -f JSON_FILE.json -i" a proper and supported way of passing
the ClientSecret value to a newly created Client? <<<

AdamLis;


2017-06-20 16:17 GMT+02:00 Marko Strukelj <mstrukel at redhat.com>:

> You can find documentation for kcadm.sh at:
> https://keycloak.gitbooks.io/documentation/server_admin/topics/admin-cli.html
>
> Maybe for your usecase you might also want to use kcreg.sh, documentation
> for which you can find at:
> https://keycloak.gitbooks.io/documentation/securing_apps/topics/client-registration/client-registration-cli.html
>
> kcreg.sh is meant for use by application developers to self-provision
> clients in order to integrate their apps with a Keycloak Server.
>
> There is also a boot time import functionality which you can use to import
> the whole realm:
> https://keycloak.gitbooks.io/documentation/server_admin/topics/export-import.html
>
> As to your question whether you can base realm / client creation on
> Keycloak's export / import functionality or CLI tools the answer is - yes,
> that's the idea. If you can't achieve something basic and obvious then the
> tools have to be improved.
>
> If you can be more specific what you are trying to achieve and what
> exactly you do, then I can give you more specific advice.
>
> Also, if you can be more specific what you were not able to find in the
> documentation, we can add it or make it easier to find.
>
> On Tue, Jun 20, 2017 at 2:24 PM, Adam Lis <adam.lis at gmail.com> wrote:
>
>> Hi!
>>
>> I've tried to search for this information in the documentation, but have
>> not succeeded.
>>
>> Let's assume I'm using keycloak docker container.
>>
>> Inside running instance I'm willing to add new Client like this:
>>
>> /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f FILE_CONTAINING_DEFINITION.json -i
>>
>> So I'm getting actual contents of JSON file for example by exporting
>> existing Client (since I see no example in documentation as well)
>>
>> But in the export, the software is not setting the 'secret' value in case
>> 'clientAuthenticatorType' is set to 'client-secret'.
>>
>> I've anyway tried to add a 'secret' field to the JSON and it has been
>> accepted by Keycloak - so Keycloak has created the Client with the
>> ClientSecret value passed by the JSON file in the field named 'secret'.
>>
>> My question and concern is: does this functionality (setting the desired
>> ClientSecret on Client creation from JSON) work the intended way? Can I
>> base my whole Realm/Client creation solution on that functionality?
>>
>> A little background: I'm willing to run Keycloak deployment with docker
>> container as part of configuration management - so I'm storing Realm and
>> Client data in outside storage and I'm willing to pass these configuration
>> pieces into newly started Keycloak inside docker container.
>>
>> Thanks;
>> AdamLis;
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
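
An added example, not part of the original thread and not Keycloak project code: one way to render the client definition with a preset 'secret' field (which the poster reports Keycloak accepted) for the "kcadm.sh create clients" call discussed above, keeping the secret out of command-line arguments and in a file only the provisioning user can read. The function names, the KC_CLIENT_SECRET variable, the file paths and the 32-character minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Keycloak.
# Assumed names: valid_secret, write_client_json, KC_CLIENT_SECRET.
# The 32-character minimum is this example's choice, not a Keycloak rule.

# Accept only secrets made of characters that need no JSON escaping.
valid_secret() {
    case "$1" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -ge 32 ]
}

# write_client_json CLIENT_ID OUTFILE
# Reads the secret from $KC_CLIENT_SECRET so it never shows up in a
# process argument list, and writes OUTFILE readable by its owner only.
write_client_json() {
    client_id=$1
    outfile=$2
    valid_secret "${KC_CLIENT_SECRET:-}" || { echo "bad or missing secret" >&2; return 1; }
    case "$client_id" in
        ''|*[!A-Za-z0-9._-]*) echo "bad client id" >&2; return 1 ;;
    esac
    rm -f -- "$outfile"      # a pre-existing file would keep its old mode
    (
        umask 077            # new file is created with mode 0600
        cat > "$outfile" <<EOF
{
  "clientId": "$client_id",
  "enabled": true,
  "publicClient": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "$KC_CLIENT_SECRET"
}
EOF
    )
}

# Provisioning step, using the command from the thread (paths are placeholders):
#   write_client_json my-app /run/kc/my-app.json &&
#   /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f /run/kc/my-app.json -i
#   rm -f /run/kc/my-app.json
```

Removing the rendered file once kcadm.sh has run keeps the secret from lingering in the container's filesystem.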

