[keycloak-user] How to create a 'provisioning only' user in Keycloak?

Thomas Darimont thomas.darimont at googlemail.com
Mon Dec 10 05:18:30 EST 2018


Hi Stian,

Thanks for the quick response but that's not exactly what I want to do.

I know how to add a keycloak user via add-user-keycloak.sh, what I don't
know is how to ensure that this user can only be used for provisioning
operations via kcadm.sh and is NOT able to use the admin-console.

Background is:
- I want to secure the keycloak admin user with an additional OTP token.
  This works fine for the admin-console but then I cannot use kcadm.sh
  anymore with that user, because of the additional token.
- I now want to create a dedicated technical user for provisioning
  operations that cannot login to the admin-console.

Cheers,
Thomas

On Mon, 10 Dec 2018 at 11:00, Stian Thorgersen <
sthorger at redhat.com> wrote:

> If you want this before startup you can use the add-user-keycloak.sh
> script with "--roles". If you want it at runtime then kcadm.sh is your
> friend, should be examples in the docs on how to do that one.
>
> On Mon, 10 Dec 2018 at 10:52, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> Hello Keycloak-Users,
>>
>> I'd like to create users solely for Keycloak instance provisioning
>> operations (e.g. via kcadm.sh), which should not be able to log in via the
>> admin-console.
>>
>> Does anyone know a way to do this?
>>
>> Cheers,
>> Thomas

