[keycloak-user] How to create a 'provisioning only' user in Keycloak?

Stian Thorgersen sthorger at redhat.com
Tue Dec 11 02:53:05 EST 2018


If I remember correctly kcadm supports client credentials grant.
So you can use a service account instead of a regular user and use JWT
based auth or mutual SSL. Even client-id/secret would work as service
accounts can't log in to admin console, but they can use admin endpoints.

On Mon, 10 Dec 2018 at 11:18, Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Hi Stian,
>
> Thanks for the quick response but that's not exactly what I want to do.
>
> I know how to add a keycloak user via add-user-keycloak.sh, what I don't
> know is how to ensure
> that this user can only be used for provisioning operations via kcadm.sh
> and is NOT able to use the admin-console.
>
> Background is:
> - I want to secure the keycloak admin user with an additional OTP token.
> This works fine for the admin-console but then I
>   cannot use kcadm.sh anymore with that user, because of the additional
> token.
> - I now want to create a dedicated technical user for provisioning
> operations that cannot login to the admin-console.
>
> Cheers,
> Thomas
>
> Am Mo., 10. Dez. 2018 um 11:00 Uhr schrieb Stian Thorgersen <
> sthorger at redhat.com>:
>
>> If you want this before startup you can use the add-user-keycloak.sh
>> script with "--roles". If you want it at runtime then kcadm.sh is your
>> friend, should be examples in the docs on how to do that one.
>>
>> On Mon, 10 Dec 2018 at 10:52, Thomas Darimont <
>> thomas.darimont at googlemail.com> wrote:
>>
>>> Hello Keycloak-Users,
>>>
>>> I'd like to create users solely for Keycloak instance provisioning
>>> operations (e.g. via kcadm.sh), which should not be able to log in via the
>>> admin-console.
>>>
>>> Does anyone know a way to do this?
>>>
>>> Cheers,
>>> Thomas
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>


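Stian's suggestion above, worked through end to end as an added example (this is not code from the thread or from the Keycloak project). It assumes a Keycloak server at KC_URL (default http://localhost:8080/auth), a confidential client named "provisioner" in the master realm, and that manage-users, manage-clients and view-realm from the realm-management client are enough for the provisioning job; all three are assumptions you should adjust. The one-off bootstrap login still needs a human admin without OTP (kcadm.sh has no OTP prompt), so run it before enabling OTP on that account, or create the client from the admin console instead. After that, jobs authenticate with the client credentials grant only, and the service-account user cannot log in to the admin console.

```shell
#!/usr/bin/env bash
# Added example: create a 'provisioning only' service account for kcadm.sh.
# Assumptions (not from the thread): Keycloak at $KC_URL, a confidential client
# called "provisioner" in the master realm, and the realm-management roles in
# $PROVISIONER_ROLES as the minimum the provisioning job needs.
set -eu

KCADM="${KCADM:-kcadm.sh}"                    # path to kcadm.sh (overridable)
KC_URL="${KC_URL:-http://localhost:8080/auth}"
KC_REALM="${KC_REALM:-master}"
CLIENT_ID="${CLIENT_ID:-provisioner}"
# Keep the grant narrow: individual realm-management roles, not realm-admin.
PROVISIONER_ROLES="${PROVISIONER_ROLES:-manage-users manage-clients view-realm}"

# Step 0 (one-off bootstrap): log in as a human admin. kcadm.sh cannot answer
# an OTP challenge, so this must happen before OTP is enforced on that user.
kc_bootstrap_login() {
  "$KCADM" config credentials --server "$KC_URL" --realm "$KC_REALM" \
    --user "${KC_ADMIN_USER:-admin}" \
    --password "${KC_ADMIN_PASSWORD:?set KC_ADMIN_PASSWORD in the environment}"
}

# Step 1: create a confidential client with service accounts enabled and every
# browser/password flow switched off. Prints the client's internal id (-i).
kc_create_provisioner_client() {
  secret="$1"
  "$KCADM" create clients -r "$KC_REALM" -i \
    -s "clientId=$CLIENT_ID" \
    -s publicClient=false \
    -s serviceAccountsEnabled=true \
    -s standardFlowEnabled=false \
    -s implicitFlowEnabled=false \
    -s directAccessGrantsEnabled=false \
    -s "secret=$secret"
}

# Step 2: grant the service-account user (Keycloak names it
# service-account-<clientId>) only the realm-management roles it needs.
kc_grant_provisioner_roles() {
  for role in $PROVISIONER_ROLES; do
    "$KCADM" add-roles -r "$KC_REALM" \
      --uusername "service-account-$CLIENT_ID" \
      --cclientid realm-management --rolename "$role"
  done
}

# Step 3: provisioning jobs now use the client credentials grant; no human
# user, no password, no OTP involved.
kc_login_as_provisioner() {
  secret="$1"
  "$KCADM" config credentials --server "$KC_URL" --realm "$KC_REALM" \
    --client "$CLIENT_ID" --secret "$secret"
}

main() {
  secret="$(openssl rand -hex 32)"   # generated here; store it in a secret manager
  kc_bootstrap_login
  kc_create_provisioner_client "$secret" >/dev/null
  kc_grant_provisioner_roles
  kc_login_as_provisioner "$secret"
  # Smoke test with the new identity: an admin endpoint the roles above allow.
  "$KCADM" get users -r "$KC_REALM" --fields username
}

# Only talk to a real server when invoked as: ./provision.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Two caveats: kcadm.sh config credentials writes the obtained tokens to ~/.keycloak/kcadm.config by default, so give each job its own file with the global --config option rather than sharing the admin's; and if you later want the JWT or mutual TLS client authentication Stian mentions instead of a shared secret, the same "config credentials" subcommand is where those options live (see kcadm.sh config credentials --help for your version).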