[keycloak-user] Creating a Keycloak Admin Client without a Password

Chris Smith chris.smith at cmfirstgroup.com
Thu Sep 19 13:28:56 EDT 2019


Use case

  *   The realm is federated with Active Directory
  *   An end user creates himself or herself using the standard out-of-the-box KC self-service support
  *   The only app they access is a web app for completing their registration.
  *   This web app server (Tomcat) is running as an Active Directory Domain Admin.
  *   This Active Directory Domain Admin is also a Realm Admin in Keycloak
  *   All the info needed about the end user to complete their registration is available as OIDC claims and values entered by the user in the web app
  *   The web app uses the Keycloak Admin Client to complete the user setup.
  *   The Keycloak Admin Client is currently instantiated with an embedded user ID and password for the Realm Admin

I really do not like having the AD Domain Admin user and password embedded in the web app.

The same AD Admin user is configured into the KC AD LDAP/Kerberos federation with a Kerberos keytab file.
Can the Keycloak Admin Client be instantiated from the AD Domain Admin running the Web App?

Do any AD experts have a recommendation about the minimum AD admin rights needed for the AD user running the web app server and the AD LDAP/Kerberos federation?
