Hello Group,
What's the current best practice to manage users in multiple realms via the keycloak-admin-client?
A simple variant is to create a dedicated confidential client "internal-realm-admin" in the master realm with only "direct access grants: on" and "service accounts enabled: on" and "standard flow enabled: off".
Given that Keycloak contains two other realms "tenant1" and "tenant2" besides master, we want to enable the service account for "internal-realm-admin" to manage users (CRUD) for those realms only.
Now this service client gets the following service-account client roles:
* "tenant1-realm": "manage-users" and "view-clients" (to list the applications)
* "tenant2-realm": "manage-users" and "view-clients" (to list the applications)
Now one can use this single client in a centralized service to manage both realms with a keycloak-admin-client constructed like this:
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

// Token is obtained from the master realm via the confidential client's
// service account (client_credentials grant); no user login is involved.
Keycloak keycloak = KeycloakBuilder.builder()
    .realm("master")
    .serverUrl("http://192.168.99.1:8080/auth")
    .clientId("internal-realm-manager")
    .clientSecret("SECRET")
    .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
    .build();
To manage users in tenant1 one can now do something like this:
keycloak.realm("tenant1").users().create(userRepresentation)
and for tenant2 ...
keycloak.realm("tenant2").users().create(userRepresentation)
Some advantages:
+ one can globally manage users via a single centralized client
+ you can quickly generate a new secret for this single service
+ you don't need a dedicated user to manage other users
Some disadvantages:
- in certain environments this can be seen as an overly privileged user / client
- user management operations are performed with the client service account and not a "real" user
I think with this approach one is quite flexible and still has the possibility to create a dedicated (tenant) realm admin user / client and exclude it from the "internal-realm-admin" for tenants who need explicit control over their user management.
Thoughts?
Cheers,
Thomas
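As an added example (not code from Thomas's post or from the Keycloak project), the following wrapper confines the shared master-realm service account to an explicit allow-list of tenant realms, so a bug or an untrusted tenant name cannot point it at "master" or at a realm the service was never meant to manage, and it maps the create call's HTTP status to a clear outcome. The class and method names, the server URL placeholder and the client id "internal-realm-admin" from the post are assumptions; the keycloak-admin-client calls are the ones the post already uses plus CreatedResponseUtil.

```java
import java.util.Set;
import javax.ws.rs.core.Response;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.UserRepresentation;

/** Hypothetical wrapper: one master-realm service account, many tenant realms. */
public class TenantUserAdmin {
    // Allow-list of realms the shared service account may touch. Anything not
    // listed (including "master") is rejected before any request reaches Keycloak.
    private static final Set<String> TENANT_REALMS = Set.of("tenant1", "tenant2");

    private final Keycloak keycloak;

    public TenantUserAdmin(String serverUrl, String clientSecret) {
        this.keycloak = KeycloakBuilder.builder()
            .serverUrl(serverUrl)                  // e.g. "http://keycloak.example:8080/auth" (placeholder)
            .realm("master")                       // token is issued by the master realm ...
            .clientId("internal-realm-admin")      // ... to the confidential client's service account
            .clientSecret(clientSecret)
            .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
            .build();
    }

    /** Creates an enabled user in an allow-listed tenant realm and returns the new user's id. */
    public String createUser(String realm, String username, String email) {
        if (!TENANT_REALMS.contains(realm)) {
            throw new IllegalArgumentException("realm not managed by this service: " + realm);
        }
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEmail(email);
        user.setEnabled(true);

        Response response = keycloak.realm(realm).users().create(user);
        try {
            switch (response.getStatus()) {
                case 201: return CreatedResponseUtil.getCreatedId(response);   // Location header -> id
                case 409: throw new IllegalStateException("user already exists in realm " + realm);
                case 403: throw new IllegalStateException(
                              "service account lacks manage-users on " + realm + "-realm");
                default:  throw new IllegalStateException("unexpected HTTP " + response.getStatus());
            }
        } finally {
            response.close();   // release the HTTP connection whatever the outcome
        }
    }
}
```

A 403 here is the quickest way to notice that a tenant was added to the allow-list without the matching "manage-users" client role on its "<realm>-realm" client in master.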