If I don't remember incorrectly kcadmin supports client credentials grant.
So you can use a service account instead of a regular user and use JWT
based auth or mutual SSL. Even client-id/secret would work as service
accounts can't login to admin console, but they can use admin endpoints.
On Mon, 10 Dec 2018 at 11:18, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
Hi Stian,
Thanks for the quick response but that's not exactly what I want to do.
I know how to add a keycloak user via add-user-keycloak.sh, what I don't know is how to ensure that this user can only be used for provisioning operations via kcadm.sh and is NOT able to use the admin-console.
Background is:
- I want to secure the keycloak admin user with an additional OTP token. This works fine for the admin-console but then I cannot use kcadm.sh anymore with that user, because of the additional token.
- I now want to create a dedicated technical user for provisioning operations that cannot log in to the admin-console.
Cheers,
Thomas
On Mon, 10 Dec 2018 at 11:00, Stian Thorgersen <
sthorger(a)redhat.com>:
> If you want this before startup you can use the add-user-keycloak.sh
> script with "--roles". If you want it at runtime then kcadm.sh is your
> friend, should be examples in the docs on how to do that one.
>
> On Mon, 10 Dec 2018 at 10:52, Thomas Darimont <
> thomas.darimont(a)googlemail.com> wrote:
>
>> Hello Keycloak-Users,
>>
>> I'd like to create users solely for Keycloak instance provisioning
>> operations (e.g. via kcadm.sh), which should not be able to log in via the
>> admin-console.
>>
>> Does anyone know a way to do this?
>>
>> Cheers,
>> Thomas
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
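The approach Stian suggests (a dedicated client with a service account, authenticated to kcadm.sh with the client credentials grant) as a worked example. This is an added script, not code from the thread or from the Keycloak project; it assumes kcadm.sh is on PATH (or given via `KCADM`), a Keycloak server at `KEYCLOAK_URL`, and uses a hypothetical client name `provisioning-cli`. Steps 1 and 2 run in an existing kcadm.sh session of a human admin (the OTP-protected one, logged in interactively once); step 3 then switches kcadm.sh to the service account, which has no password and therefore cannot be used to log in to the admin console. Roles are granted as client roles of the `master-realm` client (for another realm, the corresponding `<realm>-realm` client) rather than the blanket `admin` realm role, so the automation identity gets only what provisioning needs. With `DRY_RUN=1` the script prints the kcadm.sh commands instead of running them, which is also how the script can be checked without a server.

```shell
#!/bin/sh
# Added example (not from the thread): provision a dedicated service-account
# client for kcadm.sh so that no human admin account is shared with automation.
set -eu

KCADM="${KCADM:-kcadm.sh}"                              # assumed: kcadm.sh on PATH
SERVER="${KEYCLOAK_URL:-http://localhost:8080/auth}"    # assumed server URL
CLIENT_ID="${PROVISIONING_CLIENT:-provisioning-cli}"    # hypothetical client name

# Wrapper around kcadm.sh: with DRY_RUN=1 print the command instead of running it.
run_kcadm() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s %s\n' "$KCADM" "$*"
  else
    "$KCADM" "$@"
  fi
}

# Keycloak names the user backing a service account "service-account-<clientId>".
service_account_user() {
  printf 'service-account-%s\n' "$1"
}

# Step 1: create a confidential client with a service account and every
# browser/password flow disabled, so the client can only obtain tokens by
# presenting its own credentials.
create_provisioning_client() {
  client_id=$1; secret=$2
  run_kcadm create clients -r master \
    -s "clientId=$client_id" \
    -s publicClient=false \
    -s serviceAccountsEnabled=true \
    -s standardFlowEnabled=false \
    -s implicitFlowEnabled=false \
    -s directAccessGrantsEnabled=false \
    -s clientAuthenticatorType=client-secret \
    -s "secret=$secret"
}

# Step 2: grant the service-account user only the admin roles the automation
# needs, as client roles of "master-realm" (use "<realm>-realm" for another realm).
grant_provisioning_roles() {
  client_id=$1; shift
  for role in "$@"; do
    run_kcadm add-roles -r master \
      --uusername "$(service_account_user "$client_id")" \
      --cclientid master-realm \
      --rolename "$role"
  done
}

# Step 3: point kcadm.sh at the service account via the client credentials
# grant; no user password and no OTP are involved.
login_as_service_account() {
  client_id=$1; secret=$2
  run_kcadm config credentials --server "$SERVER" --realm master \
    --client "$client_id" --secret "$secret"
}

# Run the whole procedure only when a secret is supplied, so the file can be
# sourced for its functions (or dry-run) without touching a server.
if [ -n "${PROVISIONING_SECRET:-}" ]; then
  create_provisioning_client "$CLIENT_ID" "$PROVISIONING_SECRET"
  grant_provisioning_roles "$CLIENT_ID" manage-users view-realm
  login_as_service_account "$CLIENT_ID" "$PROVISIONING_SECRET"
  # Smoke test of the new session: query the service-account user itself.
  run_kcadm get users -r master -q "username=$(service_account_user "$CLIENT_ID")"
fi
```

Usage: `PROVISIONING_SECRET='...' ./provision-cli.sh` from a shell where kcadm.sh is already logged in as an admin; `DRY_RUN=1 PROVISIONING_SECRET=x ./provision-cli.sh` to review the commands first. Once step 3 has run, the human admin account keeps its OTP requirement and the automation uses the service account only, which is exactly the separation asked for in the thread.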