Hi!
Thanks for the response.
Re what I'd like to achieve: I'd like to give some people a
Client/ClientSecret pair so they could use my Keycloak instance. Since this
instance gets recreated using a config management utility very often (e.g. 5
times a day), I need functionality to be able to specify the ClientSecret
when "provisioning" the Keycloak instance.
So for my needs - export-import is not a good solution - since my server is
started using standalone.sh script as PID=1 inside docker container. Also
it would be hard to execute Export in my case, since docker container
shutdown is also done by config management system - and I'd need to start
standalone.sh again with export set. BTW: when export/import is involved by
migration.action - it seems strange that main server thread is also
starting.
So I've read
In the above documents the process of e.g. defining new Clients is described.
But it does not answer my question at all.
So maybe once again my question: >>> Is specifying the 'secret' parameter in
the JSON when creating a new Client using e.g. "kcadm.sh create clients -r
REALM_NAME -f JSON_FILE.json -i" a proper and supported way of passing the
ClientSecret value to a newly created Client? <<<
AdamLis;
2017-06-20 16:17 GMT+02:00 Marko Strukelj <mstrukel(a)redhat.com>:
You can find documentation for kcadm.sh at:
https://keycloak.gitbooks.io/documentation/server_admin/topics/admin-cli.html
Maybe for your use case you might also want to use kcreg.sh, documentation
for which you can find at:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/client-registration/client-registration-cli.html
kcreg.sh is meant for use by application developers to self-provision
clients in order to integrate their apps with a Keycloak Server.
There is also a boot time import functionality which you can use to import
the whole realm:
https://keycloak.gitbooks.io/documentation/server_admin/topics/export-import.html
As to your question whether you can base realm / client creation on
Keycloak's export / import functionality or CLI tools the answer is - yes,
that's the idea. If you can't achieve something basic and obvious then the
tools have to be improved.
If you can be more specific what you are trying to achieve and what
exactly you do, then I can give you more specific advice.
Also, if you can be more specific what you were not able to find in the
documentation, we can add it or make it easier to find.
On Tue, Jun 20, 2017 at 2:24 PM, Adam Lis <adam.lis(a)gmail.com> wrote:
> Hi!
>
> I've tried to search for this information in documentation, but not
> succeeded.
>
> Let's assume I'm using keycloak docker container.
>
> Inside running instance I'm willing to add new Client like this:
>
> /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f
> FILE_CONTAINING_DEFINITION.json -i
>
> So I'm getting actual contents of JSON file for example by exporting
> existing Client (since I see no example in documentation as well)
>
> But in the export software is not setting 'secret' value in case
> 'clientAuthenticatorType' is set to 'client-secret'.
>
> I've anyway tried to add 'secret' field to JSON and it has been accepted
> by Keycloak - so Keycloak has created Client with ClientSecret value
> passed by JSON file in field named 'secret'.
>
> My question and concern is: does this functionality (setting desired
> ClientSecret on Client creation from JSON) work intended way? Can I base
> my whole Realm/Client creation solution on that functionality?
>
> A little background: I'm willing to run Keycloak deployment with docker
> container as part of configuration management - so I'm storing Realm and
> Client data in outside storage and I'm willing to pass these configuration
> pieces into newly started Keycloak inside docker container.
>
> Thanks;
> AdamLis;
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
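
The provisioning step discussed in this thread, as an added example that is not part of the original messages or Keycloak's own code: it writes a client definition carrying the 'secret' field into an owner-only file and passes it to the kcadm.sh command quoted above. The function names, the KCADM override variable, the 32-character minimum and any sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): provision a confidential client
# whose secret is supplied by configuration management.

# write_client_json CLIENT_ID SECRET OUTFILE  (hypothetical helper)
write_client_json() {
    cid=$1; secret=$2; out=$3
    # Accept only characters that need no JSON escaping, so the values
    # cannot break out of the string they are placed in.
    case $cid in ''|*[!A-Za-z0-9._-]*) echo "bad client id" >&2; return 1 ;; esac
    case $secret in *[!A-Za-z0-9._~-]*) echo "bad secret charset" >&2; return 1 ;; esac
    # Assumed policy: refuse short secrets (empty ones are caught here too).
    [ "${#secret}" -ge 32 ] || { echo "secret shorter than 32 chars" >&2; return 1; }
    # The file holds a credential: create it readable by the owner only.
    ( umask 077
      cat > "$out" <<EOF
{
  "clientId": "$cid",
  "enabled": true,
  "publicClient": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "$secret"
}
EOF
    ) || return 1
    chmod 600 "$out"   # also covers a pre-existing file with wider permissions
}

# provision_client REALM CLIENT_ID SECRET  (hypothetical helper)
# Expects an already authenticated kcadm.sh session. The secret travels
# through the -f file, not through kcadm.sh's command-line arguments.
provision_client() {
    tmp=$(mktemp) || return 1
    rc=0
    { write_client_json "$2" "$3" "$tmp" &&
      "${KCADM:-/opt/jboss/keycloak/bin/kcadm.sh}" create clients -r "$1" -f "$tmp" -i
    } || rc=$?
    rm -f "$tmp"       # do not leave the secret on disk after provisioning
    return "$rc"
}
```
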