Hello,

I'm trying to design a keycloak-based system that will have the following characteristics:

* A single realm R will exist with a big set of users.
* Users will be able to install instances of software X that consists of four (4) applications protected by keycloak.
* Each application in any instance of X will have a corresponding Keycloak Client entity containing a set of application-level roles. Thus, having the appropriate role, a user of R can selectively be granted access to any application of any instance of X.
* The addition of a new instance of X to the keycloak realm (the creation of the Clients, client roles etc.) is called 'registration' and will be done using the Keycloak Admin REST API.

What's the best practice to achieve automatic registration of a new instance to the realm?

I've considered the following:

a. Have the instance applications *directly* consume the Keycloak Admin REST API and create Clients and Client roles. As far as I investigated, users of the instance will need to have an R:realm-management:manage-clients role in order to do that (create-client didn't work). This seems a pretty permissive role to give to any user in R.

b. Have a separate keycloak-protected application that won't be part of X to do the important work of 'registration'. It will work as a proxy. The application will act on behalf of an administrator user with a powerful role like R:realm-management:realm-admin. The application will define its own set of roles and HTTP API for instance registration. All users will have to go through it to register their instance, but they won't need to be granted dangerous roles to do it.

Any suggestion will be more than welcome.

Thanks

Orestis
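The registration proxy of option (b), sketched as an added example that is not part of the original post and not Keycloak project code. It assumes the proxy itself is a confidential client (`instance-registrar`, hypothetical) whose service-account user holds `realm-management:manage-clients`, obtained via the client-credentials grant, rather than a human admin's `realm-admin` credentials; the proxy enforces its own `instance-registrar` role on the caller before touching the Admin REST API. The Keycloak URL, the four application names, the per-application role names and the redirect-URI hosting scheme are placeholders. The real endpoints used are `POST /admin/realms/{realm}/clients` (201 with the new internal id in `Location`), `GET /admin/realms/{realm}/clients?clientId=...` and `POST /admin/realms/{realm}/clients/{id}/roles`; `FakeHttp` is a constructed in-memory stand-in so the example runs offline, and a `requests.Session` takes its place in production.

```python
"""Instance registration proxy for Keycloak (illustrative, not the poster's code)."""
import re
import uuid

KEYCLOAK_URL = "https://keycloak.example.com"      # hypothetical
REALM = "R"
PROXY_CLIENT_ID = "instance-registrar"             # hypothetical confidential client with a service account
APPS = ["app-a", "app-b", "app-c", "app-d"]        # hypothetical names of the four applications of X
APP_ROLES = ["viewer", "editor", "admin"]          # hypothetical application-level roles
INSTANCE_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{2,31}$")  # keeps clientIds predictable


def token_request(client_secret):
    """URL and form body of the client-credentials grant the proxy uses to get an admin token."""
    return (f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect/token",
            {"grant_type": "client_credentials", "client_id": PROXY_CLIENT_ID,
             "client_secret": client_secret})


def client_representation(instance_id, app):
    """Keycloak ClientRepresentation for one application of one instance of X."""
    return {"clientId": f"x-{instance_id}-{app}", "name": f"X {instance_id} / {app}",
            "enabled": True, "publicClient": False, "standardFlowEnabled": True,
            "directAccessGrantsEnabled": False,
            "redirectUris": [f"https://{instance_id}.example.com/{app}/*"]}  # hypothetical scheme


class AdminApi:
    """The three Admin REST calls the registrar needs. `http` is requests-like (post/get)."""
    def __init__(self, http, token):
        self.http, self.headers = http, {"Authorization": f"Bearer {token}"}
        self.base = f"{KEYCLOAK_URL}/admin/realms/{REALM}"

    def find_client(self, client_id):
        r = self.http.get(f"{self.base}/clients", params={"clientId": client_id}, headers=self.headers)
        r.raise_for_status()
        return r.json()[0] if r.json() else None

    def create_client(self, rep):
        r = self.http.post(f"{self.base}/clients", json=rep, headers=self.headers)
        r.raise_for_status()
        return r.headers["Location"].rsplit("/", 1)[1]      # internal id of the new client

    def create_role(self, client_uuid, name):
        r = self.http.post(f"{self.base}/clients/{client_uuid}/roles",
                           json={"name": name}, headers=self.headers)
        r.raise_for_status()


def register_instance(api, caller_roles, instance_id):
    """Create the four clients and their roles; returns {clientId: internal id}.
    `caller_roles` are the proxy's own roles for the calling user, checked before any admin call."""
    if "instance-registrar" not in caller_roles:
        raise PermissionError("caller is not allowed to register instances")
    if not INSTANCE_ID_RE.match(instance_id):
        raise ValueError("instance id must be 3-32 chars of [a-z0-9-]")
    created = {}
    for app in APPS:
        rep = client_representation(instance_id, app)
        existing = api.find_client(rep["clientId"])
        if existing:                                   # idempotent re-run keeps what exists
            created[rep["clientId"]] = existing["id"]
            continue
        client_uuid = api.create_client(rep)
        for role in APP_ROLES:
            api.create_role(client_uuid, role)
        created[rep["clientId"]] = client_uuid
    return created


class _Resp:
    def __init__(self, status, body=None, headers=None):
        self.status_code, self._body, self.headers = status, body, headers or {}
    def json(self): return self._body
    def raise_for_status(self):
        if self.status_code >= 400: raise RuntimeError(f"HTTP {self.status_code}")


class FakeHttp:
    """Constructed in-memory stand-in for the Admin REST API (offline runs only)."""
    def __init__(self):
        self.clients, self.roles = {}, {}               # internal id -> representation / role names

    def get(self, url, params=None, headers=None):
        if not headers or "Authorization" not in headers: return _Resp(401)
        hits = [dict(rep, id=i) for i, rep in self.clients.items() if rep["clientId"] == params["clientId"]]
        return _Resp(200, hits)

    def post(self, url, json=None, headers=None):
        if not headers or "Authorization" not in headers: return _Resp(401)
        if url.endswith("/clients"):
            cid = str(uuid.uuid4())
            self.clients[cid], self.roles[cid] = json, []
            return _Resp(201, headers={"Location": f"{url}/{cid}"})
        self.roles[url.rsplit("/", 2)[1]].append(json["name"])  # .../clients/{id}/roles
        return _Resp(201)


if __name__ == "__main__":
    api = AdminApi(FakeHttp(), "demo-token")
    print(register_instance(api, {"instance-registrar"}, "acme-01"))
```

With a real server, replace `FakeHttp()` with a `requests.Session` and obtain the token by posting the pair returned by `token_request(secret)`; the service-account user of `instance-registrar` is what carries `manage-clients`, so no end user of R ever holds a realm-management role.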