3:41 a.m.
Hello Keycloak-Users,
I'd like to create users solely for Keycloak instance provisioning
operations (e.g. via kcadm.sh), which should not able to login via the
admin-console.
Does anyone know a way to do this?
Cheers,
Thomas
4 a.m.
If you want this before startup you can use the add-user-keycloak.sh script
with "--roles". If you want it at runtime then kcadm.sh is your friend,
should be examples in the docs on how to do that one.
On Mon, 10 Dec 2018 at 10:52, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
Hello Keycloak-Users,
I'd like to create users solely for Keycloak instance provisioning
operations (e.g. via kcadm.sh), which should not able to login via the
admin-console.
Does anyone know a way to do this?
Cheers,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:18 a.m.
Hi Stian,
Thanks for the quick response but that's not exactly what I want to do.
I know how to add a keycloak user via add-user-keycloak.sh, what I don't
know is how to ensure
that this user can only be used for provisioning operations via kcadm.sh
and is NOT able to use the admin-console.
Background is:
- I want to secure the keycloak admin user with an additional OTP token.
This works fine for the admin-console but then I
cannot use kcadm.sh anymore with that user, because of the additional
token.
- I now want to create a dedicated technical user for provisioning
operations that cannot login to the admin-console.
Cheers,
Thomas
Am Mo., 10. Dez. 2018 um 11:00 Uhr schrieb Stian Thorgersen <
sthorger(a)redhat.com>:
If you want this before startup you can use the add-user-keycloak.sh
script with "--roles". If you want it at runtime then kcadm.sh is your
friend, should be examples in the docs on how to do that one.
On Mon, 10 Dec 2018 at 10:52, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Hello Keycloak-Users,
>
> I'd like to create users solely for Keycloak instance provisioning
> operations (e.g. via kcadm.sh), which should not able to login via the
> admin-console.
>
> Does anyone know a way to do this?
>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
1:53 a.m.
If I don't remember incorrectly kcadmin supports client credentials grant.
So you can use a service account instead of a regular user and use JWT
based auth or mutual SSL. Even client-id/secret would work as service
accounts can't login to admin console, but they can use admin endpoints.
On Mon, 10 Dec 2018 at 11:18, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
Hi Stian,
Thanks for the quick response but that's not exactly what I want to do.
I know how to add a keycloak user via add-user-keycloak.sh, what I don't
know is how to ensure
that this user can only be used for provisioning operations via kcadm.sh
and is NOT able to use the admin-console.
Background is:
- I want to secure the keycloak admin user with an additional OTP token.
This works fine for the admin-console but then I
cannot use kcadm.sh anymore with that user, because of the additional
token.
- I now want to create a dedicated technical user for provisioning
operations that cannot login to the admin-console.
Cheers,
Thomas
Am Mo., 10. Dez. 2018 um 11:00 Uhr schrieb Stian Thorgersen <
sthorger(a)redhat.com>:
> If you want this before startup you can use the add-user-keycloak.sh
> script with "--roles". If you want it at runtime then kcadm.sh is your
> friend, should be examples in the docs on how to do that one.
>
> On Mon, 10 Dec 2018 at 10:52, Thomas Darimont <
> thomas.darimont(a)googlemail.com> wrote:
>
>> Hello Keycloak-Users,
>>
>> I'd like to create users solely for Keycloak instance provisioning
>> operations (e.g. via kcadm.sh), which should not able to login via the
>> admin-console.
>>
>> Does anyone know a way to do this?
>>
>> Cheers,
>> Thomas
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
10:27 p.m.
Hello Thomas,
To authenticate, kcadm uses direct grant and client credentials grant (aka service
account) against the admin-cli client. You can create an admin user and prohibit
interactive login for him only with a one-line JavaScript authenticator inside your
browser flow. This won't affect either of the grant types used by kcadm. A bit hacky,
but should work 100%.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-12-10 at 10:41 +0100, Thomas Darimont wrote:
Hello Keycloak-Users,
I'd like to create users solely for Keycloak instance provisioning
operations (e.g. via kcadm.sh), which should not able to login via the
admin-console.
Does anyone know a way to do this?
Cheers,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2202
days inactive
2203
days old
4 comments
3 participants
participants (3)
-
Dmitry Telegin -
Stian Thorgersen -
Thomas Darimont