https://issues.jboss.org/browse/KEYCLOAK-2522
On 2/22/2016 9:02 AM, Christian Bauer wrote:
Hi
I'm trying to implement a multi-tenant system that should use Keycloak, from its
Docker image. I'd like to use the Keycloak admin API from another container. My first
goal is to create a new client in the master realm for my tenant administration app, then
create realms for each tenant, etc.
To do this I'm using the admin-cli client in the master realm with public direct
grant authentication, and I can get an authentication token with superuser roles for the
admin user.
Next I tried to POST /auth/realms/master/clients/default with a client representation and
the admin-cli bearer token. This is forbidden, because though I have superuser roles, I
don't have the Constants.REALM_MANAGEMENT_CLIENT_ID resource roles required in
ClientRegistrationAuth:177.
I'm not sure I'm doing this right. The console web UI probably has the same roles
if I'm logged in as admin and it's able to create users.
I guess I could step further through the code to find the difference. Other options
I've considered:
- Don't create a new client in the master realm and continue using the admin-cli
client for superuser tasks.
- Adjust the Docker image bootstrap so it exports the initial database, then manipulate
the exported files with some JSON transformer, then import again.
- Hack the themes/Angular frontend of the security-admin-console and use that to
implement my tenant/user administration app.
Thoughts?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
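The 403 described in the message comes down to which roles the bearer token actually carries: superuser realm roles (`realm_access`) are not the same thing as client roles on the realm-management client (`resource_access`), and ClientRegistrationAuth looks for the latter. The following is an added diagnostic, not Keycloak code and not from this thread: it decodes a token you already hold, without verifying it, and reports which realm-management client roles are present or missing. It assumes the standard Keycloak claim layout (`realm_access.roles`, `resource_access.<client>.roles`), that `Constants.REALM_MANAGEMENT_CLIENT_ID` is `realm-management`, and that the relevant roles are the `create-client` / `manage-clients` roles Keycloak defines on that client; the sample tokens are constructed, unsigned `alg=none` tokens for offline demonstration only.

```python
"""Inspect which Keycloak roles a bearer token carries, to explain a 403.

Added example (not Keycloak project code). Assumptions: standard Keycloak
claim layout, realm-management client id "realm-management", and the
"create-client" / "manage-clients" client roles.
"""
import base64
import json

REALM_MANAGEMENT_CLIENT_ID = "realm-management"   # Constants.REALM_MANAGEMENT_CLIENT_ID (assumed)
CLIENT_REGISTRATION_ROLES = ("create-client", "manage-clients")  # assumed role names


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT checking the signature.

    Only for inspecting a token you already hold. Never use this to make an
    authorization decision: the signature is not verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def realm_roles(claims: dict) -> set:
    """Realm-level roles, e.g. the superuser 'admin' role."""
    return set(claims.get("realm_access", {}).get("roles", []))


def client_roles(claims: dict, client_id: str) -> set:
    """Roles granted on one client, e.g. realm-management."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def missing_client_registration_roles(token: str) -> set:
    """Realm-management client roles the token lacks.

    A non-empty result explains a 403 from an endpoint that checks client
    roles, even when realm_roles() shows superuser realm roles.
    """
    have = client_roles(decode_claims(token), REALM_MANAGEMENT_CLIENT_ID)
    return set(CLIENT_REGISTRATION_ROLES) - have


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token for local demonstration only (no real signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample modelled on the message: direct-grant token from admin-cli
# with superuser realm roles but no realm-management client roles.
SAMPLE_ADMIN_CLI_TOKEN = make_unsigned_token({
    "azp": "admin-cli",
    "preferred_username": "admin",
    "realm_access": {"roles": ["admin", "create-realm"]},
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
})

# Constructed sample of a token that does carry the client roles.
SAMPLE_CLIENT_ADMIN_TOKEN = make_unsigned_token({
    "azp": "tenant-admin-app",
    "realm_access": {"roles": []},
    "resource_access": {REALM_MANAGEMENT_CLIENT_ID: {"roles": list(CLIENT_REGISTRATION_ROLES)}},
})


if __name__ == "__main__":
    for name, tok in (("admin-cli", SAMPLE_ADMIN_CLI_TOKEN), ("tenant-admin", SAMPLE_CLIENT_ADMIN_TOKEN)):
        c = decode_claims(tok)
        print(name, "realm roles:", sorted(realm_roles(c)),
              "realm-management roles:", sorted(client_roles(c, REALM_MANAGEMENT_CLIENT_ID)),
              "missing:", sorted(missing_client_registration_roles(tok)))
```

Run it against a real token obtained through the direct grant and the `missing` set shows whether the request is failing on client roles; if it is, the fix is to grant those realm-management client roles to the account (or to use an endpoint whose check matches the roles the token has), not to look for a bug in the token itself.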