[keycloak-user] Create client in master realm with API

Christian Bauer mail at christianbauer.name
Mon Feb 22 09:02:10 EST 2016


Hi

I'm trying to implement a multi-tenant system that should use Keycloak, from its Docker image. I'd like to use the Keycloak admin API from another container. My first goal is to create a new client in the master realm for my tenant administration app, then create realms for each tenant, etc. 

To do this I'm using the admin-cli client in the master realm with public direct grant authentication, and I can get an authentication token with superuser roles for the admin user.

Next I tried to POST /auth/realms/master/clients/default with a client representation and the admin-cli bearer token. This is forbidden, because though I have superuser roles, I don't have the Constants.REALM_MANAGEMENT_CLIENT_ID resource roles required in ClientRegistrationAuth:177.

I'm not sure I'm doing this right. The console web UI probably has the same roles if I'm logged in as admin and it's able to create users.

I guess I could step further through the code to find the difference. Other options I've considered:

- Don't create a new client in the master realm and continue using the admin-cli client for superuser tasks. 

- Adjust the Docker image bootstrap so it exports the initial database, then manipulate the exported files with some JSON transformer, then import again.

- Hack the themes/Angular frontend of the security-admin-console and use it to implement my tenant/user administration app.

Thoughts?
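An added example, not from the original post or the Keycloak project: the same flow the post describes (direct-grant token from `admin-cli` in the master realm, then creating a client), but sent to the admin REST endpoint `/auth/admin/realms/{realm}/clients`, which is the endpoint the admin console itself uses for client creation. The token and admin paths are the standard Keycloak ones with the `/auth` prefix used in the post; the base URL, the environment variable names, the `tenant-admin-app` client id and the redirect URI are assumptions for illustration. Only the Python standard library is used.

```python
"""Added example (not from the original post): obtain an admin bearer token from
Keycloak's master realm via the admin-cli direct grant, then create a client
through the admin REST API.  Base URL, credentials, environment variable names
and the client id are assumptions for illustration."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Standard Keycloak paths (with the /auth context root used in the post).
TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"
ADMIN_CLIENTS_PATH = "/auth/admin/realms/{realm}/clients"


def password_grant_form(username, password, client_id="admin-cli"):
    """Form body for the OAuth2 resource-owner password grant against a public client."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    })


def client_representation(client_id, redirect_uris, public=False):
    """Minimal ClientRepresentation for POST /auth/admin/realms/{realm}/clients.
    Defaults to a confidential client with direct grants disabled: the new
    tenant-admin app should not be able to collect resource-owner passwords."""
    return {
        "clientId": client_id,
        "enabled": True,
        "protocol": "openid-connect",
        "publicClient": public,
        "directAccessGrantsEnabled": False,
        "standardFlowEnabled": True,
        "redirectUris": list(redirect_uris),
    }


def _send(req):
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.headers, resp.read()


def get_admin_token(base_url, realm, username, password):
    """Exchange admin credentials for a bearer token; returns the access_token string."""
    body = password_grant_form(username, password).encode()
    req = urllib.request.Request(
        base_url + TOKEN_PATH.format(realm=realm), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    _, _, raw = _send(req)
    return json.loads(raw)["access_token"]


def create_client(base_url, realm, token, representation):
    """POST the representation; on 201 Keycloak returns the new client's URL in Location."""
    req = urllib.request.Request(
        base_url + ADMIN_CLIENTS_PATH.format(realm=realm),
        data=json.dumps(representation).encode(), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    try:
        _, headers, _ = _send(req)
    except urllib.error.HTTPError as e:
        # 401: token missing/expired; 403: token lacks the management roles for
        # this realm; 409: clientId already exists.  Report the code, never the token.
        raise RuntimeError("create client failed: HTTP %d" % e.code) from None
    return headers.get("Location")


if __name__ == "__main__":
    # Environment variable names and defaults are assumptions for this example.
    base = os.environ.get("KEYCLOAK_URL", "http://localhost:8080")
    user = os.environ.get("KEYCLOAK_ADMIN_USER", "admin")
    password = os.environ["KEYCLOAK_ADMIN_PASSWORD"]  # never hard-code it
    token = get_admin_token(base, "master", user, password)
    rep = client_representation("tenant-admin-app", ["https://tenant-admin.example/*"])
    print("created:", create_client(base, "master", token, rep))
```

Design note: the master admin password should only be needed for this bootstrap step. Once the tenant-admin client exists, giving it a service account with just the realm-management roles it needs in each tenant realm, and authenticating with the client-credentials grant, keeps the superuser token out of the tenant-administration container.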



