[keycloak-user] Design concerns on automated Keycloak Client addition to a realm

Orestis Tsakiridis orestis.tsakiridis at telestax.com
Tue Mar 8 10:03:18 EST 2016

Thanks Stian!

Client Registration service passed under my radar (still on 1.6.1).

I was wondering, Initial Access Tokens seem to be only generated from the
Administration Console. Is there a REST API for that ?

On Fri, Mar 4, 2016 at 12:09 PM, Stian Thorgersen <sthorger at redhat.com>

> For dynamic registration of clients take a look at
> http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html
> On 4 March 2016 at 09:12, Orestis Tsakiridis <
> orestis.tsakiridis at telestax.com> wrote:
>> Hello,
>> I'm trying to design a keycloak-based system that will have the following
>> characteristics:
>> * A single realm R will exist with a big set of users.
>> * Users will be able to install instances of software X that consists of
>> four (4) applications protected by keycloak.
>> * Each application in any instance of X will have a corresponding
>> Keycloak Client entity containing a set of application-level roles. Thus,
>> having the appropriate role,m a user of R can selectively be granted access
>> to any application of any instance of X.
>> * The addition of a new instance of X to the keycloak realm (the creation
>> of the Clients, client roles etc.) is called 'registration' and will be
>> done using the Keycloak Admin REST API.
>> What's the best practice to achieve automatic registration of a new
>> instance to the realm?
>> I've considered the following:
>> a. Have the instance applications *directly* consume keycloak Admin REST
>> API and create Clients and Client roles. As far as i investigated users of
>> the instance will need to have a  R:realm-management:manage-clients role in
>> order to do that (create-client didn't work). This seems a pretty
>> permissive role to give to any user in R.
>> b. Have a separate keycloak-protected application that won't be part of X
>> to do the important work of 'registration'. It will work as a proxy. The
>> application will act on behalf of an administrator user with a powerfull
>> role like R:realm-management:realm-admin. The application will define it's
>> own set of roles and HTTP API for instance registration. All users will
>> have to go through it to register their instance. It will work as a proxy.
>> But they won't need to be granted dangerous roles to do it.
>> Any suggestion will be more than welcome.
>> Thanks
>> Orestis
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/0a1fcec9/attachment.html 

More information about the keycloak-user mailing list