[keycloak-user] Allow Client to Create User in Realm without Granting manage-users Role from realm-management

Josh Harness joshua.k.harness at gmail.com
Thu Feb 1 20:01:11 EST 2018


Hi -

We're wanting to use keycloak as our IdP but aren't fully able to allow
users to register since we need to use an existing application to do this.
I need to be able to allow the legacy application to do the following
within the realm:

* Create user
* Reset user password

I'm wanting to avoid giving the application permissions to assign roles,
etc., that it ought not be able to. Fine grained permissions looked promising
but it appears that approach won't work since there's no fine-grained
'create user' type permission (that I can tell). As such, I'm stuck using
the all powerful 'manage-users' role of the realm-management client.

Any ideas for alternative approaches to explore? Afraid I might be swimming
upstream here and need to just bite off user registration the correct way...

Thanks!

Josh
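Added example (not part of Josh's message, and not code shipped by Keycloak): the Admin REST API exchange the legacy application would make for the two operations in the post, create user and reset password, acting as a confidential client's service account via the client_credentials grant. The host, realm name, client id and secret are hypothetical; the /auth base path is the Keycloak layout of that era; and the client's service-account user is assumed to hold the realm-management manage-users role the post describes. The constructed FakeKeycloak stand-in lets the flow run offline and only mimics the status codes and headers the calls depend on.

```python
import json
from urllib import error, parse, request

# Assumptions (hypothetical, not from the post): Keycloak served under /auth,
# confidential client "legacy-app" with service accounts enabled, whose
# service-account user holds realm-management/manage-users.
BASE_URL = "https://keycloak.example.com/auth"
REALM = "legacy"
CLIENT_ID = "legacy-app"
CLIENT_SECRET = "change-me"

TOKEN_URL = f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/token"
USERS_URL = f"{BASE_URL}/admin/realms/{REALM}/users"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, headers, body bytes)."""
    req = request.Request(url, data=body, method=method, headers=headers)
    try:
        with request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def _auth(token, json_body=False):
    h = {"Authorization": f"Bearer {token}"}
    if json_body:
        h["Content-Type"] = "application/json"
    return h


def service_account_token(transport):
    """client_credentials grant: the app authenticates as itself, not as a user."""
    form = parse.urlencode({"grant_type": "client_credentials",
                            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}).encode()
    status, _, body = transport("POST", TOKEN_URL,
                                {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body[:200]!r}")
    return json.loads(body)["access_token"]


def create_user(transport, token, username, email):
    """POST /admin/realms/{realm}/users; Keycloak answers 201 and puts the new
    user's id in the Location header. The payload carries only identity fields,
    no role mappings, so the app never asks for more than it should."""
    payload = json.dumps({"username": username, "email": email, "enabled": True}).encode()
    status, headers, body = transport("POST", USERS_URL, _auth(token, True), payload)
    if status == 409:
        raise RuntimeError(f"user {username!r} already exists")
    if status != 201:
        raise RuntimeError(f"create user failed: {status} {body[:200]!r}")
    location = headers.get("Location") or headers.get("location")
    return location.rstrip("/").rsplit("/", 1)[-1]


def reset_password(transport, token, user_id, password, temporary=True):
    """PUT .../users/{id}/reset-password with a CredentialRepresentation.
    temporary=True forces a change at next login, so the app never hands the
    user a long-lived password it chose itself."""
    payload = json.dumps({"type": "password", "value": password, "temporary": temporary}).encode()
    status, _, body = transport("PUT", f"{USERS_URL}/{user_id}/reset-password",
                                _auth(token, True), payload)
    if status != 204:
        raise RuntimeError(f"reset password failed: {status} {body[:200]!r}")


def register_user(transport, username, email, password):
    token = service_account_token(transport)
    user_id = create_user(transport, token, username, email)
    reset_password(transport, token, user_id, password, temporary=True)
    return user_id


class FakeKeycloak:
    """Constructed offline stand-in: records calls, checks the bearer token,
    and returns the status codes and Location header the functions above use."""
    def __init__(self):
        self.users, self.passwords, self.calls = {}, {}, []

    def transport(self, method, url, headers, body):
        self.calls.append((method, url))
        if url == TOKEN_URL:
            if parse.parse_qs(body.decode()).get("client_secret") != [CLIENT_SECRET]:
                return 401, {}, b'{"error":"unauthorized_client"}'
            return 200, {}, b'{"access_token":"fake-token","token_type":"bearer"}'
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, {}, b""
        if method == "POST" and url == USERS_URL:
            rep = json.loads(body)
            if any(u["username"] == rep["username"] for u in self.users.values()):
                return 409, {}, b'{"errorMessage":"User exists with same username"}'
            uid = f"user-{len(self.users) + 1}"
            self.users[uid] = rep
            return 201, {"Location": f"{USERS_URL}/{uid}"}, b""
        if method == "PUT" and url.endswith("/reset-password"):
            uid = url.rsplit("/", 2)[-2]
            if uid not in self.users:
                return 404, {}, b""
            cred = json.loads(body)
            self.passwords[uid] = (cred["value"], cred["temporary"])
            return 204, {}, b""
        return 404, {}, b""


if __name__ == "__main__":
    kc = FakeKeycloak()
    print(register_user(kc.transport, "alice", "alice@example.com", "initial-pass"))
```

Against a real server, pass urllib_transport instead of FakeKeycloak().transport. Whatever the service account is granted, the request bodies are the control the app itself has: keeping role fields out of the user representation and always setting temporary=True limits what the legacy application does with the broad role it has to hold.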

