[keycloak-user] Create realm from java admin client with access token vs username+password

Marko Strukelj mstrukel at redhat.com
Fri Mar 9 04:12:43 EST 2018


Sometimes you already have an access token - your Java client may have a
custom login mechanism, for example, that delegates username and password
input in order to retrieve it interactively from the user. In that case the
client doesn't even have to know about the username and password - it only
receives fresh access and refresh tokens, for example. A concrete example is
the Registration Client CLI, which stores the tokens in a private file so it
doesn't need to ask the client for a username and password all the time, and can
just use a still-valid access token / refresh token.

For your case you'll want to create a custom client configuration, protect
it with clientId and client secret (or signed jwt), and enable the service
account for that client.

See: http://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts



On Wed, Mar 7, 2018 at 8:31 PM, Nhut Thai Le <ntle at castortech.com> wrote:

> Hello,
>
> In the admin client I see there is an overloaded method to create a Keycloak
> instance using a token (Keycloak.getInstance(serverUrl, realm, clientId,
> authToken)). Is this considered more secure than using the
> username+password? Since if I'm using the access token in the method above,
> I still need to make another call earlier with the username+password to
> get the token, either way the username+password will be in my code repo.
>
> I think i can create an account in the master realm with role create-realm,
> can I use that as a service account or there is an existing service account
> somewhere in the master realm?
>
> I'm trying to integrate Keycloak into my multitenancy application, where each
> client has his own realm to configure his security. My application needs to
> create the realm when the client registers with my app.
>
> Thai
>
> --
> Castor Technologies Inc
> 460 rue St-Catherine St Ouest, Suite 613
> Montréal, Québec H3B-1A7
> (514) 360-7208 o
> (514) 798-2044 f
> ntle at castortech.com
> www.castortech.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
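The setup Marko describes (a confidential client with the service account enabled, used through the Java admin client with the client_credentials grant instead of a stored username and password), written out as an added example. This code is not from the thread or from the Keycloak project itself. It assumes a confidential client named `tenant-provisioner` in the master realm whose service-account user holds the `create-realm` role, that the client secret is supplied through the `KEYCLOAK_CLIENT_SECRET` environment variable rather than checked into the repository, and a Keycloak admin client from the 2018 era (javax.ws.rs namespace); the server URL and tenant name are placeholders.

```java
import javax.ws.rs.WebApplicationException;

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RealmRepresentation;

/**
 * Provisions one realm per tenant with the Keycloak Java admin client.
 *
 * Assumptions (not taken from the mailing-list thread):
 *  - a confidential client "tenant-provisioner" exists in the master realm
 *    with "Service Accounts Enabled" switched on;
 *  - its service-account user has the "create-realm" role;
 *  - the client secret arrives via the KEYCLOAK_CLIENT_SECRET environment
 *    variable, so no user credential or secret lives in the code base.
 */
public class TenantRealmProvisioner {

    private final Keycloak keycloak;

    /** Authenticate as the service account of a confidential client (client_credentials grant). */
    public static TenantRealmProvisioner withClientCredentials(String serverUrl,
                                                               String clientId,
                                                               String clientSecret) {
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm("master")                             // the provisioning client lives in master
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
        return new TenantRealmProvisioner(kc);
    }

    /**
     * Reuse an access token obtained elsewhere (for example interactively, as
     * Marko describes). This is the overload asked about in the question; the
     * caller never sees a username or password here.
     */
    public static TenantRealmProvisioner withAccessToken(String serverUrl,
                                                         String clientId,
                                                         String accessToken) {
        return new TenantRealmProvisioner(Keycloak.getInstance(serverUrl, "master", clientId, accessToken));
    }

    private TenantRealmProvisioner(Keycloak keycloak) {
        this.keycloak = keycloak;
    }

    /**
     * Create a realm named after the tenant. Returns true when the realm was
     * created and false when it already existed (HTTP 409 from the server);
     * any other error is rethrown.
     */
    public boolean createTenantRealm(String tenantId) {
        RealmRepresentation realm = new RealmRepresentation();
        realm.setRealm(tenantId);
        realm.setDisplayName("Tenant " + tenantId);
        realm.setEnabled(true);
        // Sensible defaults for a freshly provisioned tenant realm
        realm.setBruteForceProtected(true);
        realm.setSslRequired("external");
        try {
            keycloak.realms().create(realm);
            return true;
        } catch (WebApplicationException e) {
            if (e.getResponse() != null && e.getResponse().getStatus() == 409) {
                return false; // realm with this name already exists
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        String secret = System.getenv("KEYCLOAK_CLIENT_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("KEYCLOAK_CLIENT_SECRET is not set");
        }
        // Placeholder server URL and tenant id
        TenantRealmProvisioner provisioner = withClientCredentials(
                "https://sso.example.com/auth", "tenant-provisioner", secret);
        boolean created = provisioner.createTenantRealm("acme");
        System.out.println(created ? "realm created" : "realm already existed");
    }
}
```

The secret still has to be protected at rest (an environment variable injected by the deployment platform, or a secrets store), but rotating it is a client-level operation in Keycloak and it never grants a human login. If even that is unwanted, the same client can be configured for signed-JWT client authentication so only a private key is held by the provisioning service.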

