
Realm Admin via User/Client in Master vs in the realm itself


Björn Eickvonder

Nov 28, 2024, 5:13:39 PM
to Keycloak User
Hi,

as many folks do we configure Keycloak via Config as Code. We initially did this with keycloak-config-cli but now are switching to the terraform module.
The main question from a security perspective that comes up in both cases is what credentials should we use for this CI-Config-As-Code administration.

You can either define a user or use a confidential client for that purpose. All documentation on this topic advises to use the client. But I wonder why this is the preferred approach? Using a client currently has the downside that its client secret is visible to everyone that has at least read access to the realm and the clients while the user password is securely stored as a hash only.

Secondly, you can either define that user/client in the master realm and grant him administrative rights for the realm(s) it should be able to manage or you define that user/client directly in the realm it is supposed to manage. What is the preferred approach here, especially from a security point of view?

Björn

Thomas Darimont

Nov 28, 2024, 5:42:47 PM
to Keycloak User
Hello Björn,

IMHO using a dedicated client with client_credentials grant and proper service account roles for managing the realm configurations is the best way to go. Unfortunately the current version of the terraform provider,
which recently moved to the keycloak org btw., only supports client authentication via client secret, as shown here: https://github.com/keycloak/terraform-provider-keycloak/blob/master/keycloak/keycloak_client.go#L261

To improve security we could also add support for authentication via private key JWT via "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" and a proper client JWT sent as "client_assertion".
We would then configure "private key jwt" as auth method for the client and configure the client certificate in the client JWKS configuration.

Kind regards,
Thomas

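The private key JWT flow Thomas describes, as an added example in Go (not code from the thread, the terraform provider, or Keycloak): the client signs a short-lived assertion with its own key and sends it in place of a client_secret, so the realm only ever holds the public key. The client ID "terraform-admin" and the token endpoint URL are assumed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// Assertion type named in the thread (RFC 7523); Keycloak calls this client auth method "Signed JWT".
const AssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs a short-lived RS256 JWT with the client's private key: iss/sub
// are the client ID, aud is the realm token endpoint, jti lets the server reject replays.
func BuildClientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint string) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand.Read always fills the buffer on current Go releases
	now := time.Now()
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "jti": b64(jti),
		"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix(),
	})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// TokenRequestBody is the form POSTed to the token endpoint; no client_secret is sent, so none is stored in the realm.
func TokenRequestBody(assertion string) string {
	return url.Values{"grant_type": {"client_credentials"},
		"client_assertion_type": {AssertionType}, "client_assertion": {assertion}}.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key for the demo
	jwt, _ := BuildClientAssertion(key, "terraform-admin", "https://keycloak.example/realms/master/protocol/openid-connect/token") // hypothetical names
	fmt.Println(TokenRequestBody(jwt))
}
```

The server-side check is the mirror image: verify the signature against the public key from the client's JWKS, then check aud, exp and that jti has not been seen before.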