Hi,
As many folks do, we configure Keycloak via Config as Code. We initially did this with keycloak-config-cli but are now switching to the Terraform module.
The main question from a security perspective that comes up in both cases is what credentials we should use for this CI Config-as-Code administration.
You can either define a user or use a confidential client for that purpose. All documentation on this topic advises using the client, but I wonder why this is the preferred approach. Using a client currently has the downside that its client secret is visible to everyone who has at least read access to the realm and the clients, while the user password is securely stored as a hash only.
Secondly, you can either define that user/client in the master realm and grant it administrative rights for the realm(s) it should be able to manage, or you define that user/client directly in the realm it is supposed to manage. What is the preferred approach here, especially from a security point of view?
Björn
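For reference, the two credential options from the post side by side in Terraform, as an added example that is not part of the original post and not taken from any project's code: a master-realm admin user authenticating with the password grant (used here only as a bootstrap identity, via a provider alias), and a confidential client living in the managed realm that authenticates with the client-credentials grant and is granted `realm-admin` from that realm's built-in `realm-management` client. The Keycloak URL, the realm name `apps`, the client ID `terraform-ci`, the variable names and the provider source are all assumptions; check the argument names against the version of the Keycloak provider you actually use.

```hcl
terraform {
  required_providers {
    keycloak = {
      # Assumed provider source; the provider has also been published as keycloak/keycloak.
      source = "mrparkers/keycloak"
    }
  }
}

variable "keycloak_url" {
  type = string # e.g. https://sso.example.com (assumed)
}

# Bootstrap admin user credentials; only needed for the first apply.
variable "bootstrap_admin_user" {
  type      = string
  sensitive = true
}

variable "bootstrap_admin_password" {
  type      = string
  sensitive = true
}

# Secret of the per-realm CI client created below, copied into the CI secret
# store after the bootstrap apply and injected as TF_VAR_ci_client_secret.
variable "ci_client_secret" {
  type      = string
  sensitive = true
}

# Option 1 (bootstrap only): a master-realm user via the password grant.
provider "keycloak" {
  alias     = "bootstrap"
  url       = var.keycloak_url
  realm     = "master"
  client_id = "admin-cli"
  username  = var.bootstrap_admin_user
  password  = var.bootstrap_admin_password
}

# Option 2 (steady state): a confidential client defined in the managed realm,
# authenticating with the client-credentials grant. This is the default provider
# that every other resource in the pipeline uses.
provider "keycloak" {
  url           = var.keycloak_url
  realm         = "apps"
  client_id     = "terraform-ci"
  client_secret = var.ci_client_secret
}

resource "keycloak_realm" "apps" {
  provider = keycloak.bootstrap
  realm    = "apps"
  enabled  = true
}

# The CI identity: service account only, no browser login and no password grant.
resource "keycloak_openid_client" "terraform_ci" {
  provider                     = keycloak.bootstrap
  realm_id                     = keycloak_realm.apps.id
  client_id                    = "terraform-ci"
  access_type                  = "CONFIDENTIAL"
  service_accounts_enabled     = true
  standard_flow_enabled        = false
  direct_access_grants_enabled = false
}

# The realm's built-in realm-management client carries the administrative roles
# (realm-admin, manage-clients, view-users, ...).
data "keycloak_openid_client" "realm_management" {
  provider  = keycloak.bootstrap
  realm_id  = keycloak_realm.apps.id
  client_id = "realm-management"
}

# Grant the service account realm-admin for this realm only. A client defined in
# master would instead receive roles from the "apps-realm" client that Keycloak
# creates in the master realm for each managed realm.
resource "keycloak_openid_client_service_account_role" "terraform_ci_realm_admin" {
  provider                = keycloak.bootstrap
  realm_id                = keycloak_realm.apps.id
  service_account_user_id = keycloak_openid_client.terraform_ci.service_account_user_id
  client_id               = data.keycloak_openid_client.realm_management.id
  role                    = "realm-admin"
}
```

The first apply runs with the bootstrap alias and creates the realm, the client and the role mapping; the client secret is then read once (for example from the Keycloak admin console or the client resource's `client_secret` attribute) into the CI secret store, after which the bootstrap user's password can be rotated or the user disabled. Keeping the bootstrap resources on the alias and everything else on the default provider makes it visible in the plan which identity performs which change.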