Imagine building an app that is a client (app-web-manager) in realm R1 and has to manage users in R1 but also in realm R2 (potentially in the future in realms R3, R4...).
This app will internally use the Node.js Admin Client to do so:
https://github.com/keycloak/keycloak/tree/main/js/libs/keycloak-admin-client
The admin client will, in turn, use its own client definition (this way the application that uses the admin client can have its own custom logic for how the admin client is used)...
(Note: when I mention "admin client" I am NOT referring to the KC-provided "admin-cli" ROPC-based client here)
What is the best solution / right approach for app-web-manager using a dedicated admin client:
1. create a confidential client in the "master" realm (app-admin-cli) that will use Client Credentials, and give its service account roles specific to each realm (R1-realm.manage-users, R2-realm.manage-users)
or
2. in each realm, R1 and R2, create a dedicated confidential client (app-r1-admin-cli, app-r2-admin-cli) with Client Credentials, and then add the special "realm-management.manage-users" role to each client's service account.
Option 1 seems more "streamlined" and results in one admin client being used to manage users in multiple realms, while option 2 would require an admin client for each realm, which app-web-manager would need to "switch" between when using the Node.js admin client...
Is option 1 OK to use?
P.S.
We also don't need fine-grained admin permissions - "manage-users" is OK for us...
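Option 1 sketched in code, as an added example that is not part of the original post and not code from the Keycloak project. It assumes a Keycloak instance at `KC_URL`, the confidential client `app-admin-cli` in `master` (as named in the question) with its secret in `KC_SECRET`, and it uses only the `setConfig`, `auth` and `users.create` calls of `@keycloak/keycloak-admin-client`. The admin client instance is injected, so the realm-switching logic also runs offline against the small stub at the bottom; the user names and e-mail addresses are constructed sample data.

```javascript
'use strict';
// Added example (not from the original post or the Keycloak project): option 1,
// one confidential client "app-admin-cli" in the "master" realm whose service
// account holds R1-realm.manage-users and R2-realm.manage-users.
// Assumptions: Keycloak at KC_URL, client secret in KC_SECRET, stub for offline use.

const MASTER_REALM = 'master';
const MANAGED_REALMS = ['R1', 'R2']; // realms named in the question; R3, R4 would go here

// Authenticate once against "master" with client credentials. The service-account
// token carries the per-realm manage-users roles, so no per-realm client is needed.
// Service-account tokens are short-lived: call this again before the token expires.
async function authenticateMaster(kc, clientId, clientSecret) {
  kc.setConfig({ realmName: MASTER_REALM });
  await kc.auth({ grantType: 'client_credentials', clientId, clientSecret });
}

// Run one admin operation against a target realm. setConfig() only changes the
// /admin/realms/<realm> path prefix used by subsequent calls; the bearer token
// obtained from master is reused. The allow-list stops a mistyped or injected
// realm name before a request is sent, instead of relying on Keycloak's 403.
async function inRealm(kc, realm, operation) {
  if (!MANAGED_REALMS.includes(realm)) {
    throw new Error(`realm "${realm}" is not managed by this service`);
  }
  kc.setConfig({ realmName: realm });
  try {
    return await operation(kc);
  } finally {
    kc.setConfig({ realmName: MASTER_REALM });
  }
}

async function createUserIn(kc, realm, username, email) {
  return inRealm(kc, realm, (c) => c.users.create({ username, email, enabled: true }));
}

// Real client, loaded only when KC_URL is set (dynamic import works for the
// package whether it is consumed as ESM or CommonJS).
async function createRealAdminClient() {
  const { default: KcAdminClient } = await import('@keycloak/keycloak-admin-client');
  return new KcAdminClient({ baseUrl: process.env.KC_URL, realmName: MASTER_REALM });
}

// Offline stand-in with the same surface (setConfig / auth / users.create) that
// records which realm each call was sent to and which realm issued the token.
function makeStubAdminClient() {
  const log = [];
  let realm = MASTER_REALM;
  let tokenRealm = null;
  return {
    log,
    setConfig({ realmName }) { realm = realmName; },
    async auth({ grantType, clientId }) {
      tokenRealm = realm;
      log.push(`token ${grantType} ${clientId} @${realm}`);
    },
    users: {
      async create(rep) {
        if (tokenRealm !== MASTER_REALM) throw new Error('no master token');
        log.push(`POST /admin/realms/${realm}/users ${rep.username}`);
        return { id: `${realm}-${rep.username}` };
      },
    },
  };
}

// Creates one user in each managed realm with a single master-realm token.
async function provisionDemoUsers(kc, clientSecret) {
  await authenticateMaster(kc, 'app-admin-cli', clientSecret);
  const r1 = await createUserIn(kc, 'R1', 'alice', 'alice@example.test'); // constructed sample
  const r2 = await createUserIn(kc, 'R2', 'bob', 'bob@example.test');     // constructed sample
  return [r1, r2];
}

if (typeof require === 'function' && typeof module === 'object' && require.main === module) {
  const useReal = Boolean(process.env.KC_URL && process.env.KC_SECRET);
  (useReal ? createRealAdminClient() : Promise.resolve(makeStubAdminClient()))
    .then((kc) => provisionDemoUsers(kc, process.env.KC_SECRET ?? 'stub-secret'))
    .then((ids) => console.log(ids))
    .catch((e) => { console.error(e); process.exit(1); });
}
```

Run with `KC_URL` and `KC_SECRET` set to hit a real server, or without them to exercise the stub. Note what the token obtained in `authenticateMaster` represents: it is issued by `master` and is valid for every realm its service account has `manage-users` on, so a leak of the `app-admin-cli` secret grants user management in R1 and R2 (and any realm added later) at once; with option 2 each secret is confined to its own realm. That is the trade-off behind the "streamlined" feel of option 1.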