user1278890

Reputation: 663

Difference between client-id and id of client in Keycloak

Well, the title speaks for itself. In many places in the Keycloak docs I encountered this statement:

id of client (not client-id)

For now this statement sounds so stupid to me, as I do not understand the difference between client-id and id of the client. Can somebody explain this to me, please?

Upvotes: 9

Views: 8859

Answers (2)

Kevin O.

Reputation: 444

ID of a client (id)

In Keycloak every resource gets a unique id, which is a UUID, including clients. The purpose of the ID is to allow for precise and unambiguous identification of the client within Keycloak. This is necessary because human-readable identifiers like client-id can be changed, but the internal id cannot. The unchangeable, unique id ensures integrity and consistency of references to the client within Keycloak's internal system and database.

Client-ID of a client (client-id)

The client-id (which is human-readable) is crucial for OAuth2/OpenID Connect interactions. This identifier is sent as the client-id parameter in requests to the authorization server (Keycloak in this case). It's used for client identification, and the server uses it to look up the client's settings and other data. The client-id is exposed to users and systems outside of Keycloak, unlike the internal ID.

Contextual Interpretation: In the documentation and in common use, client-id typically refers to the human-readable identifier, while id or "ID of a client" refers to the internal, non-human-friendly UUID. However, as @vladimir-salin mentioned, it's always best to refer to the specific context to ensure correct interpretation. For instance, when using Keycloak's REST API, you'll mostly be using the internal id.

Definition of a "client"

"Clients are entities that can request Keycloak to authenticate a user. Most often, clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. Clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network that are secured by Keycloak." ~ Quote sourced from www.keycloak.org

Conclusion

While both id and client-id serve as identifiers for a client in Keycloak, they serve different purposes and are used in different contexts - the id for internal use by Keycloak and its APIs, and the client-id for external use in OAuth2/OpenID Connect interactions.

Upvotes: 1

Vladimir Salin

Reputation: 3030

When you're creating a new client, you specify its Client ID (or simply the client's name), e.g. "my-super-client". This is supposed to be unique across the realm and is usually used in OAuth calls, e.g. as a client_id in the "Client Credentials" flow (paired with client_secret).

However, when creating a new client, Keycloak issues an internal unique ID like this: 3f7dd007-568f-4f4a-bbac-2e6bfff93860. You may find it in the URL when opening the page of your "my-super-client" in the web interface. This one is supposed to be a unique ID of any resource that Keycloak creates during its lifespan.

Keeping this in mind, I think it'd be clear from the context of documentation which one is "id of client" and which one is "client-id" as you stated in the question. If not, please give a link here.

Upvotes: 8
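Added example, not part of either answer and not Keycloak's own code: it shows which identifier each call takes, and how an Admin REST API lookup by `clientId` yields the internal `id`. The host, realm name and sample response are constructed; paths assume no `/auth` prefix (older deployments have one), and the UUID check assumes Keycloak-generated ids as described in the answers.

```python
import json
import uuid
from urllib.parse import quote, urlencode

BASE = "https://keycloak.example.test"  # assumed host (placeholder)
REALM = "demo"                          # assumed realm name

# Constructed sample of the body returned by
# GET /admin/realms/{realm}/clients?clientId=my-super-client
SAMPLE_CLIENTS = json.dumps([{
    "id": "3f7dd007-568f-4f4a-bbac-2e6bfff93860",  # internal id (value from the answer)
    "clientId": "my-super-client",                 # OAuth client_id
    "enabled": True,
}])


def token_request(client_id, client_secret):
    """OAuth2 client-credentials call: identified by the human-readable client_id."""
    url = f"{BASE}/realms/{quote(REALM)}/protocol/openid-connect/token"
    form = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    return url, form


def lookup_url(client_id):
    """Admin API query that maps a clientId to its ClientRepresentation."""
    return f"{BASE}/admin/realms/{quote(REALM)}/clients?" + urlencode({"clientId": client_id})


def resolve_internal_id(response_body, client_id):
    """Return the internal id for client_id; fail unless exactly one client matches."""
    ids = [c["id"] for c in json.loads(response_body) if c.get("clientId") == client_id]
    if len(ids) != 1:
        raise LookupError(f"expected one client named {client_id!r}, found {len(ids)}")
    return ids[0]


def admin_client_url(internal_id):
    """Admin API path for one client: takes the internal id, never the clientId."""
    try:
        uuid.UUID(internal_id)  # assumption: ids are Keycloak-generated UUIDs
    except ValueError:
        raise ValueError(f"{internal_id!r} looks like a clientId, not an internal id") from None
    return f"{BASE}/admin/realms/{quote(REALM)}/clients/{quote(internal_id)}"


if __name__ == "__main__":
    print(token_request("my-super-client", "<client-secret>")[0])
    internal = resolve_internal_id(SAMPLE_CLIENTS, "my-super-client")
    print(lookup_url("my-super-client"), "->", admin_client_url(internal))
```

Automation that stores the `clientId` and resolves the internal `id` at run time keeps working when a realm is re-created, since a newly created client gets a new internal id.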
