Nick

Reputation: 2034

Grant a Keycloak client service account permissions to create realm users without using the broad manage-users role

I have a web application that is leveraging Keycloak for IdM.

I am using the Resource Owner Password Credentials or Direct Grant flow for authentication which uses REST API calls to /auth/realms/{realm}/protocol/openid-connect/token instead of browser redirects to get the user a JWT.

I would like to implement a similar workflow for signing users up.

Looking at the Keycloak documentation it appears the Keycloak Admin API exposes an endpoint for this at /auth/admin/realms/{realm}/users.

To allow clients to interact with the Keycloak Admin API you have to create a client service account and associate it with a Keycloak role with sufficient privilege to manage realm users.

The expected approach for this seems to be to apply the manage-users realm specific role to the client service account. This is more permissions than I would like to grant to the client.

Is there a way to grant a client service account just the ability to create new users and not the full set of permissions that comes with manage-users?

Upvotes: 8

Views: 6683
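The two calls the question describes, written out as an added example (not code from the question, the answer, or the Keycloak project): a client_credentials token request to /auth/realms/{realm}/protocol/openid-connect/token for the client service account, followed by a POST to /auth/admin/realms/{realm}/users. Because the service account's privilege is only as narrow as the role granted to it, the helper inspects the realm-management roles carried by the returned token and refuses to proceed if anything beyond the intended set (manage-users here) is present, so an over-granted account such as one holding realm-admin is detected before the Admin API is touched. The base URL, realm, client id and secret are placeholders, and the unsigned token builder exists only so the role check can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed placeholder deployment values; replace with your own.
BASE_URL = "https://keycloak.example.com"
REALM = "myrealm"
CLIENT_ID = "signup-service"
CLIENT_SECRET = "replace-me"
# The only realm-management role the sign-up service is expected to hold.
ALLOWED_ROLES = {"manage-users"}


def token_request(base_url, realm, client_id, client_secret):
    """Build the client_credentials request for the service account token."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token",
        data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def decode_jwt_payload(token):
    """Decode the base64url payload segment of a JWT without verifying it.
    Only used to inspect claims on a token just received over TLS from the
    issuer itself; it is not an authentication check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_management_roles(token):
    """Roles listed under resource_access.realm-management.roles, which is
    where Keycloak places realm-management client roles like manage-users."""
    claims = decode_jwt_payload(token)
    rm = claims.get("resource_access", {}).get("realm-management", {})
    return set(rm.get("roles", []))


def excess_roles(token, allowed=ALLOWED_ROLES):
    """Roles the service account holds beyond the intended set. A non-empty
    result means the account was granted more than this application needs."""
    return realm_management_roles(token) - set(allowed)


def create_user_request(base_url, realm, token, username, email, password):
    """Build the Admin API call that creates a realm user."""
    body = {
        "username": username,
        "email": email,
        "enabled": True,
        "credentials": [{"type": "password", "value": password, "temporary": False}],
    }
    return urllib.request.Request(
        f"{base_url}/auth/admin/realms/{realm}/users",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def sign_up(username, email, password, opener=urllib.request.urlopen):
    """Fetch a service-account token, enforce least privilege, create the user.
    Returns the HTTP status and the Location header of the new user."""
    with opener(token_request(BASE_URL, REALM, CLIENT_ID, CLIENT_SECRET)) as resp:
        token = json.load(resp)["access_token"]
    extra = excess_roles(token)
    if extra:
        raise PermissionError(
            f"service account holds unexpected realm-management roles: {sorted(extra)}")
    req = create_user_request(BASE_URL, REALM, token, username, email, password)
    with opener(req) as resp:
        return resp.status, resp.headers.get("Location")


def constructed_token(roles):
    """Unsigned JWT with the claim layout Keycloak uses, constructed purely
    for offline demonstration of excess_roles(); never accept such a token."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    claims = {"resource_access": {"realm-management": {"roles": list(roles)}}}
    return f"{seg(header)}.{seg(claims)}."


if __name__ == "__main__":
    demo = constructed_token(["manage-users", "realm-admin"])
    print(sorted(excess_roles(demo)))  # ['realm-admin']
```

The role check does not make manage-users any narrower; it only guarantees that the sign-up service fails closed if someone later attaches a broader role to its service account, which is the failure mode most likely to go unnoticed once the account is in place.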

Answers (1)

Geoffrey

Reputation: 484

Indeed it seems that you cannot edit the manage-users role or create a new one with more fine-grained control from the console. Looking at the source code, you will probably have to fork the repo and add your expected behavior.

The way seems to be to create a new variable in the AdminRoles.java file like:

public static String CREATE_USERS = "create-users";

https://github.com/keycloak/keycloak/blob/d9b271c22a170e003f328873a6a05a2665e7f79b/server-spi-private/src/main/java/org/keycloak/models/AdminRoles.java#L46

Then use it only in the places where the MANAGER_USERS enum is used for user creation in the source code; it seems to be under the UserPermissions.java, RolePermissions.java, GroupPermissions.java and RealmAuth.java files.

Then build your custom Keycloak distribution following the official guideline: https://github.com/keycloak/keycloak#building-from-source

Upvotes: 0
