Ruchira Nawarathna

Reputation: 1507

Is it possible to create keycloak users without admin credentials?

I have a spring boot application which uses keycloak for user management. But the keycloak instance is a production one and I don't have admin credentials. I have the following keycloak realm information.

#Keycloak settings
keycloak.auth-server-url=https://myapp.com/auth/
keycloak.realm=project-realm
keycloak.resource=project-client
keycloak.credentials.secret=secret
keycloak.use-resource-role-mappings=true
keycloak.bearer-only=true
keycloak.ssl-required=external
auth.token.url=https://myapp.com/auth/realms/my-realm/protocol/openid-connect/token
auth.grant.type=client_credentials

When I try to perform user management operations using keycloak rest api I get 403 Forbidden response. Here the authorization token is generated using above realm credentials.

method: POST 
url:https://myapp.com/auth/realms/project-realm/protocol/openid-connect/token
contentType: application/x-www-form-urlencoded
body:
client_id: project-client
grant_type: client_credentials
client_secret: secret 

But when I use a local keycloak instance and generate authorization token using admin credentials this works fine.

method: POST 
url:http://localhost:8180/auth/realms/master/protocol/openid-connect/token
contentType: application/x-www-form-urlencoded
body:
client_id: admin-cli
grant_type: password
username: admin
password: admin

What I need to know is do I need admin credentials (username, password) to perform these user management operations using Keycloak rest api? Or am I doing something wrong?

Upvotes: 5

Views: 4539

Answers (1)

dreamcrash

Reputation: 51453

When I try to perform user management operations using keycloak rest api I get 403 Forbidden response. Here the authorization token is generated using above realm credentials.

This happens because

method: POST 
url:https://myapp.com/auth/realms/project-realm/protocol/openid-connect/token
contentType: application/x-www-form-urlencoded
body:
client_id: project-client
grant_type: client_credentials
client_secret: secret 

your client project-client does not have the proper admin-related roles to perform the Admin Rest API calls.

What I need to know is do I need admin credentials (username, password) to perform these user management operations using keycloak rest api? Or am I doing something wrong?

No. You can perform those same tasks with another user or client as long as they have the appropriate roles. To fix your problem you can do the following:

  • Go to the realm where the client project-client is;
  • Go to Clients and select the client project-client;
  • Switch to the tab Service Account Roles;
  • In the Client Roles dropdown menu select realm-management;
  • Select and assign the roles accordingly.

Upvotes: 4
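Putting the answer's fix into practice, as an added example that is not part of the question or the answer: the script below obtains a token exactly as the question does (client_credentials against the project-realm token endpoint), decodes the token payload to see which realm-management roles the service account actually carries, and only then calls the Admin REST API to create a user. The hostname, realm and client names are taken from the question; manage-users and realm-admin are the realm-management client roles that Keycloak requires for POST /admin/realms/{realm}/users. The HTTP transport is injectable, and the included fake_keycloak transport is a constructed stand-in (not a real server) so the flow, including the 403 the question observed, can be run offline. The payload decode is a diagnostic only; it does not verify the token signature.

```python
"""Keycloak service-account flow: token -> role check -> Admin REST API create-user.
Added example; names below come from the question, the fake server is constructed."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://myapp.com/auth/"   # keycloak.auth-server-url from the question
REALM = "project-realm"                # keycloak.realm from the question
# Either realm-management role is enough for POST /admin/realms/{realm}/users.
REQUIRED_ROLES = {"manage-users", "realm-admin"}


def token_request(base_url, realm, client_id, client_secret):
    """The form-encoded client_credentials request the question sends."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    form = {"client_id": client_id, "grant_type": "client_credentials",
            "client_secret": client_secret}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", url, headers, urllib.parse.urlencode(form).encode()


def decode_jwt_payload(token):
    """Decode the payload segment only (no signature check; diagnostic use)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def realm_management_roles(token):
    """Roles the service account holds on the realm-management client."""
    claims = decode_jwt_payload(token)
    return set(claims.get("resource_access", {})
                     .get("realm-management", {}).get("roles", []))


def can_manage_users(token):
    return bool(realm_management_roles(token) & REQUIRED_ROLES)


def create_user_request(base_url, realm, access_token, username, email):
    """Admin REST API call; Keycloak answers 201 with a Location header."""
    url = f"{base_url.rstrip('/')}/admin/realms/{realm}/users"
    body = json.dumps({"username": username, "email": email, "enabled": True})
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    return "POST", url, headers, body.encode()


def urllib_transport(method, url, headers, body):
    """Real transport: returns (status, headers, body) even on HTTP errors."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def create_user(base_url, realm, client_id, client_secret, username, email,
                transport=urllib_transport, preflight=True):
    """Full flow. With preflight=True a token lacking the roles is reported
    before any admin call is made, which is the root cause of the 403."""
    status, _, raw = transport(*token_request(base_url, realm, client_id, client_secret))
    if status != 200:
        return {"ok": False, "stage": "token", "status": status}
    access_token = json.loads(raw)["access_token"]
    if preflight and not can_manage_users(access_token):
        return {"ok": False, "stage": "roles", "status": None,
                "roles": sorted(realm_management_roles(access_token))}
    status, headers, _ = transport(*create_user_request(
        base_url, realm, access_token, username, email))
    if status == 201:
        return {"ok": True, "stage": "create", "status": 201,
                "location": headers.get("Location")}
    return {"ok": False, "stage": "create", "status": status}


def _unsigned_jwt(payload):
    """Constructed token shape (header.payload.sig) for the fake server only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}.sig"


def fake_keycloak(service_account_roles):
    """Constructed offline stand-in for the token and admin endpoints."""
    token = _unsigned_jwt({"azp": "project-client", "resource_access": {
        "realm-management": {"roles": list(service_account_roles)}}})

    def transport(method, url, headers, body):
        if url.endswith("/protocol/openid-connect/token"):
            return 200, {}, json.dumps({"access_token": token}).encode()
        if "/admin/realms/" in url and url.endswith("/users"):
            if headers.get("Authorization") != f"Bearer {token}":
                return 401, {}, b""
            if not set(service_account_roles) & REQUIRED_ROLES:
                return 403, {}, b'{"error":"unknown_error"}'   # the question's symptom
            return 201, {"Location": url + "/constructed-user-id"}, b""
        return 404, {}, b""
    return transport
```

Run against a real server by leaving transport at its default; the "roles" stage output lists exactly what the service account has, so an empty list points straight at the Service Account Roles tab in the answer.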
