I've read many tutorials on setting up a realm in Keycloak but it's nowhere mentioned that Keycloak is creating a client called <your-realm-name>-realm in master realm with set of roles:
Why is it needed?
Is the custom realm a form of a client for a Keycloak itself so it needs to create a kind of "virtual" client to handle that relation?
This automatically created client has a set of roles which look to me like a Keycloak internal roles:
Where can I find them in a documentation?
Is the custom realm a form of a client for a Keycloak itself so it
needs to create a kind of "virtual" client to handle that relation?
Kind of; from the Keycloak Documentation itself:
The master realm is a special realm that allows admins to manage more
than one realm on the system. You can also define fine-grained access
to users in different realms to manage the server.
The master realm in Keycloak is a special realm and treated differently than other realms. Users in the Keycloak master realm can be granted permission to manage zero or more realms that are deployed on the Keycloak server. When a realm is created, Keycloak automatically creates various roles that grant fine-grain permissions to access that new realm.
Admin users within the master realm can be granted management privileges to one or more other realms in the system. Each realm in Keycloak is represented by a client in the master realm. The name of the client is [realm name]-realm. These clients each have client-level roles defined which define varying level of access to manage an individual realm.
It is just an implementation detail; Notwithstanding, it makes it easier to conceptually think of the master realm as the top of the pyramid followed by its clients, in which are included the other realms as well. Furthermore, it also allows you to managed the realms from the point of view of the master realm, for instance:
Adding permissions in the form of roles to the other realms. Other approaches would likely be good as well, but the Keycloak developers opted for this one.
Related
I'm trying to create a user in Keycloak admin console, but it has effective roles that should not be there. In addition to default realm roles, each user, when created, has odd Effective Roles. And I can't understand, where they come from. Even when I delete all assigned roles, effective roles just stay there.
This does not happen usually, seems like a problem with your Keycloak setup and installation.
Have you checked the default roles at realm level? Roles shown in screenshot belong to realm-management client.
If you are using master realm, I'd suggest you to create a new realm other than master and use it.
I am using Keycloak 18.0 for Angular 13 + Spring Boot App. The solution utilizes Microservices architecture pattern for this app so basically Keycloak already guards access to other solution resources. I am using only Keycloak REST API.
The problem is Keycloak security itself:
I want to restrict Keycloak client token only to user creation.
Any user has to be able:
1. Fully access and manage ONLY his own profile.
2. Has restricted access to profiles of other users.
3. Any other operation of viewing other users, adjusting
roles etc. should be enabled only if authenticated user
has some kind of permission to do it.
For example:
Anybody can create user (signup).
After user is verified, some role is assigned to that user.
User logs in and acquire its token that has permissions to fully manage only his own resources including user itself and has restricted access to other users and user resources.
I am not sure I want to integrate Keycloak as resource security manager (i am considering that option but for now, only Spring Boot Adapter was implemented to control corresponding resources security) but at least i would like to prevent e.g. reading full list of users using Keycloak client token.
I have basic understanding of Keycloak Resource/Policy/Permission Feature but I am not sure i understand how can i apply it to Keycloak users itself.
Thanks a lot in advance for your help.
We are currently in the process of migrating our user authentication to Keycloak, using an OIDC server. The issue is that the architecture of some of our client applications rely on existing user tables, linked to numerous other tables throughout the services.
How can we go about keeping Keycloak users in sync with the client user, so that if a customer deletes or creates a user on Keycloak, it's reflected in that client DB? Is this generally done through overwriting OIDC methods?
Similarly, when a user logs in through Keycloak, we will require a lookup on the client DB to get additional attributes for the access token, such as the client userId and accountId for that user. Can this be done via overwriting thetransformAccessToken method and making a request to the client BE?
Keycloak provides some built-in roles to manage keycloak itself. These roles are defined in the realm-management client of every non-master realm. As example, I can define a user which has the permissions to manage users. But now this user can change all the roles of all the users. The user can even change the role of itself.
In our application we need a hierarchical role structure in the following way. We have a root, admin and some other specific application roles. The root role should be able to manage the keycloak customer realm as also some application specific functionality. The admin role should have the permissions to manage users and also some application specific functionality.
I have tried to model that in keycloak the following way. I have two realm roles root and admin as also some client (my-app) roles root, admin, edit and view. The realm roles are composite roles which use their counterpart in the client (root -> may-app.root, admin -> my-app.admin).
Now, the issues is that the admin user can change it's role to root. How can I restrict the permissions of the admin user to allow only to manage user or roles that are on the same level or below? Is their such built-in functionality or should I provide my own UI on top of the Keycloak REST API?
We are considering to use the keycloak as our SSO framework.
According to the keycloak documentation for multi-tenancy support the application server should hold all the keycloak.json authentication files, the way to acquire those files is from the keycloak admin, is there a way to get them dynamically via API ? or at least to get the realm public key ? we would like to avoid to manually add this file for each realm to the application server (to avoid downtime, etc).
Another multi-tenancy related question - according to the documentation the same clients should be created for each realm, so if I have 100 realms and 10 clients, I should define the same 10 clients 100 times ? is there an alternative ?
One of our flows is backend micro-service that should be authenticated against an application (defined as keycloak client), we would like to avoid keeping user/psw on the server for security reasons, is there a way that an admin can acquire a token and place it manually on the server file system for that micro service ? is there a option to generate this token in the keycloak UI ?
Thanks in advance.
All Keycloak functionality is available via the admin REST API, so you can automate this. The realm's public key is available via http://localhost:8080/auth/realms/{realm}/
A realm for each tenant will give a tenant-specific login page. Therefore this is the way to go - 10 clients registered 100 times. See more in the chapter Client Registration of the Keycloak documentation. If you don't need specific themes, you can opt to put everything in one realm, but you will lose a lot of flexibility on that path.
If your backend micro service should appear like one (technical) user, you can issue an offline token that doesn't expire. This is the online documentation for offline tokens. Currently there is no admin functionality to retrieve an offline token for a user by an admin. You'll need to build this yourself. An admin can later revoke offline tokens using the given admin API.