Keycloak - Manage realm with user from different realm

Is it possible to have a user in one realm manage another realm in Keycloak? My goal is to have 2 realms, adminRealm & userRealm. In adminRealm there should be users who will be able to log in to our admin app, and from there they could create, via the Keycloak REST API, "ordinary users" which will be placed into userRealm.

Currently my solution works over one realm, where I have an admin user who is able to log in to my admin app and there he can create users in the same realm. But if I want to create users in another realm, I get a 403 error. So is there any way to allow the admin user to manage another realm (e.g. create users etc.)?

Chromatograph answered 13/5, 2020 at 14:27 Comment(1)
I am not sure, but I think you need to enable the admin-cli/admin app for this user. I do not remember the exact name because I cannot access the Keycloak server right now, but it should be in the list of apps that come preinstalled, like the account UI etc. – Prent

You should use the master realm for storing admin accounts. Non-master realms are isolated from each other. If you look at the clients list in the master realm you should see that every realm is represented by a client with an OIDC id like "foo-realm". These clients represent the administration REST API for the corresponding realms, and users who have been granted roles from these clients can perform admin requests to the corresponding APIs.

For example, you have a foo realm which will contain ordinary application users. To achieve your goal of introducing admin accounts that will be able to manage users from foo, you have to create a foo-admin user in the master realm and grant him the foo-realm.realm-admin role. Now this user has total control over the foo realm and no control over the master realm. You can also map the foo-realm.realm-admin role to some group in the master realm and add users to it (so if any changes are needed in the future you will only have to change the group's role settings).

Psychopath answered 14/5, 2020 at 6:28 Comment(3)
Thanks for the quick reply and explanation. I used your suggestion with the master realm and role and it's working correctly. – Chromatograph
What if I can't use the master realm for some reason? Can we add master realm permission to another realm as well? – Aldo
@Aldo master-realm stuff can be controlled/configured only via the master realm. But I haven't worked with Keycloak for a long time, maybe things have changed. – Psychopath
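The setup from the accepted answer carried out over the Keycloak Admin REST API, as an added example that is not part of the original answer or of Keycloak's own code. It creates foo-admin in master, maps the realm-admin role of master's foo-realm client onto that user, then logs in as foo-admin (against master, via the built-in admin-cli client) and creates a user in foo. The server URL, realm name "foo", usernames and passwords are assumptions; FakeKeycloak is a constructed stand-in, not Keycloak, so the flow can run offline, and it mirrors the rule the answer describes: a user without a role from master's foo-realm client gets the 403 the question ran into, and foo-admin gets the same 403 against master.

```python
# Added example (not from the original post): the accepted answer's setup driven through the Keycloak
# Admin REST API. Assumed: KEYCLOAK_URL, realm "foo", the usernames/passwords, and FakeKeycloak, a
# constructed stand-in (not Keycloak itself) so the flow also runs offline.
import json, urllib.error, urllib.parse, urllib.request

KEYCLOAK_URL = "http://localhost:8080"  # assumption

def http_json(method, url, token=None, body=None, form=None, transport=None):
    """One request -> (status, headers, parsed body); `transport` replaces the network when given."""
    headers, data = {}, None
    if form is not None:
        data, headers["Content-Type"] = urllib.parse.urlencode(form).encode(), "application/x-www-form-urlencoded"
    elif body is not None:
        data, headers["Content-Type"] = json.dumps(body).encode(), "application/json"
    if token:
        headers["Authorization"] = "Bearer " + token
    if transport is not None:
        return transport(method, url, headers, data)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data, method=method, headers=headers)) as r:
            raw = r.read()
            return r.status, dict(r.headers), json.loads(raw) if raw else None
    except urllib.error.HTTPError as e:
        raw = e.read()
        return e.code, dict(e.headers), json.loads(raw) if raw else None

def get_token(realm, username, password, transport=None):
    """Password grant against the built-in public client admin-cli of `realm`."""
    status, _, body = http_json("POST", f"{KEYCLOAK_URL}/realms/{realm}/protocol/openid-connect/token",
                                form={"grant_type": "password", "client_id": "admin-cli",
                                      "username": username, "password": password}, transport=transport)
    if status != 200: raise RuntimeError(f"login failed for {username}@{realm}: {status}")
    return body["access_token"]

def create_user(token, realm, username, password, transport=None):
    """POST /admin/realms/{realm}/users -> 201, new id in Location; 403 is what the question ran into."""
    status, headers, body = http_json("POST", f"{KEYCLOAK_URL}/admin/realms/{realm}/users", token=token,
                                      body={"username": username, "enabled": True, "credentials": [
                                          {"type": "password", "value": password, "temporary": False}]},
                                      transport=transport)
    if status == 403: raise PermissionError(f"caller holds no manage-users permission for realm {realm}")
    if status != 201: raise RuntimeError(f"create user failed: {status} {body}")
    return next(v for k, v in headers.items() if k.lower() == "location").rsplit("/", 1)[-1]

def grant_realm_admin(token, user_id, target_realm, transport=None):
    """Map client role '<target>-realm.realm-admin' (defined in master) onto a master-realm user."""
    base = f"{KEYCLOAK_URL}/admin/realms/master"
    _, _, clients = http_json("GET", f"{base}/clients?clientId={target_realm}-realm", token=token, transport=transport)
    cid = clients[0]["id"]
    _, _, role = http_json("GET", f"{base}/clients/{cid}/roles/realm-admin", token=token, transport=transport)
    status, _, _ = http_json("POST", f"{base}/users/{user_id}/role-mappings/clients/{cid}", token=token,
                             body=[{"id": role["id"], "name": role["name"]}], transport=transport)
    if status != 204: raise RuntimeError(f"role mapping failed: {status}")

def setup_foo_admin(master_pw, foo_admin_pw, transport=None):
    """Accepted answer end to end: foo-admin lives in master, administers foo, cannot touch master."""
    root = get_token("master", "admin", master_pw, transport)
    foo_admin_id = create_user(root, "master", "foo-admin", foo_admin_pw, transport)
    grant_realm_admin(root, foo_admin_id, "foo", transport)
    foo_admin = get_token("master", "foo-admin", foo_admin_pw, transport)  # foo-admin logs in against master
    alice_id = create_user(foo_admin, "foo", "alice", "alice-pw", transport)
    return {"foo_admin_id": foo_admin_id, "alice_id": alice_id, "foo_admin_token": foo_admin}

class FakeKeycloak:
    """Constructed stand-in, not Keycloak: minimal routing plus the rule Keycloak enforces, that
    creating users in realm R needs a role from master's client 'R-realm'. Bootstrap admin has '*'."""
    def __init__(self):
        self.users, self.passwords = {("master", "admin"): "u-admin"}, {"u-admin": "root-pw"}
        self.roles, self.tokens, self.n = {"u-admin": {"*"}}, {}, 0

    def __call__(self, method, url, headers, data):
        parts = urllib.parse.urlsplit(url)
        path, query = parts.path.split("/")[1:], dict(urllib.parse.parse_qsl(parts.query))
        if path[0] == "realms" and path[-1] == "token":                  # password grant
            f = dict(urllib.parse.parse_qsl(data.decode()))
            uid = self.users.get((path[1], f["username"]))
            if uid is None or self.passwords[uid] != f["password"]: return 401, {}, {"error": "invalid_grant"}
            self.tokens["tok-" + uid] = uid
            return 200, {}, {"access_token": "tok-" + uid}
        caller, realm = self.tokens[headers["Authorization"][7:]], path[2]
        if method == "POST" and path[3:] == ["users"]:
            if not self.roles[caller] & {"*", f"{realm}-realm.realm-admin"}: return 403, {}, {"error": "unknown_error"}
            self.n += 1
            uid, body = f"u-{self.n}", json.loads(data)
            self.users[(realm, body["username"])], self.roles[uid] = uid, set()
            self.passwords[uid] = body["credentials"][0]["value"]
            return 201, {"Location": f"{url}/{uid}"}, None
        if method == "GET" and path[3] == "clients" and len(path) == 4:
            return 200, {}, [{"id": "c-" + query["clientId"], "clientId": query["clientId"]}]
        if method == "GET" and path[3] == "clients" and len(path) == 7:  # .../clients/{id}/roles/{name}
            return 200, {}, {"id": f"r-{path[4]}-{path[6]}", "name": path[6]}
        if method == "POST" and path[3] == "users" and path[5:7] == ["role-mappings", "clients"]:
            self.roles[path[4]] |= {f"{path[7][2:]}.{r['name']}" for r in json.loads(data)}
            return 204, {}, None
        return 404, {}, None

if __name__ == "__main__":
    print(setup_foo_admin("root-pw", "foo-admin-pw", transport=FakeKeycloak()))  # drop transport for a real server
```

Against a real server, leave `transport` unset and point KEYCLOAK_URL at the instance; the only privileged step is the role mapping, which the bootstrap master admin performs once. The group variant the answer mentions replaces the `users/{id}/role-mappings/clients/{cid}` call with the same call under `groups/{gid}/...` plus a group membership, which keeps later changes to one place.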

In case you use Terraform, your solution would look like this:

data "keycloak_realm" "master" {
  realm = "master"
}

data "keycloak_openid_client" "realm_management" {
  realm_id  = data.keycloak_realm.master.id
  client_id = "foo-realm"
}

data "keycloak_role" "query_users" {
  realm_id  = data.keycloak_realm.master.id
  client_id = data.keycloak_openid_client.realm_management.id
  name      = "query-users"
}

data "keycloak_role" "manage_users" {
  realm_id  = data.keycloak_realm.master.id
  client_id = data.keycloak_openid_client.realm_management.id
  name      = "manage-users"
}

resource "keycloak_user_roles" "user_admin_roles" {
  realm_id = data.keycloak_realm.master.id
  user_id  = keycloak_user.users_admin.id

  role_ids = [
    data.keycloak_role.query_users.id,
    data.keycloak_role.manage_users.id,
  ]
}
Belgravia answered 25/10, 2022 at 12:59 Comment(0)
