Make use of client-credentials in the Keycloak admin client #963

Open
wants to merge 1 commit into
base: main

dnlkoch
Member

@dnlkoch dnlkoch commented Dec 23, 2024

Description

This suggests dropping the support for username-password credentials in the Keycloak admin client. There is no real need to change it, but it might be considered a better practice to actually make use of the secret instead, since it's the desired form of providing the authentication in machine-to-machine communication. It would also be easier to adjust the required permissions for the service account in more restricted scenarios. But this is open for discussion.

Please note that this is considered a breaking change and you will most probably encounter the following error during the first startup:

Error: clientSecret required with grant_type=client_credentials

To update a running project please ensure:

  • The keycloak block in the application.yml is updated:
    • Remove username and password.
    • Add admin-client-secret.
  • To obtain the client secret, check the Credentials tab in your admin client (usually admin-cli in the SHOGun realm):
    • Ensure the client has Client authentication and Service accounts roles settings enabled.
    • Set the desired realm-management role for the service accounts roles (e.g. realm-admin, but this might be adjusted/lowered to project needs).

Please review @terrestris/devs.

Related issues or pull requests

--

Pull request type

  • Bugfix
  • Feature
  • Dependency updates
  • Tests
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Other (please describe)

Do you introduce a breaking change?

  • Yes
  • No

Checklist

  • I understand and agree that the changes in this PR will be licensed under the
    Apache Licence Version 2.0.
  • I have followed the guidelines for contributing.
  • The proposed change fits to the content of the code of conduct.
  • I have added or updated tests and documentation, and the test suite passes (run mvn test locally).
  • I have added a screenshot/screencast to illustrate the visual output of my update.

BREAKING CHANGE: username password combination in the keycloak admin client is no longer supported
@dnlkoch dnlkoch force-pushed the keycloak-client-credentials branch from feed96d to ae42666 Compare December 23, 2024 10:06
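
Added example, not part of this pull request or the SHOGun code base: one way to check the last step of the update procedure, by decoding a service-account access token and comparing its realm-management roles with what the project needs. The token here is constructed and unsigned, and the `NEEDED` role set and all function names are assumptions made for illustration.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: dict) -> str:
    raw = json.dumps(data).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def realm_management_roles(access_token: str) -> set:
    """Return the realm-management client roles carried in a Keycloak access token.

    The payload is only decoded for inspection; the signature is NOT verified,
    so never use this result for an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    client_roles = claims.get("resource_access", {}).get("realm-management", {})
    return set(client_roles.get("roles", []))


def audit_service_account(access_token: str, needed: set) -> dict:
    """Compare granted roles with what the project needs (least privilege)."""
    granted = realm_management_roles(access_token)
    return {"missing": sorted(needed - granted), "excess": sorted(granted - needed)}


def constructed_token(roles: list) -> str:
    """Build an unsigned sample token (constructed for this example)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"azp": "admin-cli",
               "resource_access": {"realm-management": {"roles": roles}}}
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "constructed"])


# Hypothetical project need: the backend only reads and manages users.
NEEDED = {"view-users", "manage-users"}

if __name__ == "__main__":
    broad = constructed_token(["realm-admin", "manage-users", "view-users"])
    print(audit_service_account(broad, NEEDED))
```

A non-empty `excess` list means the service account holds more than the project requires, and `missing` lists roles still to be assigned in the service accounts roles settings.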