Keycloak Admin Client in Spring Boot

Question

I’m having some trouble to use keycloak-admin-client in spring boot.

If I try with this code I get 401 (unauthorized):

public Keycloak getKeycloakInstance() {
  var keycloak = KeycloakBuilder.builder()
   .serverUrl(SERVER_URL)
   .realm(REALM)
   .username(USERNAME)
   .password(PASSWORD)
   .clientId(CLIENT_ID)
   .build();
  return keycloak;
}

Also, if I put .resteasyClient(....) and .clientSecret(...) in the code above i get badrequest.

In the client roles I created a new composite role and gave all realm-management roles to it, maybe I configured something wrong?

Where can I find some documentation on how to use this Admin Client Dependency?

<dependency>
 <groupId>org.keycloak</groupId>
 <artifactId>keycloak-admin-client</artifactId>
 <version>10.0.0</version>
</dependency>

Answer 1

Question answered in keycloak discourse by @zonaut. Maybe it helps someone!

"Personally I would choose example 2, creating a dedicated service account client as we are communicating service to service".

Example 1 -> Using a user

1. Create new client under your desired realm -> keycloak-admin
2. Select public client with only direct access grant enabled
3. Create new role, enable composite roles
   • type realm-managment into client roles under composite roles
   • add available roles that you need
4. Select a user and open role mappings tab
   • type keycloak-admin in client roles and add needed roles

Code:

    Keycloak keycloak = KeycloakBuilder.builder()
    .serverUrl("http://localhost:8080/auth")
    .grantType(OAuth2Constants.PASSWORD)
    .realm("realm-name")
    .clientId("keycloak-admin")
    .username("username")
    .password("password")
    .resteasyClient(
        new ResteasyClientBuilder()
            .connectionPoolSize(10).build()
    ).build();

keycloak.tokenManager().getAccessToken();
RealmResource realmResource = keycloak.realm("realm-name");

Example 2 -> Using a confidential service account

1. Create new client under your desired realm -> keycloak-admin
2. Select confidential client with only service account enabled
3. Select tab service account roles
   • type realm-management into client roles
   • add available roles that you need

Code:

Keycloak keycloak = KeycloakBuilder.builder()
    .serverUrl("http://localhost:8080/auth")
    .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
    .realm("realm-name")
    .clientId("keycloak-admin")
    .clientSecret("1c7e2815-c4dc-401c-af2f-ebddad3b4a79")
    .resteasyClient(
        new ResteasyClientBuilder()
            .connectionPoolSize(10).build()
    ).build();

keycloak.tokenManager().getAccessToken();
RealmResource realmResource = keycloak.realm("realm-name");

Example 3 -> Using admin account

You could also use the admin user with the password grant and use the existing admin-cli client.

Keycloak keycloak = KeycloakBuilder.builder()
    .serverUrl("http://localhost:8080/auth")
    .grantType(OAuth2Constants.PASSWORD)
    .realm("master")
    .clientId("admin-cli")
    .username("admin")
    .password("password")
    .resteasyClient(
        new ResteasyClientBuilder()
            .connectionPoolSize(10).build()
    ).build();

keycloak.tokenManager().getAccessToken();
RealmResource realmResource = keycloak.realm("realm-name");