For securing a frontend application, I created a new Keycloak client with a custom configuration:
This setup works fine in the local development setup. Now we need to transfer this configuration to the other environments, like the develop/preproduction/production stages.
As far as I understand, Keycloak offers the following exports:
It looks as if both approaches have some major drawbacks. Either I would need to overwrite the complete realm (which I definitely don't want to do in production) or I can import the basic client configuration which is missing all the roles.
And as soon as we, for example, add more roles later on, then we would need to re-configure all stages manually.
Is there some "good practice" for how to deal with that? Does Keycloak offer some kind of "sync" between stages?
I think this is a hard question to answer. It comes down to comparing API calls vs. UI configuration.
Disadvantages of API calls: I prefer API calls, but it takes time to figure out the API functions, the call order matters, some properties missing in the parent have to be set in detail in the child, the API URL paths have a complicated structure (for example id/property/id/property), and it requires deeper knowledge of Keycloak.
Advantages of API calls: more fine-tuning, fast, easy to organize from top to bottom (for example, configuring the client, auth resources, auth scopes, policies and permissions in another environment), and can transfer 100% of the configuration.
Disadvantages of UI configuration: not flexible; if an id does not match, it causes an error; can't update/add partial data (for example, getting a client's resource is missing its scopes, which have to be set by a separate API call); can't move 100% of the configuration from the source to the target environment; can introduce human error.
Advantages of UI configuration: easy and quick, even when done manually.
My preference is API calls: using Postman (a single API call, or running a collection for a sequence of API calls) at the local and develop stages, where you can do simple unit tests and check the HTTP status, and curl calls with a Bash shell for the higher stages. If you check the condition of the target, you can handle scenario-based transfer (for example, if something is already set, skip that configuration).
One more tip: if you open the debug section with F12 in Chrome or Firefox, you can see the API calls in the Network tab. It saves time figuring out the API call methods and the payload/response JSON data.
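A sketch of the scenario-based transfer described in the answer above (skip what is already set), added here as an example and not code from the answer or from Keycloak: it diffs one client's roles between two stages and plans only the missing or changed ones. The function names, sample roles and `base_url` are assumptions (on older servers `base_url` would include the `/auth` prefix); the paths are the Keycloak Admin REST API client-role endpoints.

```python
import json
import urllib.parse
import urllib.request

def plan_role_sync(source_roles, target_roles):
    """Compare client roles by name; return (method, role_name, payload) steps for the target."""
    target_by_name = {r["name"]: r for r in target_roles}
    plan = []
    for role in sorted(source_roles, key=lambda r: r["name"]):
        # Copy only portable fields; "id" and "containerId" are per-environment UUIDs.
        wanted = {"name": role["name"],
                  "description": role.get("description", ""),
                  "attributes": role.get("attributes", {})}
        existing = target_by_name.get(role["name"])
        if existing is None:
            plan.append(("POST", role["name"], wanted))   # missing on target: create
        elif (existing.get("description", "") != wanted["description"]
              or existing.get("attributes", {}) != wanted["attributes"]):
            plan.append(("PUT", role["name"], wanted))    # drifted: update in place
        # identical roles are skipped; roles only on the target are never deleted
    return plan

def apply_plan(base_url, realm, client_uuid, token, plan):
    """Send the plan to the target stage; urlopen raises HTTPError on any 4xx/5xx."""
    roles_url = f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/roles"
    for method, name, payload in plan:
        url = roles_url if method == "POST" else f"{roles_url}/{urllib.parse.quote(name, safe='')}"
        req = urllib.request.Request(
            url, data=json.dumps(payload).encode(), method=method,
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            print(method, name, resp.status)

# Constructed sample data, shaped like GET .../clients/{id}/roles responses.
SAMPLE_SOURCE = [
    {"id": "src-1", "name": "viewer", "description": "Read-only access"},
    {"id": "src-2", "name": "editor", "description": "Can edit content"},
    {"id": "src-3", "name": "admin", "description": "Full access"},
]
SAMPLE_TARGET = [
    {"id": "tgt-1", "name": "viewer", "description": "Read-only access"},
    {"id": "tgt-2", "name": "editor", "description": "Edit"},
    {"id": "tgt-9", "name": "legacy", "description": "Kept; not in source"},
]

if __name__ == "__main__":
    for step in plan_role_sync(SAMPLE_SOURCE, SAMPLE_TARGET):
        print(step)  # dry run: review the plan before calling apply_plan()
```

Running the planner as a dry run first gives a reviewable change list per stage, and the token passed to `apply_plan` only needs rights to manage that one client's roles rather than realm-wide import rights.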