First: Store credentials for future kcadm.sh calls:
linux # /opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password 'mysupersecretpassword'
Logging into http://localhost:8080 as user admin of realm master
Now we can use kcadm.sh without entering the password every time (at least until the cached tokens expire):
linux # /opt/keycloak/bin/kcadm.sh create clients -r SUBDOM1 -s clientId="Testclient-007"
Created new client with id '361c9f6c-1bce-44ec-8985-25746e391588'
Lessons learned
For security reasons I had TOTP activated for my (master realm) admin account. When trying to add credentials for kcadm.sh usage I always got:
linux # kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password 'mysupersecretpassword'
Logging into http://localhost:8080 as user admin of realm master
Invalid user credentials [invalid_grant]
So I had to dig a little deeper: the client used for these operations is “admin-cli”. Looking into its settings, the only option enabled under “Authentication flow” is “Direct access grants”, i.e. the OAuth2 password grant that kcadm.sh uses to exchange a username and password for a token.
So the next thing is to look at the “direct grant” flow under “Authentication”. I temporarily set “Conditional OTP” to “Disabled” and tried the above command again:
linux # kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password 'mysupersecretpassword'
Logging into http://localhost:8080 as user admin of realm master
This time it succeeded. After enabling the OTP step again, let's see whether kcadm.sh is still usable with the tokens it cached:
linux # kcadm.sh get users -r master -q q="username:admin" --fields="username"
[ {
"username" : "admin"
}, {
"username" : "service-account-admin-api-access"
} ]
So the culprit is the OTP step in the direct grant flow. But this is not a final solution: the tokens kcadm.sh cached will expire once the refresh token's lifetime runs out, and renewing them means disabling the OTP step again every single time.
Nothing you'd like to do in a production environment.
So let's switch to client/secret authentication.
In order to do so we create a new client in the master realm (let's say “admin-api-access”) with “Client authentication” turned on and “Service accounts roles” enabled, so that it is a confidential client with a service account. Now copy the “Client secret” from the “Credentials” tab and, in the “Service account roles” tab, use “Assign role” (“Realm roles”) to assign “admin”. Be aware that this gives the service account the same full administrator rights as the admin user; if the automation only ever touches a single realm, the narrower roles of that realm's “<realm>-realm” client in the master realm (e.g. “manage-clients”) are the better choice.
linux # kcadm.sh config credentials --server http://127.0.0.1:8080 --realm master --client admin-api-access --secret thecopiedsupersecret
Logging into http://127.0.0.1:8080 as service-account-admin-api-access of realm master
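Putting the client/secret login to work in a script, as an added example that is not part of the original post: the secret is read from a file that must not be group/world readable, the cached tokens go into a job-specific config file instead of ~/.keycloak/kcadm.config, and the client creation from the beginning of the post is made idempotent by looking the clientId up first. The client name “admin-api-access”, the secret file path and the kcadm.sh location are assumptions and can be overridden through the environment.

```bash
#!/bin/sh
# Added example, not code from the original post: non-interactive kcadm.sh
# automation built on the client-credentials login shown above.
# Assumptions (none of them come from the post): the confidential client
# "admin-api-access" exists in the master realm with a service-account role,
# its secret is stored in a file only the calling user can read, and kcadm.sh
# lives at /opt/keycloak/bin/kcadm.sh. All of these can be overridden via env.
set -eu

KCADM="${KCADM:-/opt/keycloak/bin/kcadm.sh}"
KC_SERVER="${KC_SERVER:-http://127.0.0.1:8080}"
KC_CLIENT="${KC_CLIENT:-admin-api-access}"
KC_SECRET_FILE="${KC_SECRET_FILE:-${HOME:-.}/.config/keycloak/admin-api-access.secret}"
# Keep this job's token cache in its own file instead of ~/.keycloak/kcadm.config,
# so it does not outlive the job or get picked up by other kcadm.sh sessions.
KC_CONFIG="${KC_CONFIG:-$(mktemp)}"

# Log in with client credentials. Fails closed if the secret file is readable
# by group or others (the mode must be ?00, e.g. 600).
kc_login() {
  perms=$(ls -ld "$KC_SECRET_FILE" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "refusing to use $KC_SECRET_FILE: group/other permissions are set" >&2
    return 1
  fi
  "$KCADM" config credentials --config "$KC_CONFIG" \
    --server "$KC_SERVER" --realm master \
    --client "$KC_CLIENT" --secret "$(cat "$KC_SECRET_FILE")"
}

# Print the internal id of the client with the given clientId in a realm,
# or nothing if no such client exists (GET /admin/realms/{realm}/clients?clientId=...).
kc_client_id() {
  realm=$1
  client_id=$2
  "$KCADM" get clients --config "$KC_CONFIG" -r "$realm" \
    -q clientId="$client_id" --fields id --format csv --noquotes
}

# Idempotent create: only run "create clients" when no client with that
# clientId exists yet; either way print the client's id.
kc_ensure_client() {
  realm=$1
  client_id=$2
  existing=$(kc_client_id "$realm" "$client_id")
  if [ -n "$existing" ]; then
    echo "$existing"
    return 0
  fi
  "$KCADM" create clients --config "$KC_CONFIG" -r "$realm" \
    -s clientId="$client_id" -s publicClient=false -i
}

# Remove the cached tokens once the job is done.
kc_logout() {
  rm -f "$KC_CONFIG"
}
```

Source the file and run `kc_login && kc_ensure_client SUBDOM1 Testclient-007; kc_logout`. Note that the secret still ends up in the argument list of kcadm.sh for the duration of the login call, just as with the interactive command above, but it no longer lands in your shell history.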
