Make use of client-credentials in the Keycloak admin client #963
Description
This suggests to drop the support for username-password credentials in the Keycloak admin client. There is no real need to change it, but it might be considered a better practice to actually make use of the secret instead since it's the desired form of providing the authentication in a machine-to-machine communication. It would also be easier to adjust the required permissions for the service account in more restricted scenarios. But this is open for discussion.
Please note that this is considered as a breaking change and you are most probably encountering the following error during the first startup:
To update a running project please ensure:

- the `keycloak` block in the `application.yml` is updated: `username` and `password` → `admin-client-secret`.
- `Credentials` tab in your admin client (usually `admin-cli` in the `SHOGun` realm): `Client authentication` and `Service accounts roles` settings enabled.
- `realm-management` role for the service accounts roles (e.g. `realm-admin`, but this might be adjusted/lowered to project needs).

Please review @terrestris/devs.
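The two ways of constructing the Keycloak admin client that this PR switches between, as an added example using the public `KeycloakBuilder` API of the Keycloak admin client library. This is not SHOGun's own code: the class name `AdminClientFactory`, the server URL and the `KEYCLOAK_ADMIN_CLIENT_SECRET` environment variable are placeholders chosen for the example; in SHOGun the realm, client id and `admin-client-secret` come from the `keycloak` block of `application.yml` as described above. The password-grant variant is shown only as the "before" for comparison; the client-credentials variant is the one the PR adopts, and it requires the Keycloak client settings listed above (`Client authentication` and `Service accounts roles` enabled, plus a suitable `realm-management` role on the service account).

```java
// Added example (not part of the PR or of SHOGun): building the Keycloak
// admin client with the password grant (before) and with the
// client-credentials grant (after). All URLs, ids and secrets are placeholders.
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

public class AdminClientFactory {

    // Before: resource-owner password grant. A real user's username and
    // password must be stored in the service configuration, and the token
    // carries that user's roles, so the permissions cannot be scoped to the
    // admin client alone.
    public static Keycloak withPasswordGrant(String serverUrl, String realm, String clientId,
                                             String username, String password) {
        return KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm(realm)
                .grantType(OAuth2Constants.PASSWORD)
                .clientId(clientId)
                .username(username)
                .password(password)
                .build();
    }

    // After: client-credentials grant. Only the confidential client's secret
    // is configured (SHOGun: `admin-client-secret`). The token belongs to the
    // client's service account, whose realm-management roles (e.g.
    // realm-admin, or something narrower) can be adjusted per project.
    public static Keycloak withClientCredentials(String serverUrl, String realm,
                                                 String clientId, String clientSecret) {
        return KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm(realm)
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
    }

    public static void main(String[] args) {
        // Placeholder values: the Keycloak client "admin-cli" in realm "SHOGun"
        // must have "Client authentication" and "Service accounts roles"
        // enabled, and the secret is read from the environment rather than
        // hard-coded.
        String secret = System.getenv("KEYCLOAK_ADMIN_CLIENT_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("KEYCLOAK_ADMIN_CLIENT_SECRET is not set");
        }

        try (Keycloak keycloak = withClientCredentials(
                "https://keycloak.example.org", "SHOGun", "admin-cli", secret)) {
            // Smoke test for the service-account permissions: listing the
            // realm's clients needs a realm-management role such as
            // view-clients (covered by realm-admin). A 403 here means the
            // service account roles are too narrow for what SHOGun needs.
            keycloak.realm("SHOGun").clients().findAll()
                    .forEach(c -> System.out.println(c.getClientId()));
        }
    }
}
```

The `main` method doubles as a quick check after applying the update: if the first admin call returns 403, the service account's `realm-management` roles are too narrow; if it returns 401, `Client authentication` is not enabled for the client or the secret in `application.yml` does not match the one on the `Credentials` tab.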
Related issues or pull requests
--
Pull request type
Do you introduce a breaking change?
Checklist
Apache Licence Version 2.0.
mvn test locally).