Getting Started with Service Accounts in Keycloak

Mihirraj Dixit
5 min read · Mar 6, 2020

Keycloak is an open source Identity and Access Management solution suited to modern applications and services. It provides Single Sign-On and Single Sign-Out for browser applications and supports OpenID Connect, OAuth 2.0 and SAML. Documentation for Keycloak is provided here.

In this tutorial we focus on configuring service accounts in Keycloak and on the benefits they bring to a system. Service accounts are well suited to administrative tasks executed on behalf of a service rather than an individual user. We will use the OpenID Connect protocol throughout.

OAuth 2.0, on which OpenID Connect builds, defines four major grant types, all of which can be used with Keycloak. They are:

1. Authorization code
2. Client credentials
3. Resource owner password
4. Implicit

We won't dive deep into each grant type, as a detailed explanation is provided in RFC 6749. Note that the implicit grant is discouraged by the OAuth 2.0 Security Best Current Practice because it delivers tokens in the browser URL; prefer the authorization code grant for browser applications.

For this tutorial we use the Keycloak Docker image, configured with a PostgreSQL database server. The docker-compose YAML is shown below.

docker-compose yaml file
$ docker-compose -f {docker_yaml} up

Now that everything is running, let's get started.
It is recommended not to use the master realm in Keycloak to manage the users and applications of an organization. The master realm should be reserved for the super admins who create and manage the other realms in the system.

While configuring each client, Keycloak provides a switch for enabling each of the grant types mentioned above. They map as follows:

Standard Flow Enabled -> Authorization Code grant type
Implicit Flow Enabled -> Implicit grant type
Direct Access Grants Enabled -> Resource Owner Password grant type
Service Accounts Enabled -> Client Credentials grant type

In this tutorial we will create a realm and a client with its service account enabled. The realm can be created in several ways:
1. User Interface (UI)
2. Command Line Interface (CLI)
3. REST API requests

Let's create the realm using the CLI. First, jump into the Docker container with this command:

$ docker exec -ti $(docker ps -aqf "name={keycloak_container_name}") bash
$ cd /opt/jboss/keycloak/bin/

Log in to the Keycloak admin account with the command below (the server URL is the container's own port; the admin/admin credentials are the defaults from the compose file):

$ ./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password admin

Let's create the realm "demo" with the CLI command:

$ ./kcadm.sh create realms -s realm=demo -s enabled=true

Let's create a new client "demoapp" in the realm with the command below. The all-zero secret is only for this demo; for a real client, omit -s secret=... and Keycloak generates a random secret, which you then read back from the client's Credentials tab or via kcadm.

$ ./kcadm.sh create clients -r demo -s clientId=demoapp -s enabled=true -s clientAuthenticatorType=client-secret -s secret=00000000-0000-0000-0000-000000000000

Next we need the client's internal id (a UUID, distinct from the OAuth clientId "demoapp"), because kcadm addresses clients by that id. We get it with the command below.

$ ./kcadm.sh get clients -r demo --fields id,clientId

CLI output:
[ {
  "id" : "dec98534-891b-4c2d-b662-435fa66f73c6",
  "clientId" : "realm-management"
}, {
  "id" : "70c1caed-5275-48db-ad01-290f551c1e39",
  "clientId" : "broker"
}, {
  "id" : "8fff6733-2788-492e-b9cb-7c8af46777c7",
  "clientId" : "demoapp"
}, {
  "id" : "aa3406d3-ae5e-4871-a50a-28cbb8af483b",
  "clientId" : "security-admin-console"
}, {
  "id" : "482d78f7-ece7-4bfb-93f7-fa6359658a41",
  "clientId" : "account"
}, {
  "id" : "4a7db38d-c39a-4c19-aa52-911f2eb1c09b",
  "clientId" : "admin-cli"
} ]

Now we update the client configuration to enable the service account.

$ ./kcadm.sh update clients/8fff6733-2788-492e-b9cb-7c8af46777c7 -r demo -s 'redirectUris=["*"]' -s serviceAccountsEnabled=true

Here, "8fff6733-2788-492e-b9cb-7c8af46777c7" is the internal id of my "demoapp" client. A note on the wildcard redirect URI: the client credentials grant never redirects, so redirectUris=["*"] is not needed for a service account, and if the standard or implicit flow is left enabled it lets any URL receive authorization responses for this client. For a machine-only client, leave the redirect URIs empty and disable the browser flows (standardFlowEnabled=false, implicitFlowEnabled=false).

With this, we have a realm in Keycloak containing a client with its service account enabled, as we can see in the image below.

Configuration of the Client

Now let's try to get an access token for the client using the client credentials grant type. I have written basic Python code using the requests library; please see the image below.

Python code for fetching the access token

We can also do the same with a curl request. Note that the credential in the Basic Authorization header is the client id and client secret ("demoapp:00000000-0000-0000-0000-000000000000"), base64-encoded, not a username and password: a service account authenticates as the client itself.

curl --location --request POST 'http://localhost:8088/auth/realms/demo/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic ZGVtb2FwcDowMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDA=' \
--data-urlencode 'grant_type=client_credentials'

Upon sending the request, I received the access token shown below.

Response: Access token and Refresh Token

Now that our service account exists, let's assign some administrative tasks to it.
Before that, we need to create some users in our realm "demo".
Let's create users with usernames "testadmin" and "demoadmin" with the commands below.

$ ./kcadm.sh create users -r demo -s username=testadmin -s enabled=true
$ ./kcadm.sh create users -r demo -s username=demoadmin -s enabled=true

We can see the creation of users in the UI as shown in the image below.

Creation of users in the realm

The value of service accounts is that we need not use the admin user account for every task. Instead, a service account can be granted exactly the roles a given task needs and nothing more.

So, let's jump into the UI:
demo (realm) -> demoapp (client) -> Service Account Roles (tab)

Let's assign the "view-users" role to the service account.
We can find this role under "Client Roles" -> realm-management.
Click on the "view-users" role in the available roles and assign it to the service account as shown in the image below. This grants the client "demoapp" the right to read the user list of the Keycloak realm "demo". Assign only what the task needs: granting manage-users or realm-admin here would let anyone holding the client secret modify users or the whole realm.

Assigning the role “view-users” to the service account

Now let's test the functionality.
I have written basic code that fetches a token for the client "demoapp" from Keycloak and then uses that token to get the list of users in the realm.

Python code for fetching the list of users using the service account enabled client token

Upon sending the request, we get the response as shown below.

Response: List of users
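The two Python scripts above survive only as screenshots, so here is an added example (my code, not the author's) that covers both steps in one offline-runnable file: it builds the same client_credentials token request the curl call makes, decodes the returned token to check it really was issued to our client, and then calls the Admin REST API user list that the view-users role unlocks. The base URL http://localhost:8088/auth and the demo client id/secret are assumed from the curl example; the transport is injectable, and the fake Keycloak at the bottom returns constructed sample responses so the file runs without a server.

```python
"""Added example (not the page's code): client_credentials token for the
"demoapp" service account, then GET /admin/realms/demo/users with it.
Assumptions: base URL and client secret taken from the page's curl call;
the opener argument lets the same code run offline against a fake server."""
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8088/auth"  # assumption: host port used in the curl example
REALM = "demo"
CLIENT_ID = "demoapp"
CLIENT_SECRET = "00000000-0000-0000-0000-000000000000"  # demo-only value from the page


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value: base64("client_id:client_secret"), exactly as in the curl header."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_request(base_url: str, realm: str, client_id: str, secret: str) -> urllib.request.Request:
    """POST .../protocol/openid-connect/token with grant_type=client_credentials."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": basic_auth_header(client_id, secret)}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def users_request(base_url: str, realm: str, access_token: str) -> urllib.request.Request:
    """GET /admin/realms/{realm}/users; requires the realm-management view-users role."""
    url = f"{base_url}/admin/realms/{realm}/users"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; this does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def send_json(req, opener=urllib.request.urlopen):
    with opener(req) as resp:
        return json.loads(resp.read().decode())


def list_users(base_url=BASE_URL, realm=REALM, client_id=CLIENT_ID,
               secret=CLIENT_SECRET, opener=urllib.request.urlopen) -> list:
    """Full flow: token -> sanity-check its claims -> admin API call. Returns usernames."""
    token = send_json(token_request(base_url, realm, client_id, secret), opener)
    claims = jwt_claims(token["access_token"])
    # Keycloak sets azp (authorized party) to the client id and names the
    # service-account user "service-account-<clientId>"; refuse anything else.
    if claims.get("azp") != client_id:
        raise ValueError(f"token issued to {claims.get('azp')!r}, expected {client_id!r}")
    users = send_json(users_request(base_url, realm, token["access_token"]), opener)
    return [u["username"] for u in users]


# ---- constructed fake Keycloak so the example runs offline (sample data, not real output) ----
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def fake_jwt(claims: dict) -> str:
    """Unsigned, constructed token with the claim shape Keycloak emits (demo only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


class _FakeResponse:
    def __init__(self, body): self._body = json.dumps(body).encode()
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


FAKE_TOKEN = fake_jwt({"azp": CLIENT_ID, "preferred_username": f"service-account-{CLIENT_ID}",
                       "resource_access": {"realm-management": {"roles": ["view-users"]}}})


def fake_opener(req: urllib.request.Request) -> _FakeResponse:
    """Answers the two endpoints used above; rejects bad client or bearer credentials."""
    path = urllib.parse.urlparse(req.full_url).path
    auth = req.get_header("Authorization", "")
    if path.endswith("/protocol/openid-connect/token"):
        if auth != basic_auth_header(CLIENT_ID, CLIENT_SECRET):
            raise PermissionError("401 invalid_client")
        return _FakeResponse({"access_token": FAKE_TOKEN, "token_type": "bearer", "expires_in": 300})
    if path.endswith(f"/admin/realms/{REALM}/users"):
        if auth != f"Bearer {FAKE_TOKEN}":
            raise PermissionError("401 unauthorized")
        return _FakeResponse([{"id": "u1", "username": "testadmin"}, {"id": "u2", "username": "demoadmin"}])
    raise LookupError(f"unexpected request: {path}")


if __name__ == "__main__":
    print(list_users(opener=fake_opener))  # pass opener=urllib.request.urlopen for a live server
```

Against a real server, drop the opener argument (or pass urllib.request.urlopen); the request shapes are the same ones the curl call and the admin API use. The azp check is a cheap guard against wiring the wrong client into a script, but it is not token validation: the script is the party that just authenticated, so it trusts the token endpoint over TLS and does not need to verify the signature itself. Anything that accepts such a token from a caller must verify it against the realm's keys.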

Thus we have verified that a service account can fetch the list of users in the realm. In the same way, other administrative functions can be delegated to service accounts by granting them the corresponding realm-management roles.

That’s all for this post!

Thank you for reading. If you like it, then share it!
