Published in Keycloak

Dynamic Client Registration in Keycloak

In this post, you will learn about the dynamic client registration (clients-registrations) API in Keycloak. Creating clients in an automated way is a common use case. Dynamic registration in Keycloak can be done in two ways:

  • Using the Admin API

  • Using the Client Registration API

The Admin API allows you to register clients, but it requires escalated admin privileges, which can be a security concern: the registering application would hold admin rights. The Client Registration API avoids giving the application admin privileges, and client registration policies control what the registering application is allowed to do.

Client Registration API

The Client Registration Service endpoint is

keycloak_server_host:port/auth/realms/<realm>/clients-registrations/<provider>

Providers: default, install, openid-connect, saml2-entity-descriptor

This post focuses on the default provider.

With a Keycloak instance running a realm named demo, the Client Registration endpoint looks like this:

http://127.0.0.1:8180/auth/realms/demo/clients-registrations/default

Sample Golang Application

Code Repository: https://github.com/akoserwal/keycloak-integrations/tree/master/kc-dynamic-client

Objective: The application showcases the creation of a dynamic client in Keycloak. It stores the client id and registration token in a local PostgreSQL database; the stored registration token is required for any further operations on the client.

Keycloak

make keycloak/setup

Go to the Realm settings and create an “Initial Access Token”, with settings such as:

  • Expiration: 30 days

Configure the token in the application

Once you have copied the Initial Access Token into the application, let's configure the local database.

PostgreSQL DB

make db/setup

Create a table in the PostgreSQL DB with any PostgreSQL client:

CREATE TABLE public.clients (
client_id varchar(100) NULL,
registration_token text NULL
);

RegisterDynamicClient

Create a public client in the `demo` realm and store the client_id and registration access token in the database.

It creates a public client with the following configuration (a Go map that is sent as the JSON client representation); you can adjust the options to your needs:

clientConfig := map[string]interface{}{
	"name":                   "test-client",
	"redirectUris":           []string{"https://127.0.0.1"},
	"consentRequired":        false,
	"standardFlowEnabled":    true,  // authorization code flow only
	"implicitFlowEnabled":    false,
	"serviceAccountsEnabled": false, // no client credentials grant
	"publicClient":           true,  // no client secret
	"frontchannelLogout":     false,
	"fullScopeAllowed":       false, // only explicitly assigned scopes/roles
}

Once the client is created, the response body contains a ‘registration access token’. This registration access token is required for the client update/delete operations, so the application must store the client_id and registration access token in the database.

Let’s Run the Application

Client created in Keycloak

Let's take a look at the clients table (a couple of other clients had already been created).

Now check the Initial Access Token config page under realm settings. The remaining count shows 2, with 8 clients created in Keycloak.

What happens if I try to create 2 or more clients?

Now the remaining count is 0. If I try to create another client, the API responds with an error:

{"error":"invalid_token","error_description":"No remaining count on initial access token"}

This way, the client application is limited to the number of clients specified when the initial access token was created.

Deletion

Let’s try to delete one of the clients. For deletion, we first need to retrieve the stored registration access token from the clients table and then call the client-registration delete endpoint with it.


Search for the client in Keycloak to confirm that it has been deleted.
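The registration and deletion calls described above, as an added Go example that is not code from the linked repository: it assumes the `demo` realm and the local Keycloak URL shown earlier, and that the caller supplies the Initial Access Token (for registration) and the stored registration access token (for deletion). The `RegisteredClient`, `call`, `RegisterClient` and `DeleteClient` names are this example's own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// RegisteredClient holds what must be persisted from the 201 response; update/delete calls need both fields.
type RegisteredClient struct {
	ClientID                string `json:"clientId"`
	RegistrationAccessToken string `json:"registrationAccessToken"`
}
// call sends one bearer-authenticated request to the clients-registrations service and decodes
// the reply into out; any status other than want is an error carrying Keycloak's JSON error body.
func call(method, url, token string, body []byte, out interface{}, want int) error {
	req, err := http.NewRequest(method, url, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	data, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != want {
		return fmt.Errorf("%s %s: %s: %s", method, url, resp.Status, data)
	}
	if out != nil {
		return json.Unmarshal(data, out)
	}
	return nil
}
// RegisterClient POSTs the client representation with the Initial Access Token (expects 201 Created).
func RegisterClient(base, realm, iat string, rep map[string]interface{}) (rc RegisteredClient, err error) {
	body, err := json.Marshal(rep)
	if err != nil {
		return rc, err
	}
	return rc, call(http.MethodPost, base+"/auth/realms/"+realm+"/clients-registrations/default", iat, body, &rc, http.StatusCreated)
}
// DeleteClient DELETEs the client with its stored registration access token (expects 204 No Content).
func DeleteClient(base, realm, clientID, rat string) error {
	return call(http.MethodDelete, base+"/auth/realms/"+realm+"/clients-registrations/default/"+clientID, rat, nil, nil, http.StatusNoContent)
}
```

On an exhausted Initial Access Token the returned error contains the `{"error":"invalid_token",...}` body shown earlier, so the caller can distinguish that case from a network failure.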

Client Registration Policies

By default, the anonymous access policies apply to every unauthenticated request; when an Initial Access Token is used, the authenticated access policies apply instead.

Trusted Hosts policy

I created a trusted hosts policy with the allowed host `http://example.com` (it accepts a list of hosts/IP addresses).

Now try to create a client:

{
"error": "insufficient_scope",
"error_description": "Policy 'tr' rejected request to client-registration service. Details: Host not trusted."
}

This shows that client registration policies provide an efficient way to restrict client operations. With the Admin API, this level of granular restriction cannot be configured.

Conclusion

We looked into setting up the initial access token and a sample Golang application that creates a dynamic client and stores the registration token, and we added a policy for trusted host restrictions. The dynamic client registration API and its policies provide a powerful way to support client management automation while restricting the privileges granted to the client application. Thank you for reading this post.

If you like this post, give it a Cheer!!!

Follow the Collection: Keycloak for learning more…

Happy Secure Coding ❤
