Assign groups to service accounts

Is it possible to assign groups to service accounts (the one used by confidential clients)? If yes, how?

Thank you very much,
Matteo

Any advice on this?

Thank you!

I was looking into this myself. It appears you can place a service account into a group using the API.

Call this to get the UUID-based user id for the service account user for the client:

GET /auth/admin/realms/master/clients/{client-id}/service-account-user

Call this to add the service account user to the group:

PUT /auth/admin/realms/master/users/{service-account-user-id}/groups/{group-id}

What I’m curious about is if there are any side effects of doing this. As it is not supported by the UI, I’m curious as to whether that is intentional or just a lower-priority feature.
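The two calls described in the post above, chained in Python as an added example that is not part of the original thread or of Keycloak's own code. The function names, the placeholder host and the membership check via `GET .../users/{id}/groups` are additions made here; the example assumes the client path segment takes the client's internal id rather than its clientId string, and that an admin access token was obtained separately.

```python
import json
import urllib.request

def http_send(method, url, token):
    """Default transport: one authenticated Admin REST call, parsed JSON or None."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def add_service_account_to_group(base, realm, client_uuid, group_id, token, send=http_send):
    """Add a client's service account user to a group; return its group ids afterwards.
    base: admin API root such as https://keycloak.example.test/auth/admin (placeholder).
    client_uuid: assumed to be the client's internal id, not its clientId string.
    """
    realm_url = f"{base}/realms/{realm}"
    # Call 1 from the post: resolve the user that backs the service account.
    user_id = send("GET", f"{realm_url}/clients/{client_uuid}/service-account-user", token)["id"]
    groups_url = f"{realm_url}/users/{user_id}/groups"
    # Added check: read current membership so a rerun does not write again.
    current = {g["id"] for g in send("GET", groups_url, token)}
    if group_id not in current:
        # Call 2 from the post: the PUT carries no request body.
        send("PUT", f"{groups_url}/{group_id}", token)
        current = {g["id"] for g in send("GET", groups_url, token)}
    if group_id not in current:
        raise RuntimeError(f"{user_id} is not in group {group_id} after PUT")
    return sorted(current)

def demo():
    """Offline run against a constructed in-memory stand-in for the server."""
    groups, calls = [], []
    def fake_send(method, url, token):
        calls.append(method + " " + url.split("/realms/master", 1)[1])
        if url.endswith("/service-account-user"):
            return {"id": "sa-user-1"}            # constructed user id
        if method == "PUT":
            groups.append({"id": url.rsplit("/", 1)[1]})
            return None
        return list(groups)
    args = ("https://keycloak.example.test/auth/admin", "master",
            "client-uuid-1", "group-9", "constructed-token")
    first = add_service_account_to_group(*args, send=fake_send)
    second = add_service_account_to_group(*args, send=fake_send)  # no PUT this time
    return first, second, calls

if __name__ == "__main__":
    print(demo())
```

Reading the membership back after the write gives a record of which groups the service account ends up in, which is useful when group membership drives authorization policies.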

Thank you! I’ve also managed to perform the operation via the UI… getting the ID of the service account and using it in the user-account detail page (inserting the ID in the URL). This also works :wink:

Don’t know about the side effects; maybe someone from Red Hat (@pedroigor) can help us?

Thank you again

@joshdcollins @reste85 Did you ever encounter any issues when doing this?

I am considering doing this with “team-owned” clients where teams are modeled with group membership. One benefit I’m seeing is that authorization policies that check for membership in a particular group work whether the accessing identity is from a user or a service account.

An alternative is to use an attribute mapper on the client or something similar.

Hi Steven,
I’ve encountered no issues doing this with Keycloak 6.0.1.