How does the default security-admin-console
client use the realm-management
client? That’s probably not crystal clear, so I’ll elaborate. The Keycloak Admin Console (written in Angular) uses the default security-admin-console
client. Admin permissions are determined by the realm-management
client (the realm-management client is documented here). For example, if you want an administrator to be able to view audit events, give them the view-events
role in the realm-management
client, then the admin can login to the Keycloak Admin Console, which uses the security-admin-console
client, to view events.
What I don’t understand is how the security-admin-console
“uses” the realm-management
client. I’ve looked at the configuration of both clients, and I don’t see any mappers to connect the two together. How does the security-admin-console
“know about” realm-management
roles? I assume the interaction is still governed by OIDC, so I expected some kind of mapping.
I’m not just asking for curiosity’s sake. My team has decided to create a purpose-built administration console. (The existing admin console is great, but we need some other features like drop-down menus for attributes.) The console will be a purely client-side application, just like the existing Keycloak Admin Console. So far we have no difficulty implementing this, but not knowing not the answer to the above question makes me doubt our design.
Our custom admin console, which we based off of Keycloak’s excellent js-console example, uses the security-admin-console
client to send REST requests to Keycloak. The configuration is simply this:
{
"realm": "our-realm",
"auth-server-url": "http://localhost:8081/auth/",
"ssl-required": "none",
"resource": "security-admin-console",
"public-client": true,
"confidential-port": 0
}
And I can see that the REST requests are constrained by the user’s realm-management
permissions – without the appropriate permissions, requests are Forbidden. But I don’t understand how they’ve been constrained. We’re using the security-admin-console
client, not the realm-management
client, so how is Keycloak authorizing the request?
Now, let’s say I wanted to create my own client instead of reusing security-admin-console
, but I still wanted to use realm-management
permissions. I can do so by adding the realm-management
roles to the new client’s scope. If I do this, realm-management
will appear in the aud
list of the token, roles appear in the resource_access
claim, and requests to Keycloak are authorized. That makes sense, but it’s not how it works for security-admin-console
: realm-management
isn’t in the aud
list, and the realm-management
roles don’t appear in the resource_access
claim: it just magically works.