We use keycloak in our software stack as a way of shipping our on-prem software with built-in user management. Therefore we import a realm programmatically on first launch via --import-realm and set up an initial admin user and all the necessary clients and permissions, etc. The integration is working great.
However, there is a single user left in the master realm which is dangling around with “super admin” permissions and no actual real user identity. This user serves no purpose, as we already assign users in our imported realm with realm-management permissions. Therefore, how can the following be achieved:
- No additional user / identity outside of the initially imported realm
- Initial “factory” state of keycloak is ready to go, so no manual steps via UI after first launch to e.g. disable master realm or delete user, all programmatically on first launch
- Admin and Account UI still fully usable
There are three potential ways of achieving this:
1) Delete default user in master realm during initial launch
How could this be done? Via API, but what does the initial auth look like? Directly in the database, but is this safe?
2) Disable master realm entirely
Same question as in 1) about doing this on first launch of keycloak via API or database or other means. Also it is unclear from the docs how this will affect keycloak in general e.g. with regards to the admin and account UI.
3) Delete master realm
Apart from the question of how this could be done programmatically, it probably also completely disables the shipped admin and account UI.
Is there an easier way to achieve this? Has anyone tried this before and found a good solution? Any help or input would be very much appreciated!
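One concrete shape of option 1), as an added example that is not part of the original post and not Keycloak project code: a first-launch script that authenticates against the master realm with the bootstrap admin credentials (password grant through the built-in `admin-cli` client), looks the bootstrap user up by exact username, and deletes it over the Admin REST API. The HTTP transport is injectable so the request sequence can be exercised without a server. It assumes the bootstrap admin is allowed to delete its own account and that the base URL, the `KEYCLOAK_ADMIN` / `KEYCLOAK_ADMIN_PASSWORD` environment variable names and the fake user id are deployment-specific placeholders. Run it only after confirming that an account in the imported realm, carrying the `realm-management` roles, can already sign in to that realm's dedicated console under `/admin/<realm>/console`; once the master user is gone there is no other way into the master realm.

```python
"""First-launch cleanup: remove the bootstrap admin from Keycloak's master realm.

Added example (not code from the post or from Keycloak). It uses only the
documented Admin REST API endpoints; every URL and credential below is an
assumption about the deployment.
"""
import json
import os
import urllib.parse
import urllib.request

# Hypothetical base URL of the Keycloak instance (assumption).
DEFAULT_BASE_URL = "http://localhost:8080"


def token_request(base_url, username, password):
    """Build the password-grant request against the master realm's admin-cli client."""
    url = f"{base_url}/realms/master/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "client_id": "admin-cli",
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", url, headers, body


def urllib_http(method, url, headers, body=None):
    """Default transport: perform the request, return (status, parsed JSON or None)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def delete_master_admin(base_url, username, password, http=urllib_http):
    """Authenticate as the bootstrap admin, locate it in master, delete it.

    Returns the deleted user's id. Refuses to act unless exactly one user
    matches the username exactly, so a fuzzy search result can never
    delete a different account.
    """
    status, tok = http(*token_request(base_url, username, password))
    if status != 200 or not tok or "access_token" not in tok:
        raise RuntimeError(f"token request failed with status {status}")
    auth = {"Authorization": f"Bearer {tok['access_token']}"}

    # Search the master realm; 'exact=true' asks Keycloak for an exact match,
    # and the client-side filter below enforces it regardless of server version.
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    status, users = http("GET", f"{base_url}/admin/realms/master/users?{query}", auth)
    if status != 200:
        raise RuntimeError(f"user lookup failed with status {status}")
    matches = [u for u in (users or []) if u.get("username") == username]
    if len(matches) != 1:
        raise RuntimeError(f"expected exactly one user named {username!r}, got {len(matches)}")
    user_id = matches[0]["id"]

    status, _ = http("DELETE", f"{base_url}/admin/realms/master/users/{user_id}", auth)
    if status not in (200, 204):
        raise RuntimeError(f"delete failed with status {status}")
    return user_id


if __name__ == "__main__":
    # Variable names are an assumption about how the bootstrap credentials are passed.
    deleted = delete_master_admin(
        os.environ.get("KC_BASE_URL", DEFAULT_BASE_URL),
        os.environ["KEYCLOAK_ADMIN"],
        os.environ["KEYCLOAK_ADMIN_PASSWORD"],
    )
    print(f"removed master realm bootstrap user {deleted}")
```

The transport argument is what makes the script testable and also what a deployment hook would swap for a client with proper TLS settings; the exact-match guard matters because the users endpoint is a search endpoint, and deleting by whatever comes back first is how an automation step removes the wrong identity.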