How to delete/disable master realm programmatically after --import-realm

We use keycloak in our software stack as a way of shipping our on-prem software with built-in user management. Therefore we import a realm programmatically on first launch via --import-realm and set up an initial admin user and all the necessary clients and permissions, etc. The integration is working great.

However, there is a single user left in the master realm which is dangling around with “super admin” permissions and no actual real user identity. This user serves no purpose, as we already assign users in our imported realm with realm-management permissions. Therefore, how can the following be achieved:

  • No additional user / identity outside of the initially imported realm
  • Initial “factory” state of keycloak is ready to go, so no manual steps via UI after first launch to e.g. disable master realm or delete user, all programmatically on first launch
  • Admin and Account UI still fully usable

There are three potential ways of achieving this:

1) Delete default user in master realm during initial launch
How could this be done? Via API, but what does the initial auth look like? Directly in the database, but is this safe?

2) Disable master realm entirely
Same question as in 1) about doing this on first launch of keycloak via API, database or other means. Also, it is unclear from the docs how this will affect keycloak in general, e.g. with regard to the admin and account UI.

3) Delete master realm
Apart from the question on how this could be done programmatically, it probably also completely disables the shipped admin and account UI.

Is there an easier way to achieve this? Has anyone tried this before and found a good solution? Any help or input would be very much appreciated!
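As an added example (not code from the thread or from the Keycloak project), the following script shows what the "initial auth via API" asked about in 1) looks like on a Quarkus-based distribution: an OAuth2 password grant against the master realm's token endpoint using the built-in public `admin-cli` client, followed by a call to the Admin REST API. In line with the advice in the thread it deletes and disables nothing; it only audits the master realm and reports enabled users that carry no real identity (no e-mail, no first or last name), so the dangling bootstrap account is at least visible on first launch and can be rotated and monitored. The base URL, the environment variable names and the sample user records are assumptions or constructed data, not values from the page.

```python
"""First-launch audit of the Keycloak master realm over the Admin REST API.

Added example, not from the original thread. Assumes a Quarkus-based Keycloak
(no /auth prefix in the URL, as with --import-realm). Credentials and URL are
read from the environment; the names below are placeholders.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Dict, List

# Placeholder defaults (assumption); real values come from the environment.
KEYCLOAK_URL = os.environ.get("KEYCLOAK_URL", "http://localhost:8080")
ADMIN_USER = os.environ.get("KEYCLOAK_ADMIN", "admin")
ADMIN_PASSWORD = os.environ.get("KEYCLOAK_ADMIN_PASSWORD", "")


def token_request(base_url: str, username: str, password: str) -> urllib.request.Request:
    """Build the initial auth request: a password grant against the master realm.

    `admin-cli` is the public client Keycloak ships for exactly this purpose, so
    no client secret is involved; the bootstrap admin's credentials are the secret.
    """
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/realms/master/protocol/openid-connect/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def get_access_token(base_url: str, username: str, password: str) -> str:
    """Exchange the bootstrap admin's credentials for a short-lived bearer token."""
    with urllib.request.urlopen(token_request(base_url, username, password)) as resp:
        return json.load(resp)["access_token"]


def list_master_users(base_url: str, token: str) -> List[Dict]:
    """GET /admin/realms/master/users with the bearer token from the master realm."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/realms/master/users?max=1000",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def find_identityless_users(users: List[Dict]) -> List[str]:
    """Return usernames of enabled accounts with no e-mail and no name.

    This is the "no actual real user identity" pattern from the question; the
    result is reported, never acted on automatically.
    """
    return sorted(
        u["username"] for u in users
        if u.get("enabled", True)
        and not u.get("email") and not u.get("firstName") and not u.get("lastName")
    )


# Constructed sample data so the audit logic can run without a server.
SAMPLE_MASTER_USERS = [
    {"username": "admin", "enabled": True},
    {"username": "ops", "enabled": True, "email": "ops@example.invalid",
     "firstName": "Olive", "lastName": "Park"},
    {"username": "old-bootstrap", "enabled": False},
]


def main() -> None:
    if ADMIN_PASSWORD:
        token = get_access_token(KEYCLOAK_URL, ADMIN_USER, ADMIN_PASSWORD)
        users = list_master_users(KEYCLOAK_URL, token)
    else:
        users = SAMPLE_MASTER_USERS  # offline run on constructed data
    for name in find_identityless_users(users):
        print(f"master realm: enabled user without identity: {name}")


if __name__ == "__main__":
    main()
```

Run it with `KEYCLOAK_ADMIN_PASSWORD` set to audit a live instance, or without it to exercise the logic on the constructed sample. The same token is what any further admin call on first launch (creating users in the imported realm, rotating the bootstrap admin's password) would carry, which is why that credential should be generated per installation and stored by the installer rather than left at a shipped default.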

Don’t disable or delete the master realm, otherwise you won’t be able to manage Keycloak anymore at a certain point during lifetime!

Hi @dasniko, thanks for the quick response, your input is much appreciated.

> Don’t disable or delete the master realm, otherwise you won’t be able to manage Keycloak anymore at a certain point during lifetime!

Okay agreed. My main concern here however is that we are shipping keycloak as an integrated component rather than a managed service. Most of our users won’t know that they used keycloak to sign in, and only a handful will use the admin ui, mainly to create or delete users in our imported realm. Even those will be “end-users” of the software and by no means keycloak experts.

The remaining user in the master realm (and the realm itself for that matter) therefore feels very redundant currently and has the potential to become the classic admin/admin default login that nobody is aware of (different realm, different URL) or rotates passwords for and therefore may pose an actual security risk.

I realize that we are using keycloak here in a very specific manner which deviates from the classic publicly hosted (and managed by admins) identity provider setup. We use it to secure a single application, hosted on the same server. Integration has been great so far though and I’m wondering if there is a way to tackle this last remaining concern.