Implementing User Account Creation and Management with Limited Visibility in Keycloak Version 20

Hello, I am using version 20 of Key Cloak. Several third parties should be able to create user accounts for their users in one Realm and only be able to see and edit the users they have created. Is it possible to achieve this directly without the need for connection to another system? Please guide me.

I really do not think the question or the problem is sufficiently defined to get an answer. You will need to be more specific. Try to explain exactly what you need or want to do. That part “achieve this directly without the need for connection to another system” is especially confusing.

Maybe you do not have a clear idea yourself what you need / want to do, so trying to be more explicit and giving more details will already help you at least to understand it better?

And there is no space between Key and Cloak; it is simply Keycloak.

I apologize for my incomplete explanations and spelling mistakes regarding Keycloak. Let me explain the process very simply for you.

We have a product that is sold not only by ourselves but also by our business partner. Our business partner needs to be able to create user accounts for their customers in “Keycloak” and be able to modify their user information or passwords if necessary. Ultimately, they should provide login information to each of their customers.

We have created a new “Realm” and within this “Realm,” we have created a “Client” for our product.

Now, in addition to ourselves, our business partner needs to be able to create users for this Realm and only be able to edit the users they have created. They should not have access to users created by us.

How can I accomplish this?

Ok, with this explanation things are a lot more clear. For me, at first glance the question is: do you need to have the users in the same realm, or can you model the problem with different realms? One for the company, and then a separate realm for each partner.

But if these users MUST exist in the same realm (but I would be curious to hear why), then I can think of using a user federation. It is quite straightforward if you know Java, as you can implement an SPI that will give you this capability (actually any capability, if you have the possibility to write the code). Of course there is no direct solution in this case; you actually need to create an implementation, put it in a jar, and start your Keycloak with that custom extension. As an example of what I am talking about you can glance here: https://www.appsdeveloperblog.com/keycloak-user-storage-spi-example-with-remote-service/ (not sure it solves your problem, it is just an example of what I mean by User Federation).

Of course, there might be easier ways, and I hope that if anyone more knowledgeable in Keycloak than me has better ideas, you will listen to them. But a federation gives you the option to write there any kind of code you want.

Now it is not clear if the company and the partners will work on the same users, or there are different users, or if there is only one partner or multiple, each partner with their own set of users, who might or might not overlap; things can get complicated. Of course the source of truth for users can be Keycloak, or they can come from any other external system, or via LDAP for example. Or you can use an external IDP provider integrated in Keycloak, and your users can come via the IDP. Plus, it is not clear what Full Management vs Limited Access means, which is very important.

Also, not sure why you would want to have a third party setting up the passwords on behalf of users and sending them. I hope at least they are marked temporary and the user will set up a password only known by him. Why not simply send an email link via the actions? Anyway, even though it is explained much better, it is still a very vague problem, and as far as I know Keycloak does not offer anything like this out of the box, but it has a rich set of different SPIs that you can use to implement any behaviour you wish.

Good luck with this implementation!
