Keycloak Client Setup for User Creation

This guide provides step-by-step instructions for configuring a Keycloak client to enable programmatic user creation via API.

Overview

Keycloak is an open-source identity and access management system. To enable an external application or integration to create users in a Keycloak realm, a client must be configured with the appropriate permissions, scopes, and roles.

1. Add a Keycloak Identity Provider

  • Add and Configure Identity Provider:
    • Click “Add provider” and select the required provider type.
    • Enter the Name and other related settings.
    • Save the configuration.

2. Create a Client Scope

  • Navigate to Client Scopes:

    • In the admin console, go to Client Scopes.

  • Create a Scope:

    1. Click “Create client scope.”

    2. Name it: Create_users.

    3. Optionally add a description.

  • Assign Roles:

    • In the Create_users scope, add the role: realm-management: manage-users

  • Save the client scope.

3. Assign Scope to Client

  1. Select Your Client:

    • Go to the Clients section and select the client to use.

    • Open the client's settings and review its capability options; the client_credentials grant used in the test below requires client authentication and service accounts to be enabled on the client.

  2. Attach Client Scope:

    • Navigate to the Client Scopes tab.

    • Assign Create_users to the client.

  3. Add Service Account Roles:

    • In Service Account Roles for this client, add:

      • realm-management: manage-users

      • account: manage-account

4. Test the Setup Using Postman

Step 1: Obtain Access Token

POST to: https://auth.xxx.xx/realms/xxx-testbox/protocol/openid-connect/token

Body (x-www-form-urlencoded):

  • client_id: (your client ID)
  • client_secret: (your client secret)
  • grant_type: client_credentials

The response will include an access_token.

Step 2: Create a User

POST to: https://auth.xxx.xx/admin/realms/xxx-testbox/users

Headers:

  • Authorization: Bearer <access_token>
  • Content-Type: application/json

Body:

{
  "username": "john2223",
  "email": "hiva@mailinator.com",
  "enabled": true,
  "firstName": "Es 3",
  "lastName": "Doe2 34",
  "credentials": [
    {
      "type": "password",
      "value": "password"
    }
  ]
}

Step 3: Verify User Creation

  • Open the Keycloak admin console and go to Users.
  • Confirm the user appears in the list.
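The same token-then-create flow as Steps 1 and 2, scripted rather than run from Postman. This is an added example written for this guide, not Keycloak's own client library or code from the original page. The base URL, realm, client id, client secret and user values are placeholders taken from or modelled on the guide; the transport is injectable, and fake_keycloak is a constructed stand-in that returns the status codes the real admin API uses (201 with a Location header on success, 409 on a duplicate username, 401/403 when the token lacks manage-users), so the flow can be exercised offline before pointing it at a real realm. The "temporary" flag on the credential is a real Keycloak field the guide's body omits; setting it forces a password change at first login.

```python
"""Hypothetical helper for the Keycloak client_credentials + user-creation flow.
Not Keycloak's own client; URLs and client values are placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders from the guide; replace with your environment's values.
BASE_URL = "https://auth.xxx.xx"
REALM = "xxx-testbox"


def http_post(url, body, headers):
    """Real transport: POST raw bytes, return (status, headers, body)."""
    req = urllib.request.Request(url, data=body, headers=dict(headers), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a useful body
        return err.code, dict(err.headers), err.read()


def get_access_token(client_id, client_secret, post=http_post):
    """Step 1: client_credentials grant against the realm's token endpoint."""
    url = f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    status, _, payload = post(url, form, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {payload.decode(errors='replace')}")
    return json.loads(payload)["access_token"]


def user_payload(username, email, first_name, last_name, password, temporary=True):
    """Step 2 body. temporary=True makes Keycloak require a password change at first login."""
    return {
        "username": username,
        "email": email,
        "enabled": True,
        "firstName": first_name,
        "lastName": last_name,
        "credentials": [{"type": "password", "value": password, "temporary": temporary}],
    }


def create_user(token, user, post=http_post):
    """Step 2: POST to the admin API; returns the new user's id parsed from the Location header."""
    url = f"{BASE_URL}/admin/realms/{REALM}/users"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, resp_headers, payload = post(url, json.dumps(user).encode(), headers)
    if status == 201:
        return resp_headers.get("Location", "").rstrip("/").rsplit("/", 1)[-1]
    if status == 409:
        raise ValueError(f"user already exists: {payload.decode(errors='replace')}")
    if status in (401, 403):
        raise PermissionError("token lacks manage-users; check the client scope and service account roles")
    raise RuntimeError(f"user creation failed: {status} {payload.decode(errors='replace')}")


def fake_keycloak(url, body, headers):
    """Constructed stand-in transport (not a real server) so the flow runs offline."""
    if url.endswith("/protocol/openid-connect/token"):
        form = urllib.parse.parse_qs(body.decode())
        if form.get("grant_type") != ["client_credentials"] or form.get("client_secret") != ["s3cr3t"]:
            return 401, {}, b'{"error":"invalid_client"}'
        return 200, {}, b'{"access_token":"tok-123","token_type":"Bearer"}'
    if url.endswith(f"/admin/realms/{REALM}/users"):
        if headers.get("Authorization") != "Bearer tok-123":
            return 401, {}, b'{"error":"HTTP 401 Unauthorized"}'
        user = json.loads(body)
        if user["username"] == "john2223":  # constructed: pretend this name is already taken
            return 409, {}, b'{"errorMessage":"User exists with same username"}'
        return 201, {"Location": url + "/3f1c-constructed-id"}, b""
    return 404, {}, b""


if __name__ == "__main__":
    tok = get_access_token("my-client", "s3cr3t", post=fake_keycloak)
    new_user = user_payload("jane", "jane@example.com", "Jane", "Doe", "change-me-now")
    print("created user id:", create_user(tok, new_user, post=fake_keycloak))
```

To run against a real realm, drop the post=fake_keycloak arguments so the default urllib transport is used, and supply the real client id and secret from the environment rather than hard-coding them. Distinguishing 401/403 from 409 in create_user maps directly onto the troubleshooting note below: the former points at missing scope or service account roles, the latter at a username or email collision.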

Notes

  • Replace all placeholder values (such as client IDs, secrets, and user information) with actual data for each environment.
  • Assigning roles incorrectly or omitting scopes can cause authorization errors.
  • If issues occur, verify client scopes and service account roles.