KeyCloak - Create Realms/Users/Groups Programmatically?

Question

We've decided to move to KeyCloak for our identity and access management solution, rather than implement it entirely within our Java EE web app. We're creating a multi-tenant solution, and would prefer to create security realms/users/groups programmatically through our workflow, rather than leveraging KeyCloak's self-registration functionality or web UI so that we can do things like grab credit card details for payment, etc. I know that we could likely leverage the admin REST APIs to accomplish this, but I wasn't sure if there was a simpler way to do it besides hand-coding REST calls. Does KeyCloak provide an admin client library that we could use? Or are we stuck implementing a REST client for the admin APIs ourselves?

Answer 1

I found some info around the KeyCloak Java Admin Client. This gist has lots of useful examples showing how to managed users, realms, etc.

Answer 2

Keycloak kc = KeycloakBuilder.builder() 
            .serverUrl("https://localhost:8443/auth")
            .realm("master")
            .username("admin") 
            .password("admin") 
            .clientId("Mycli") 
            .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()) 
            .build();

    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("test123");

    UserRepresentation user = new UserRepresentation();
    user.setUsername("testuser2");
    user.setFirstName("Test2");
    user.setLastName("User2");
    user.setEmail("aaa@bbb.com");
    user.setCredentials(Arrays.asList(credential));
    user.setEnabled(true);
    user.setRealmRoles(Arrays.asList("admin"));

    // Create testuser
    Response result = kc.realm("my-realem").users().create(user);
    if (result.getStatus() != 201) {
        System.err.println("Couldn't create user.");
        System.exit(0);
    }else{
        System.out.println("Testuser created.... verify in keycloak!");
    }

Answer 3

You can do this with Keycloak Java admin REST api client :

1. Add dependency to your project :

   • Maven

   <dependency>
       <groupId>org.keycloak</groupId>
       <artifactId>keycloak-admin-client</artifactId>
       <version>15.0.2</version>
   </dependency> 
   

   • Gradle

   implementation 'org.keycloak:keycloak-admin-client:15.0.2'
   

2. Create instance of Keycloak using KeycloakBuilder using Password authentication for your admin user and default admin-cli client:

Keycloak keycloak = KeycloakBuilder.builder()
            .serverUrl("http://localhost:8081/auth")
            .realm("master")
            .clientId("admin-cli")
            .username("admin")
            .password("admin")
            .build();

3. To create new realm use RealmRepresentation:

RealmRepresentation rr = new RealmRepresentation();
rr.setId("test-realm");
rr.setRealm("test-realm");
rr.setEnabled(true);

keycloak.realms().create(rr);

4. To create new user use UserRepresentation:

CredentialRepresentation credential = new CredentialRepresentation();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue("1234");

UserRepresentation user = new UserRepresentation();
user.setUsername("test");
user.setFirstName("test");
user.setLastName("test");
user.setEmail("test@gmail.com");
user.setCredentials(Arrays.asList(credential));
user.setEnabled(true);
user.setRealmRoles(Arrays.asList("admin"));

keycloak.realm("test-realm").users().create(user);

5. To create a new Group use GroupRepresentation:

GroupRepresentation groupRepresentation = new GroupRepresentation()
groupRepresentation.setName("group");

Response response = keycloak.realm("test-realm").groups().add(groupRepresentation);

Note that when creating new top level group you should not pass group id - you can retrieve it after the group is created.

Answer 4

The Keycloak Java adapters are focused in usage rather than configuration. You'll need to implement yourself making the necessary calls with the required parameters. There's one tool for that kind of thins, the admin-cli, but I think it won't be useful for your case.