Integrating service accounts with Keycloak for backend services
To integrate service accounts with Keycloak for backend services using Pulumi, you would typically need to perform the following steps:

- Create a Realm: A realm in Keycloak represents a space where managed users, credentials, roles, and groups are isolated from other realms.
- Create a Client: Clients in Keycloak are entities that can request authentication of a user. For service accounts, you generally use 'bearer-only' access type clients, which means they can't interactively participate in the authentication process.
- Enable Service Accounts for the Client: This is an important aspect of setting up a client for backend services where you need automated access without human interaction.
- Define Roles and Scopes: Define the roles and assign the required scopes that your service account client will use to interact with Keycloak-protected resources.
- Obtain Token: After setting up, you would authenticate against Keycloak to receive a token that provides access to backend services.
Here's a basic Pulumi program in TypeScript that demonstrates how to set up a Keycloak realm and client with a service account for backend services. This example assumes you have the Keycloak provider set up and configured in your Pulumi program:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

// Create a new Keycloak Realm
const realm = new keycloak.Realm("my-realm", {
    realm: "myrealm",
    enabled: true,
});

// Create a Keycloak Client for backend services
const serviceClient = new keycloak.openid.Client("service-client", {
    realmId: realm.id,
    clientId: "backend-service",
    name: "Backend Service Client",
    description: "Client for backend services",
    enabled: true,
    clientAuthenticatorType: "client-secret",
    serviceAccountsEnabled: true,
    standardFlowEnabled: false,       // Disable standard flow for service accounts
    directAccessGrantsEnabled: false, // Disable direct access for security reasons
    accessType: "CONFIDENTIAL",       // Access type confidential for service accounts
});

// Output the client ID (the "backend-service" value, not the Pulumi resource ID),
// which is what a token request presents together with the client secret
export const clientId = serviceClient.clientId;

// Output the generated client secret, marked secret so Pulumi encrypts it in state
export const clientSecret = pulumi.secret(serviceClient.clientSecret);

// Output the service account user id associated with the client
export const serviceAccountId = serviceClient.serviceAccountUserId;
```
Explanation:

- `keycloak.Realm`: This resource creates a new realm in Keycloak with the specified name and enables it.
- `keycloak.openid.Client`: This resource registers a new client within the realm. We set `serviceAccountsEnabled` to `true` to allow for service accounts. We also set `standardFlowEnabled` and `directAccessGrantsEnabled` to `false`, which is common for backend services that don't require user interaction.
- `export const clientId`: This line allows you to retrieve the client ID after the Pulumi program is executed, which you can use to interact with Keycloak's APIs.
- `export const serviceAccountId`: Similar to the client ID, this will output the service account user ID for programmatic access.
Remember to replace dummy values like `"my-realm"` and `"backend-service"` with actual values suitable for your use case. After executing this Pulumi program, your service accounts will be set up in Keycloak, and you can use the client credentials to authenticate against Keycloak and obtain tokens for accessing protected backend services.