Search code examples
keycloakjava-clientpassword-policy

Exclude a user with realm-management role from keycloak's password policy

I have a user with Client Roles realm-management in a realm which contains password policy. I want to exclude this user from the password policy since I use this user to do some operation fetch the roles get all the user via Java API and I don't want all the operation to be drop when the password needs to be updated. I tried to use the admin user from the master realms but I did not get any result

Any ideas?

Solution

  • When you create a realm in keycloak with password policy and you want to exclude the admin user from this policy do this follow these steps :

    When a user creates new realm e.g "FooRealm" keycloak adds sibling client inside the master realm with a suffix -realm, in this case, we will see FooRealm-realm

    1. Inside this client, FooRealm-realm do those changes (settings tab)

      • access type = confidential
      • Standard Flow Enables = ON
      • Direct Access Grants Enables = ON

    2. Create user inside the master realm, In user details, go to: Role Mappings >> Clients Roles and from the drop down menu select the sibling client (FooRealm-realm) and make sure it is own all the roles inside

    3. Now To fetch all the user from the Slave realm FooRealm

      Keycloak keycloak = KeycloakBuilder.builder()
         .serverUrl("http://localhost/auth")
         .realm("master")
         .grantType(OAuth2Constants.PASSWORD)
         .clientId(FooRealm-realm)
         .clientSecret("7f0080cf-xxxx-xxxxx-9115-xxxxxxxxxx")
         .username("sysadmin")
         .password("x123456")
         .build();
RealmResource realmResource = keycloak.realm("FooRealm");

realmResource.users().list(0, 1000);