Keycloak automatically creates realm client in master realm
I've read many tutorials on setting up a realm in Keycloak but it's nowhere mentioned that Keycloak is creating a client called <your-realm-name>-realm in master realm with set of roles:
Why is it needed?
Is the custom realm a form of a client for a Keycloak itself so it needs to create a kind of "virtual" client to handle that relation?
This automatically created client has a set of roles which look to me like a Keycloak internal roles:
Where can I find them in a documentation?
Is the custom realm a form of a client for a Keycloak itself so it needs to create a kind of "virtual" client to handle that relation?
Kind of; from the Keycloak Documentation itself:
The master realm is a special realm that allows admins to manage more than one realm on the system. You can also define fine-grained access to users in different realms to manage the server.
The master realm in Keycloak is a special realm and treated differently than other realms. Users in the Keycloak master realm can be granted permission to manage zero or more realms that are deployed on the Keycloak server. When a realm is created, Keycloak automatically creates various roles that grant fine-grain permissions to access that new realm.
Admin users within the master realm can be granted management privileges to one or more other realms in the system. Each realm in Keycloak is represented by a client in the master realm. The name of the client is [realm name]-realm. These clients each have client-level roles defined which define varying level of access to manage an individual realm.
It is just an implementation detail; Notwithstanding, it makes it easier to conceptually think of the master realm as the top of the pyramid followed by its clients, in which are included the other realms as well. Furthermore, it also allows you to managed the realms from the point of view of the master realm, for instance:
Adding permissions in the form of roles to the other realms. Other approaches would likely be good as well, but the Keycloak developers opted for this one.
- Keycloak lost admin password
- Second login with remote IdP through Keycloak fails, "Invalid username or password"
- Spring boot application won't start after adding keycloak integration
- React app navigation after authentication via keycloak
- Use variable in Keycloak email subject
- Keycloak Account API returns Unauthorized 401 with token from user logged in via my spring client
- Best Practices for Associating userId (from JWT) with Google OAuth Tokens
- How to keep the realms, users and roles in Keycloak to be persisted when using docker and docker compose to run it
- How to load initial realm in keycloak server with docker?
- Keycloak not accepting a/any custom LoginFormsProviders
- keycloak token introspection always fails with {"active":false}
- Enable "Extend to children" doesn't work - Keycloak UI
- Role-based authentication not working with Keycloak and Java Spring
- Keycloak error on console " violating Content Security Policy directive: "frame-ancestors 'self'"
- Keycloak authorization_code invalid format
- nest-keycloak-connect realmUrl missing first part of the url
- Keycloak set password policy via Rest API
- superset keycloak integration on https
- Keycloak: getting back from user profile page
- Keycloak + SPA as client (Vue) + Spring Cloud Gateway as resource server + Spring Boot Microservices
- Use Keycloak Spring Adapter with Spring Boot 3
- KeyCloak - How to add Role's attribute into a user JWT (Access Token)?
- Keycloak - Client Roles - Retrieve custom attributes
- Configure Keycloak OTP via Administration REST API
- Blazor Hosted WebAssembly with Keycloak and Basic Authentication Issue
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- Keycloak: Not able to load admin GUI/console
- Keycloak retrieve custom attributes to KeycloakPrincipal
- Keycloak SSL setup using docker image
- How to change keycloak jvm arguments via CLI in standalone configuration