Adding a Keycloak Client (Agent)

This guide outlines the process of creating and configuring a new client (acting as an agent) within your Keycloak realm.

Client Creation Steps

  1. Create New Client:

    • Navigate to the Clients section in your Keycloak realm.
    • Click the "Create" button to start the new client creation process.
    • Reference Image: 1.create_client.png
  2. Configure General Client Parameters: Set the following parameters for the new client. (Note: Specific values for Client ID, Root URL, Valid Redirect URIs, and Web Origins will depend on your application's requirements, as shown in the referenced images.)

    • Client ID: [Value from image 2] (e.g., your-application-name)
    • Client Protocol: openid-connect
    • Access Type: confidential (This is common for agents that hold a secret)
    • Standard Flow Enabled: OFF (typically for confidential clients acting as agents)
    • Implicit Flow Enabled: OFF
    • Direct Access Grants Enabled: OFF
    • Service Accounts Enabled: ON (Crucial for an 'agent' client)
    • Authorization Enabled: OFF (unless your agent specifically uses Keycloak's authorization services)
    • Root URL: [Value from image 2] (e.g., https://your-api.com/)
    • Reference Image: 2.set_following_parameters.png
  3. Define Allowed API URLs (Scopes): Specify the API URLs that this client is permitted to interact with. These are typically configured in the Valid Redirect URIs and/or Web Origins fields, which define the allowed callback URLs after authentication.

    • Valid Redirect URIs: List all API URLs that are allowed to be used by this client.
      • [URL 1 from image 3]
      • [URL 2 from image 3]
      • ...
    • Web Origins: * (allows any origin; commonly used for development or broad access) or a list of specific origins
    • Reference Image: 3.list_accessinble_api_urls.png
  4. Retrieve Client Secret: After saving the client configuration, navigate to the Credentials tab for the newly created client.

    • The Client secret displayed here will serve as the password for this client when it authenticates with Keycloak.

Associated FLD User Configuration

The user associated with this Keycloak client in FLD (presumably another system) should follow a specific naming convention:

  • FLD User Code Structure: service-account-${clientId}
  • Example: For a Keycloak client with Client ID aixdirekt, the corresponding FLD user should be service-account-aixdirekt.
  • Reference Image: 4.FLD_user_name_for_client.png
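
As an added example (not part of the original guide, Keycloak, or FLD), the following Python script checks an exported client JSON against the settings in step 2, marks wildcard entries in Valid Redirect URIs and Web Origins for review, and derives the FLD user code. It assumes the field names of Keycloak's ClientRepresentation JSON; the function names are hypothetical and the sample export is constructed.

```python
import json

# Added example: audit_client and fld_user_code are hypothetical helper names.
# Step 2 settings, written as Keycloak ClientRepresentation fields.
EXPECTED = {
    "protocol": "openid-connect",
    "publicClient": False,               # Access Type: confidential
    "bearerOnly": False,                 # confidential, not bearer-only
    "standardFlowEnabled": False,
    "implicitFlowEnabled": False,
    "directAccessGrantsEnabled": False,
    "serviceAccountsEnabled": True,      # required for an agent client
    "authorizationServicesEnabled": False,
}

def audit_client(client):
    """Return findings; an empty list means the export matches the guide."""
    findings = []
    for key, want in EXPECTED.items():
        got = client.get(key)            # a missing field is reported as None
        if got != want:
            findings.append(f"MISMATCH {key}: expected {want!r}, found {got!r}")
    for field in ("redirectUris", "webOrigins"):
        for value in client.get(field, []):
            if "*" in value:             # wildcard widens what the client accepts
                findings.append(f"REVIEW {field}: wildcard entry {value!r}")
    return findings

def fld_user_code(client):
    """FLD user code for the client: service-account-${clientId}."""
    return f"service-account-{client['clientId']}"

# Constructed sample export (not taken from a real realm).
SAMPLE = json.loads("""{
  "clientId": "aixdirekt", "protocol": "openid-connect",
  "publicClient": false, "bearerOnly": false,
  "standardFlowEnabled": false, "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true, "serviceAccountsEnabled": true,
  "authorizationServicesEnabled": false,
  "redirectUris": ["https://your-api.com/*"], "webOrigins": ["*"]
}""")

if __name__ == "__main__":
    print(fld_user_code(SAMPLE))
    for finding in audit_client(SAMPLE):
        print(finding)
```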