Currently fastapi-keycloak uses the hard-coded client id admin-cli for interacting with Keycloak's admin API.
The admin-cli client is usually used for automation and, if configured as a confidential client with a service account, often has a highly privileged account associated with it.
In scenarios where the user wants to reduce the capabilities of what the fastapi-keycloak client is allowed to do it would be helpful to be able to use a dedicated client which for instance has only permission to view-users (dedicated service account with role realm-management.view-users). Therefore it would be helpful to be able to use a custom "admin-client" here.
I think it would be enough to just add an additional parameter admin_client_id to the FastAPIKeycloak init method.
admin_client_id could default to admin-cli and simply use the given admin-client for accessing the Keycloak admin API.
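An added example, not part of the original issue or the fastapi-keycloak code base: a small audit helper that checks whether the service-account token used for the admin API belongs to the dedicated client and carries only realm-management.view-users. It assumes Keycloak's default access-token layout (`azp` for the client id, roles under `resource_access`); the client id `fastapi-keycloak-viewer`, the function names and the sample tokens are constructed for illustration.

```python
import base64
import json

ALLOWED_ROLES = {"view-users"}  # realm-management roles the dedicated client may hold


def make_token(claims):
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])


def jwt_claims(token):
    """Decode the JWT payload without verifying the signature (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_admin_token(token, expected_client_id):
    """Return a list of findings; an empty list means the token is scoped as intended."""
    claims = jwt_claims(token)
    findings = []
    if claims.get("azp") != expected_client_id:
        findings.append("token issued to %r, expected %r" % (claims.get("azp"), expected_client_id))
    roles = set(claims.get("resource_access", {}).get("realm-management", {}).get("roles", []))
    if roles - ALLOWED_ROLES:
        findings.append("excess realm-management roles: %s" % sorted(roles - ALLOWED_ROLES))
    if ALLOWED_ROLES - roles:
        findings.append("missing required roles: %s" % sorted(ALLOWED_ROLES - roles))
    return findings


# Constructed sample tokens; "fastapi-keycloak-viewer" is a hypothetical client id.
NARROW = make_token({"azp": "fastapi-keycloak-viewer",
                     "resource_access": {"realm-management": {"roles": ["view-users"]}}})
BROAD = make_token({"azp": "admin-cli",
                    "resource_access": {"realm-management": {
                        "roles": ["manage-users", "manage-realm", "view-users"]}}})

if __name__ == "__main__":
    for name, tok in (("narrow", NARROW), ("broad", BROAD)):
        print(name, audit_admin_token(tok, "fastapi-keycloak-viewer"))
```

The helper only inspects claims for review purposes; it does not validate the token signature and is not a substitute for server-side verification.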