code-specialist / fastapi-keycloak

Keycloak integration for Python FastAPI
https://fastapi-keycloak.code-specialist.com/
Apache License 2.0
195 stars 51 forks source link

Why admin_client_secret? #60

Open cpatrickalves opened 2 years ago

cpatrickalves commented 2 years ago

First, thanks for this great project.

I have a question:

In docs you metion:

Modify the admin-cli client

Settings: Service Accounts Enabled Scope: Full Scope Allowed Service Account Roles: Select all Client Roles available for the account and realm_management

Why do I need to give admin permissions and realm management to my client API? If I want only to authenticate users (not create or delete), why cannot I just work with the client_secret?

It just looks like I am giving too much power to my API to just authenticate a user o validate a token.

JonasScholl commented 2 years ago

I guess that is only needed if you also want to manage Keycloak resources like users, roles, etc. If you just want to request tokens you don't need those permissions, but this library has lots of other management capabilities.

However, I will further check / verify this and update the documentation to make this clearer, thanks for the question 👍 I would suggest to leave the issue open and link it to the PR until this is done

alexzemlyakov commented 1 year ago

+1, my workaround is class MyFastAPIKeycloak(FastAPIKeycloak): def _get_admin_token(self) -> None: if not self.admin_client_secret == "": super()._get_admin_token() It will crash if I use admin actions, but I won't :)