code-specialist / fastapi-keycloak

Keycloak integration for Python FastAPI
https://fastapi-keycloak.code-specialist.com/
Apache License 2.0

Why admin_client_secret? #60

Open cpatrickalves opened 2 years ago

cpatrickalves commented 2 years ago

First, thanks for this great project.

I have a question:

In the docs you mention:

Modify the admin-cli client

Settings: Service Accounts Enabled
Scope: Full Scope Allowed
Service Account Roles: Select all Client Roles available for the account and realm_management

Why do I need to give admin permissions and realm management to my client API? If I want only to authenticate users (not create or delete them), why can't I just work with the client_secret?

It just looks like I am giving too much power to my API just to authenticate a user or validate a token.

JonasScholl commented 2 years ago

I guess that is only needed if you also want to manage Keycloak resources like users, roles, etc. If you just want to request tokens you don't need those permissions, but this library has lots of other management capabilities.

However, I will further check / verify this and update the documentation to make this clearer. Thanks for the question 👍 I would suggest leaving the issue open and linking it to the PR until this is done.

alexzemlyakov commented 1 year ago

+1, my workaround is:

```python
from fastapi_keycloak import FastAPIKeycloak


class MyFastAPIKeycloak(FastAPIKeycloak):
    def _get_admin_token(self) -> None:
        # Only fetch an admin token when an admin client secret was configured;
        # with an empty secret, skip it so the app runs without admin-cli rights.
        if self.admin_client_secret:
            super()._get_admin_token()
```

It will crash if I use admin actions, but I won't :)