@pedroigor
Last active June 25, 2019 12:43

Keycloak Admin CLI Cheat Sheet

This document provides some examples of how to use kcadm to manage a realm's configuration.

Configuring Token Exchange Permission for a Client

Enable permissions for a client

./kcadm.sh update clients/{client_id}/management/permissions -f - << EOF 
    {"enabled": true} 
EOF

Get the id of the realm-management client so that you can manage permissions

./kcadm.sh get clients | jq '.[] | select(.clientId == "realm-management") | .id'

Create the token-exchange permission

./kcadm.sh create clients/{realm_management_client_id}/authz/resource-server/permission/scope -f - << EOF 
    {
        "name":"token-exchange.permission.client.{client_id}",
        "type":"scope",
        "resources":["client.resource.{client_id}"],
        "scopes":["token-exchange"],"policies":[]
    }
EOF

Get the token-exchange permission id for a client

./kcadm.sh get clients/{realm_management_client_id}/authz/resource-server/permission | jq '.[] | select(.name == "token-exchange.permission.client.{client_id}") | .id'

Update the token-exchange permission

./kcadm.sh update clients/{realm_management_client_id}/authz/resource-server/permission/scope/{permission_id} -f - << EOF 
    {
        "name":"token-exchange.permission.client.{client_id}",
        "type":"scope",
        "logic":"POSITIVE",
        "decisionStrategy":"AFFIRMATIVE",
        "description":"teste",
        "resources":["client.resource.{client_id}"],
        "scopes":["token-exchange"],"policies":[]
    }
EOF

Delete the token-exchange permission

./kcadm.sh delete clients/{realm_management_client_id}/authz/resource-server/permission/scope/{permission_id}

Managing Client Policies

Create a Client Policy

./kcadm.sh create clients/{realm_management_client_id}/authz/resource-server/policy/client -f - << EOF 
    {
        "name":"My Client Policy",
        "type":"client",
        "clients":["admin"]
    }
EOF

Get the policy id

./kcadm.sh get clients/{realm_management_client_id}/authz/resource-server/policy/client | jq '.[] | select(.name == "My Client Policy") | .id'

Update the policy

./kcadm.sh update clients/{realm_management_client_id}/authz/resource-server/policy/client/{policy_id} -f - << EOF 
    {
        "name":"My Client Policy",
        "type":"client",
        "clients":["account"]
    }
EOF

Delete the policy

./kcadm.sh delete clients/{realm_management_client_id}/authz/resource-server/policy/client/{policy_id}
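The two sections above only make sense together: a token-exchange permission with "policies":[] grants nothing, so the client policy has to be attached to it. The script below is an added example, not part of the original gist; it chains the cheat-sheet steps end to end and assumes kcadm.sh is on PATH with credentials already configured, jq is installed, and the REALM/KCADM variables and policy name are hypothetical defaults.

```shell
#!/usr/bin/env bash
# Added example (not from the original gist): chain the cheat-sheet steps so the
# token-exchange permission is bound to a client policy instead of "policies":[].
# Assumes kcadm.sh is on PATH with credentials configured, jq is installed, and
# REALM names the realm (hypothetical defaults below).
set -e
KCADM="${KCADM:-kcadm.sh}"
REALM="${REALM:-master}"

json_array() {   # a b -> ["a","b"]; no args -> []
  [ $# -eq 0 ] && { printf '[]'; return; }
  local items; items=$(printf '"%s",' "$@"); printf '[%s]' "${items%,}"
}

client_policy_json() {   # $1 = policy name, $2.. = clientIds allowed by the policy
  local name="$1"; shift
  printf '{"name":"%s","type":"client","logic":"POSITIVE","clients":%s}' "$name" "$(json_array "$@")"
}

token_exchange_permission_json() {   # $1 = target client UUID, $2.. = policy ids
  local cid="$1"; shift
  printf '{"name":"token-exchange.permission.client.%s","type":"scope","logic":"POSITIVE","decisionStrategy":"AFFIRMATIVE","resources":["client.resource.%s"],"scopes":["token-exchange"],"policies":%s}' \
    "$cid" "$cid" "$(json_array "$@")"
}

find_id() {   # $1 = kcadm path, $2 = .name to match; prints the id or nothing
  "$KCADM" get "$1" -r "$REALM" | jq -r --arg n "$2" '.[] | select(.name == $n) | .id'
}

# Allow client $2 (clientId) to exchange tokens for client $1 (UUID).
grant_token_exchange() {
  local target="$1" caller="$2" rm_id authz policy_id perm_id
  printf '{"enabled": true}' | "$KCADM" update "clients/$target/management/permissions" -r "$REALM" -f -
  rm_id=$("$KCADM" get clients -r "$REALM" -q clientId=realm-management | jq -r '.[0].id')
  authz="clients/$rm_id/authz/resource-server"
  client_policy_json "token-exchange.policy.$caller" "$caller" | "$KCADM" create "$authz/policy/client" -r "$REALM" -f -
  policy_id=$(find_id "$authz/policy/client" "token-exchange.policy.$caller")
  # Enabling management permissions normally creates this permission already; create it only if missing.
  perm_id=$(find_id "$authz/permission" "token-exchange.permission.client.$target")
  if [ -z "$perm_id" ]; then
    token_exchange_permission_json "$target" | "$KCADM" create "$authz/permission/scope" -r "$REALM" -f -
    perm_id=$(find_id "$authz/permission" "token-exchange.permission.client.$target")
  fi
  token_exchange_permission_json "$target" "$policy_id" \
    | "$KCADM" update "$authz/permission/scope/$perm_id" -r "$REALM" -f -
  echo "policy=$policy_id permission=$perm_id"
}

if [ $# -eq 2 ]; then grant_token_exchange "$1" "$2"; fi
```

Run it as `REALM=myrealm ./grant-token-exchange.sh <target-client-uuid> <caller-clientId>`; afterwards only the caller client passes the policy, so token exchange for the target client is denied to every other client.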