Keycloak automatically creates realm client in master realm

I have read many tutorials about setting up realms in Keycloak, but none of them mentions that Keycloak creates a client named <your-realm-name>-realm in the master realm, with a set of roles:

Why is it needed?

Is the custom realm a form of a client for Keycloak itself, so it needs to create a kind of "virtual" client to handle that relation?

This automatically created client has a set of roles that look to me like Keycloak-internal roles:

Where in the documentation can I find them?

Is the custom realm a form of a client for a Keycloak itself so it needs to create a kind of "virtual" client to handle that relation?

Sort of; from the Keycloak documentation itself:

The master realm is a special realm that allows admins to manage more than one realm on the system. You can also define fine-grained access to users in different realms to manage the server.

The master realm in Keycloak is a special realm and treated differently than other realms. Users in the Keycloak master realm can be granted permission to manage zero or more realms that are deployed on the Keycloak server. When a realm is created, Keycloak automatically creates various roles that grant fine-grain permissions to access that new realm.

Admin users within the master realm can be granted management privileges to one or more other realms in the system. Each realm in Keycloak is represented by a client in the master realm. The name of the client is [realm name]-realm. These clients each have client-level roles defined which define varying level of access to manage an individual realm.

That is just an implementation detail; nonetheless, conceptually it is easier to think of the master realm as the top of a pyramid, followed by its clients, which include the other realms as clients too. Also, it allows you to manage the realms from the master realm's point of view, e.g. adding permissions to other realms in the form of roles. Other approaches might have been fine as well, but the Keycloak developers chose this one.
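As an added example (not part of the original answer or of Keycloak's own code), a small Python audit of a master-realm user's role mappings, using the shape of Keycloak's admin REST response for `GET /admin/realms/master/users/{id}/role-mappings`: it maps each `<realm>-realm` client back to the realm it represents and reports which management rights the user holds there. The JSON is constructed sample data; the realm names `shop` and `intranet` and all ids are hypothetical.

```python
import json

# Constructed sample in the shape of Keycloak's MappingsRepresentation
# (realmMappings + clientMappings) for a hypothetical master-realm user.
SAMPLE_MAPPINGS = json.loads("""
{
  "realmMappings": [{"id": "r1", "name": "default-roles-master"}],
  "clientMappings": {
    "shop-realm": {"id": "c1", "client": "shop-realm",
      "mappings": [{"id": "x1", "name": "manage-users"},
                   {"id": "x2", "name": "view-realm"}]},
    "intranet-realm": {"id": "c2", "client": "intranet-realm",
      "mappings": [{"id": "x3", "name": "manage-realm"}]},
    "account": {"id": "c3", "client": "account",
      "mappings": [{"id": "x4", "name": "manage-account"}]}
  }
}
""")

# Client-level roles on a <realm>-realm client that change state in the
# managed realm; the view-*/query-* roles are read-only.
MUTATING_PREFIXES = ("manage-", "create-", "impersonation")


def realm_permissions(mappings: dict) -> dict:
    """Return {realm_name: sorted role names} for every '<realm>-realm'
    client the user holds direct roles on. Other clients (e.g. 'account')
    are not realm proxies and are skipped. Note: only direct mappings are
    covered; the master realm's composite 'admin' realm role implies all of
    these and needs the effective (composite) role-mapping view instead."""
    result = {}
    for client_id, entry in mappings.get("clientMappings", {}).items():
        if not client_id.endswith("-realm"):
            continue
        realm = client_id[: -len("-realm")]
        result[realm] = sorted(r["name"] for r in entry.get("mappings", []))
    return result


def mutating_grants(mappings: dict) -> dict:
    """Subset of realm_permissions() keeping only roles that can mutate a realm."""
    return {
        realm: [r for r in roles if r.startswith(MUTATING_PREFIXES)]
        for realm, roles in realm_permissions(mappings).items()
        if any(r.startswith(MUTATING_PREFIXES) for r in roles)
    }


if __name__ == "__main__":
    for realm, roles in realm_permissions(SAMPLE_MAPPINGS).items():
        print(f"{realm}: {', '.join(roles)}")
    print("mutating:", mutating_grants(SAMPLE_MAPPINGS))
```

Run against a real export of a user's role mappings, the same two functions show at a glance which realms a master-realm account can alter, which is the least-privilege question these auto-created clients exist to answer.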