Stateless CLI wrapper for Keycloak administration via Docker.
Gordon Luk c8918d4ad9 docs: add ACCESS-CONTROL.md — multi-language access control implementation
Covers JWT validation, organization extraction, and client-role enforcement in:
- TypeScript/JavaScript (Express middleware + full POS API example)
- Python (FastAPI dependencies + Flask decorators)
- Go (Gin middleware + Chi pattern)
- Rust (Axum extractor with FromRequestParts)
- React (KeycloakProvider + hasRole() pattern + API fetch wrapper)
- DevOps: environment config, Docker Compose, integration tests
2026-05-17 22:04:03 +01:00
examples feat: kcadm_cli.sh wrapper + GUIDE + onboarding examples 2026-05-17 19:13:59 +01:00
.gitignore feat: kcadm_cli.sh wrapper + GUIDE + onboarding examples 2026-05-17 19:13:59 +01:00
ACCESS-CONTROL.md docs: add ACCESS-CONTROL.md — multi-language access control implementation 2026-05-17 22:04:03 +01:00
GUIDE.md feat: kcadm_cli.sh wrapper + GUIDE + onboarding examples 2026-05-17 19:13:59 +01:00
kcadm_cli.sh feat: kcadm_cli.sh wrapper + GUIDE + onboarding examples 2026-05-17 19:13:59 +01:00
README.md docs: add ACCESS-CONTROL.md — multi-language access control implementation 2026-05-17 22:04:03 +01:00

kcadm-cli-wrapper

Stateless CLI wrapper for Keycloak administration via Docker.

Runs the official kcadm.sh tool in a temporary Docker container with pre-configured authentication — no Java install, no saved sessions, no MFA prompts. Every command is self-contained and idempotent.

Why This Exists

Managing Keycloak from the command line typically requires:

  • Installing Java and downloading the Keycloak server distribution
  • Authenticating with a username/password (blocked by MFA/TOTP)
  • Managing session config files that persist across commands

This wrapper solves all three:

Problem                  | Solution
Java dependency          | Runs kcadm.sh inside a Docker container — no local Java
MFA blocks automation    | Authenticates via client credentials (service account), not user/password
Session state management | Stateless — auth args passed on every command, no saved config
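
The stateless pattern in the table above, as an added sketch that is not the project's kcadm_cli.sh. The names KC_IMAGE, KC_SERVER, KC_CLIENT, KC_DRY_RUN and kc, the server URL and the client id are assumptions, as is a /bin/sh in the Keycloak image; it passes the secret through the container environment rather than on the host command line.

```shell
# Added sketch of a stateless kcadm.sh call; not the project's kcadm_cli.sh.
# Assumed (not from the README): KC_IMAGE, KC_SERVER, KC_CLIENT, KC_DRY_RUN, kc.
KC_IMAGE="${KC_IMAGE:-quay.io/keycloak/keycloak:latest}"
KC_SERVER="${KC_SERVER:-https://keycloak.example.com}"   # placeholder URL
KC_CLIENT="${KC_CLIENT:-kcadm-automation}"               # placeholder client id

kc() {
  # Fail closed: without the secret there is nothing to authenticate with.
  if [ -z "${KEYCLOAK_CLIENT_SECRET:-}" ]; then
    echo "KEYCLOAK_CLIENT_SECRET is not set" >&2
    return 1
  fi
  if [ "$#" -eq 0 ]; then
    echo "usage: kc <kcadm.sh command> [args...]" >&2
    return 2
  fi
  # -e NAME (no value) copies the variable from the caller's environment, so
  # the secret is absent from the host-side `docker run` command line. It is
  # expanded only by the shell inside the container, where it still ends up in
  # the kcadm.sh process arguments.
  # --no-config stops kcadm.sh reading or writing a session file; --rm discards
  # the container afterwards.
  set -- docker run --rm -e KEYCLOAK_CLIENT_SECRET \
    --entrypoint /bin/sh "$KC_IMAGE" -c \
    'exec /opt/keycloak/bin/kcadm.sh "$@" --secret "$KEYCLOAK_CLIENT_SECRET"' \
    kcadm "$@" --no-config --server "$KC_SERVER" --realm master \
    --client "$KC_CLIENT"
  if [ -n "${KC_DRY_RUN:-}" ]; then
    printf '%s\n' "$*"      # show the command instead of running it
  else
    "$@"
  fi
}
```

Setting KC_DRY_RUN=1 before calling kc prints the assembled command, which is a quick way to confirm the secret value is not in it.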

Quick Start

# 1. Set your client secret (once)
export KEYCLOAK_CLIENT_SECRET="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# 2. Make the script executable
chmod +x kcadm_cli.sh

# 3. Use it like kcadm.sh
./kcadm_cli.sh get realms --fields realm
./kcadm_cli.sh create realms -s realm=my-realm -s enabled=true
./kcadm_cli.sh get organizations -r pos-production

Prerequisites

  • Docker installed and running
  • Service account client in Keycloak's master realm with realm-admin role
  • The client secret exported as KEYCLOAK_CLIENT_SECRET

See GUIDE.md for setup instructions and detailed usage.

What's Inside

File                        | Purpose
kcadm_cli.sh                | The wrapper script — drop it anywhere, chmod +x, use
GUIDE.md                    | Detailed guide: what/why/how/when for realms, organizations, users, roles
ACCESS-CONTROL.md           | Implementation guide: enforce org + role access in TypeScript, Python, Go, Rust, React
examples/onboard-company.sh | End-to-end customer onboarding (org + user + role assignment)
examples/create-roles.sh    | Batch-create client roles for POS and Accounting systems