14

I understand that Keycloak has built-in clients and we add the users later on.

But in general, what is the difference between a client and a user in Keycloak?

Orkun Ozen

3 Answers

11

According to the Keycloak documentation:

  1. User - Users are entities that are able to log into your system
  2. Client - Clients are entities that can request Keycloak to authenticate a user. Most often, clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. Clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network that are secured by Keycloak.

9

In short, not only for Keycloak but for OAuth and OpenID Connect too, a client represents a resource which some users can access. The built-in clients for Keycloak represent some resources for Keycloak itself.

Xtreme Biker
  • So can we say that an app that allows sign-in via Google is a client, and Google itself is the server? Can we say each realm is for a new client? And Keycloak itself is an OAuth server? – arpit Aug 04 '18 at 16:04
  • 1
    1. Google would be the identity provider. 2. It depends on how the IdP treats the client. 3. Keycloak is an identity provider, it supports OpenID Connect (which is OAuth based) and SAML authorization protocols. – Xtreme Biker Aug 04 '18 at 16:59
  • @arpit, please, ask a separate question. – Xtreme Biker Aug 04 '18 at 17:57
  • Isn't a client a third-party application which wants to access a certain resource on behalf of a user (resource owner) once the authorization is provided? – RrR- Nov 19 '18 at 09:20

5

Clients and users are two completely different constructs in Keycloak.

In plain English, a client is an application. An example of an application could be e.g. yelp.com or any mobile application. A client can be a simple REST API. Keycloak's built-in clients are for Keycloak's internal use, but any user-defined application has to be registered as a client in Keycloak.

Users are the ones who authenticate via Keycloak to gain access to these applications/clients. Users are stored in the Keycloak DB or in any externally hosted LDAP that is synced with Keycloak.

raghav
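
To make the client/user distinction from the answers above concrete, the following added example (not part of any answer and not Keycloak's own code) reads the claims of two constructed access tokens and reports which client each was issued to (`azp`) and which user, if any, logged in (`preferred_username`). The client names `my-web-app` and `reporting-service`, the user `alice` and the `sub` values are made-up samples; the tokens are unsigned stand-ins, so only the payload is decoded.

```python
import base64
import json

# Keycloak names the internal user behind a client's service account
# "service-account-<client id>".
SERVICE_ACCOUNT_PREFIX = "service-account-"

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for this demo only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(header), _b64url(claims), "sig-placeholder"])

def decode_claims(token: str) -> dict:
    """Decode the payload segment. No signature check is done here; a real
    resource server verifies the token against the realm's keys first."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def who_is_calling(token: str) -> dict:
    """Separate the client (application) from the user (person) in a token."""
    claims = decode_claims(token)
    username = claims.get("preferred_username", "")
    is_service_account = username.startswith(SERVICE_ACCOUNT_PREFIX)
    return {
        "client": claims.get("azp"),  # the application that requested the token
        "user": None if is_service_account or not username else username,
        "is_service_account": is_service_account,
    }

# Constructed sample 1: user "alice" logged in through the client "my-web-app".
USER_LOGIN = make_sample_token(
    {"sub": "sample-user-id", "azp": "my-web-app", "preferred_username": "alice"}
)
# Constructed sample 2: the client "reporting-service" obtained a token for
# itself (client credentials), so no person is involved.
CLIENT_ONLY = make_sample_token(
    {"sub": "sample-sa-id", "azp": "reporting-service",
     "preferred_username": "service-account-reporting-service"}
)

if __name__ == "__main__":
    for name, tok in (("user login", USER_LOGIN), ("client only", CLIENT_ONLY)):
        print(name, "->", who_is_calling(tok))
```
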