Realm & Clients
In Keycloak, realms represent isolated security domains that manage users, credentials, roles, and groups. Clients are applications or services that use Keycloak for authentication and authorization within these realms.
Realms
There are three realms in total:
- master
- tumidpldap
- external-login
The tumidpldap realm is used for TUM login and passkey flows. The external-login realm is used for external/social login
flows. The master realm exists in both development and production environments; however, it is only visible to and
managed by AET Admins in production.
Info: In production, the configured login realms are persistent, and structural changes can only be performed by authorized AET Admins.
Clients
The following clients are used across environments with specific purposes:
- tumapply-client: Used by the client (browser application) for direct authentication with Keycloak, supporting login methods such as Google and TUM login.
- tumapply-server-client: Used by the server when users log in via email and password. The server exchanges the user's credentials for a token with Keycloak using this client.
- tumapply-admin-api: Admin/API service account used by the server for Keycloak Admin API operations and token exchange-based impersonation.
- System clients: These include account, account-console, admin-cli, broker, realm-management, security-admin-console, and others. They serve infrastructure and internal Keycloak functions necessary for managing accounts, administration, and security.
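Because each application client has a distinct purpose, each should only have the Keycloak flows its purpose requires enabled. The following added example (not code from the TUMApply project) audits a realm export against that expectation: the browser client is public and uses the authorization code flow only, the server client is confidential and is the only one with direct access grants (password exchange), and the admin client is a service account with no user-facing flows. The realm export below is constructed for illustration; the attribute names follow Keycloak's realm export format, but the values and the expected settings are assumptions, not the project's actual configuration.

```python
"""Audit a Keycloak realm export for least-privilege client settings.

Constructed example. REALM_EXPORT mimics the shape of a Keycloak realm
export (`clients` array with per-client flow flags); the values are made up.
"""

# Constructed realm export fragment (assumed values, not a real export).
# The browser client deliberately has directAccessGrantsEnabled set to true
# here so that the audit has something to report.
REALM_EXPORT = {
    "realm": "tumidpldap",
    "clients": [
        {"clientId": "tumapply-client", "publicClient": True,
         "standardFlowEnabled": True, "directAccessGrantsEnabled": True,
         "serviceAccountsEnabled": False, "implicitFlowEnabled": False,
         "redirectUris": ["https://tumapply.example/*"]},
        {"clientId": "tumapply-server-client", "publicClient": False,
         "standardFlowEnabled": False, "directAccessGrantsEnabled": True,
         "serviceAccountsEnabled": False, "implicitFlowEnabled": False,
         "redirectUris": []},
        {"clientId": "tumapply-admin-api", "publicClient": False,
         "standardFlowEnabled": False, "directAccessGrantsEnabled": False,
         "serviceAccountsEnabled": True, "implicitFlowEnabled": False,
         "redirectUris": []},
    ],
}

# Expected flow settings per client, derived from each client's stated role
# (assumed policy for this example).
EXPECTED = {
    # Browser login (Google / TUM login): public client, code flow only.
    "tumapply-client": {
        "publicClient": True, "standardFlowEnabled": True,
        "directAccessGrantsEnabled": False, "serviceAccountsEnabled": False},
    # Server-side email/password exchange: confidential, password grant only.
    "tumapply-server-client": {
        "publicClient": False, "standardFlowEnabled": False,
        "directAccessGrantsEnabled": True, "serviceAccountsEnabled": False},
    # Admin API / token exchange: service account, no user-facing flows.
    "tumapply-admin-api": {
        "publicClient": False, "standardFlowEnabled": False,
        "directAccessGrantsEnabled": False, "serviceAccountsEnabled": True},
}


def audit_clients(export, expected=EXPECTED):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    by_id = {c["clientId"]: c for c in export.get("clients", [])}
    for client_id, rules in expected.items():
        client = by_id.get(client_id)
        if client is None:
            findings.append(f"{client_id}: missing from realm {export.get('realm')}")
            continue
        # Compare every flow flag against the expected value for this role.
        for attr, want in rules.items():
            got = client.get(attr, False)
            if got != want:
                findings.append(f"{client_id}: {attr} is {got}, expected {want}")
        # The implicit flow is deprecated and should be off for every client.
        if client.get("implicitFlowEnabled", False):
            findings.append(f"{client_id}: implicitFlowEnabled should be False")
        # Redirect URIs must be specific and use TLS (localhost excepted).
        for uri in client.get("redirectUris", []):
            if uri == "*" or (uri.startswith("http://") and "localhost" not in uri):
                findings.append(f"{client_id}: overly permissive redirect URI {uri}")
    return findings


if __name__ == "__main__":
    for finding in audit_clients(REALM_EXPORT) or ["no findings"]:
        print(finding)
```

Running the script against the constructed export reports a single finding, the direct access grant left enabled on the public browser client; a production check would load the real export from `kc.sh export` or the Admin API instead of an inline dict.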