API Clients
An API client is an external software component that interacts with MTG Certificate Lifecycle Manager Server through its programmatic interface. It resembles an RA Operator in that it can perform actions such as creating an end entity or issuing and revoking a certificate, but it has no user credentials for the MTG Certificate Lifecycle Manager Server UI.
An example of such an API client is the connection between MTG Certificate Lifecycle Manager Server and other MTG products such as the MTG ACME server. In this scenario the MTG ACME server takes the role of an API client and issues and revokes certificates according to the ACME protocol.
API clients are not bound to a realm and can exist independently of any realm. Nevertheless, before an API client can act within a realm, an RA Operator with access to that realm must assign the realm to the API client. API clients are mapped to Keycloak clients, so all administration operations for API clients can also be performed through the Keycloak administration console. More details about Keycloak client administration are provided at www.keycloak.org/docs/latest/server_admin/index.html#_oidc_clients.
1. View API Clients
Available API clients can be viewed on the Administration / API Clients / Show page or via the Keycloak administration console. The available API clients can also be searched, either by their exact API client ID or by a substring of the client's client ID or name.
2. Create API Client
The top section of the Administration / API Clients / Create page allows the creation of a new API client by choosing a name, the assigned realms and a default policy. The default policy is used with this API client whenever no policy is provided in an API call.
An alternative way to create an API client is via the Keycloak administration console. In the second step of the Create client procedure, Client authentication must be enabled (this makes the client confidential, so it receives a client secret) and Service accounts roles must be selected under Authentication flow (this gives the client a service account, so it can obtain tokens without a user). Clients created in the Keycloak administration console are imported into MTG Certificate Lifecycle Manager Server either manually, through the Administration / API Clients / Sync button, or automatically while searching.
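The two console settings above correspond to two fields of the Keycloak client representation. The following added example (not MTG or Keycloak code) builds that representation for an API client and checks an existing one against the requirements before it is imported; it assumes the Keycloak Admin REST API endpoint `POST /admin/realms/{realm}/clients` and its ClientRepresentation field names, and the base URL, realm name and client ID used are placeholders.

```python
"""Keycloak client representation for an MTG CLM API client.

Added example, not code from MTG or Keycloak. Assumes the Keycloak Admin
REST API and its ClientRepresentation fields. Base URL, realm and client
ID are placeholders.
"""
import json
import urllib.request

INTERACTIVE_FLOWS = ("standardFlowEnabled", "implicitFlowEnabled",
                     "directAccessGrantsEnabled")


def api_client_representation(client_id: str, description: str = "") -> dict:
    """Representation equivalent to the console steps for an API client.

    'Client authentication' on  -> publicClient False (confidential client
                                    authenticated with a client secret)
    'Service accounts roles' on -> serviceAccountsEnabled True
    Interactive login flows are switched off: an API client never logs in
    a human user, so leaving them on only widens the attack surface.
    """
    return {
        "clientId": client_id,
        "description": description,
        "enabled": True,
        "protocol": "openid-connect",
        "publicClient": False,
        "clientAuthenticatorType": "client-secret",
        "serviceAccountsEnabled": True,
        "standardFlowEnabled": False,
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,
    }


def check_api_client(rep: dict) -> tuple[list[str], list[str]]:
    """Return (problems, warnings) for a Keycloak client representation.

    problems: the client cannot serve as a CLM API client at all.
    warnings: it works, but has settings an API client should not need.
    """
    problems, warnings = [], []
    if rep.get("publicClient", False):
        problems.append("publicClient is true: enable Client authentication "
                        "so the client gets a secret")
    if not rep.get("serviceAccountsEnabled", False):
        problems.append("serviceAccountsEnabled is false: select "
                        "Service accounts roles")
    if rep.get("protocol", "openid-connect") != "openid-connect":
        problems.append("protocol must be openid-connect")
    if not rep.get("enabled", True):
        problems.append("client is disabled")
    for flow in INTERACTIVE_FLOWS:
        if rep.get(flow, False):
            warnings.append(f"{flow} is true: an API client needs no "
                            "interactive login flow")
    return problems, warnings


def create_client(base_url: str, realm: str, admin_token: str, rep: dict) -> str:
    """Create the client via the Admin REST API; refuses a bad representation.

    Returns the Location header of the new client resource. admin_token is
    a bearer token of a Keycloak administrator (obtained separately).
    """
    problems, _ = check_api_client(rep)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/realms/{realm}/clients",
        data=json.dumps(rep).encode(),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Location", "")


if __name__ == "__main__":
    rep = api_client_representation("mtg-acme", "MTG ACME server")
    print(json.dumps(rep, indent=2))
    print(check_api_client(rep))
```

After the client exists in Keycloak, trigger the import with the Administration / API Clients / Sync button as described above; `check_api_client` is useful on the representation of any client created by hand, since a public client or one without a service account will not be able to authenticate as an API client.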
The API client secret acts as the API client's credential and becomes visible after creation. Together with the API client ID, it is required to authenticate as the API client. Treat the secret like a password: it grants every right that the assigned realms and the default policy give the API client, so keep it in a secrets store rather than in configuration files or scripts, and regenerate it in Keycloak if it is exposed.