Keycloak - manage realm data from server side application
Question
I have a Spring Boot REST API that uses Keycloak for authentication.
I have the need to handle certain realm actions (e.g. user creation) without giving the current user the "manage-user" role of the "realm-management" client.
I kinda solved this by adding a special user to the realm, and giving him the correct role. Every time I want to do a user-related task, I log in with this special user and use him to perform the action (I had to change my client type from "bearer only" to "confidential" for this to work).
I was wondering if there are better solutions that I can adopt to solve this problem.
Answer 1
Score: 0
In Keycloak, declare a client with Client authentication and Service accounts roles enabled. Also allow this client to perform the Keycloak API calls you want.
Then declare a client registration with client_credentials in your Spring configuration:
spring:
  security:
    oauth2:
      client:
        provider:
          keycloak:
            issuer-uri: https://localhost:8443/realms/master
        registration:
          robot:
            authorization-grant-type: client_credentials
            client-id: my-client-with-client-credentials
            client-secret: change-me   # inject from the environment or a vault, not from source control
            provider: keycloak
            scope:
              - openid
              - profile
              - offline_access
Refer to your REST client documentation to authorize its requests with access-tokens from the OAuth2AuthorizedClientRepository (using your new client-id).
For WebClient in servlet environments, it is documented there.
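As an added example (not code from the answer or from the Keycloak or Spring projects), this wires the "robot" registration above into a WebClient in a servlet Spring Boot app and uses it to create a user through the Keycloak Admin REST API. Assumptions not on the page: Spring Boot 3 / Spring Security 6 with spring-boot-starter-webflux on the classpath for WebClient, a hypothetical property keycloak.admin-base-url pointing at the realm's admin base (https://localhost:8443/admin/realms/master for the issuer in the YAML), and a service account that holds only the realm-management manage-users role.

```java
import java.util.Map;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.oauth2.client.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.stereotype.Service;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
class KeycloakAdminClientConfig {
    // Obtains and caches the client_credentials token for "robot"; no end-user credentials involved.
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientRepository authorizedClients) {
        var manager = new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(
                OAuth2AuthorizedClientProviderBuilder.builder().clientCredentials().build());
        return manager;
    }

    // WebClient that adds the robot's access token as a Bearer header on every call.
    // keycloak.admin-base-url is an assumed property, e.g. https://localhost:8443/admin/realms/master
    @Bean
    WebClient keycloakAdminWebClient(OAuth2AuthorizedClientManager manager,
            @Value("${keycloak.admin-base-url}") String adminBaseUrl) {
        var oauth2 = new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth2.setDefaultClientRegistrationId("robot"); // registration id from the YAML above
        return WebClient.builder().baseUrl(adminBaseUrl).apply(oauth2.oauth2Configuration()).build();
    }
}

@Service
class KeycloakUserService {
    private final WebClient keycloakAdmin;
    KeycloakUserService(WebClient keycloakAdminWebClient) { this.keycloakAdmin = keycloakAdminWebClient; }

    // POST /users on the Admin REST API. The robot always holds manage-users, so whether the
    // *calling* user may create accounts must be enforced by the application before this is reached.
    public void createUser(String username, String email) {
        keycloakAdmin.post().uri("/users")
                .contentType(MediaType.APPLICATION_JSON)
                .bodyValue(Map.of("username", username, "email", email, "enabled", true))
                .retrieve().toBodilessEntity().block();
    }
}
```

Because the robot's privileges are fixed regardless of who triggered the request, the authorization decision moves into the application: guard the endpoint that calls createUser (for example with @PreAuthorize) and log which caller triggered each admin action, since Keycloak's own audit will only show the service account.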