16

I am trying to create a user in Keycloak programmatically, but I am getting 403 as the status code. I am following the link below.

https://technology.first8.nl/programmatically-adding-users-in-keycloak/

Can anyone help me? Thanks In advance

I am using the following code to create the user:

    import java.util.Arrays;
    import javax.ws.rs.core.Response;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    // Log in with the resource-owner password grant. The user named here must hold
    // realm-management roles (e.g. manage-users) for the create call below to succeed.
    Keycloak kc = Keycloak.getInstance(
            "http://{server name}:8080/auth",
            "{realm name}",        // the realm to log in to
            "{username}",
            "{password}",          // the user
            "{client id}",
            "{client secret key}");

    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("test123");

    UserRepresentation user = new UserRepresentation();
    user.setUsername("codeuser");
    user.setFirstName("sampleuser1");
    user.setLastName("password");
    user.setCredentials(Arrays.asList(credential));
    user.setEnabled(true);

    // 201 on success; 403 means the authenticated principal lacks the manage-users role.
    Response result = kc.realm("{realm name}").users().create(user);
    System.out.println(result.getStatus());

The response status is coming back as 403.

Programmer

4 Answers

34

I faced the same issue. This is how I fixed it.

  1. Create a role that has at least the realm-management role manage-users.

  [screenshot: composite role with realm-management manage-users; UI update for server 9.0.2]

  2. Go to your client's Scope tab and add the role to your Realm Roles.

  [screenshot: client Scope tab with the role added to Realm Roles]
niinyarko
  • This works for me with KC server 3.4.0.Final and the same version of admin client; fwiw the Gradle stanza I have is `compile group: 'org.keycloak', name: 'keycloak-admin-client', version: '3.4.0.Final'` –  Jan 24 '19 at 09:43
  • https://stackoverflow.com/questions/60359979/keycloak-admin-rest-api-unknown-error-for-update-user-api explains it better. – Lakmal Vithanage Jul 26 '22 at 12:39
6

I faced the same issue with KeyCloak 9.0.3. What finally worked for me was:

  1. Use the admin-cli client with client credentials on the target realm (where I am trying to create the user):

    curl \
      -d "client_id=admin-cli" \
      -d "client_secret=<YOUR_CLIENT_SECRET>" \
      -d "grant_type=client_credentials" \
      "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token"

I am not sure why, but using the admin client on the master realm simply did not work for me.

  2. Set up the admin-cli client in the target realm with the role as mentioned in the correct answer above.

  3. In addition to adding the new role to Scope, I also had to add the role to Service Account Roles.

BTW, a client-credentials access token is not even mentioned as an option in the Admin REST API docs for Keycloak 9.0.3, but it does work.

crimson_sails
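Both answers above come down to the same check: the access token the admin client sends must carry `manage-users` (or the `realm-admin` composite) on the built-in `realm-management` client, and it only does so if the role is assigned to the user or service account and is inside the client's scope. The script below is an added diagnostic, not code from the question or the answers: it decodes a token payload without verifying the signature (fine for inspecting your own token, never for an authorization decision) and reports which fix applies. The two tokens are constructed, unsigned samples shaped like Keycloak access tokens; the issuer URL, `azp`, and role lists in them are assumptions.

```python
"""Diagnose a Keycloak Admin REST API 403 by inspecting the access token's roles.

Added example, not from the original post. Decodes the JWT payload WITHOUT
signature verification: use it to look at your own token, not to authorize.
"""
import base64
import json

# Client roles on the built-in "realm-management" client that the user
# endpoints (/admin/realms/{realm}/users) accept for creating users.
REALM_MANAGEMENT_CLIENT = "realm-management"
USER_ADMIN_ROLES = {"manage-users", "realm-admin"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def realm_management_roles(claims: dict) -> set:
    """Client roles on realm-management as Keycloak emits them in
    resource_access.<client>.roles (only roles within the client's scope appear)."""
    resource_access = claims.get("resource_access", {})
    return set(resource_access.get(REALM_MANAGEMENT_CLIENT, {}).get("roles", []))


def can_manage_users(token: str) -> bool:
    return bool(realm_management_roles(token_claims(token)) & USER_ADMIN_ROLES)


def diagnose(token: str) -> str:
    """Map what the token carries to the fix the answers above describe."""
    roles = realm_management_roles(token_claims(token))
    if roles & USER_ADMIN_ROLES:
        return "ok: token carries %s on realm-management" % sorted(roles & USER_ADMIN_ROLES)
    if roles:
        return ("403: realm-management roles present (%s) but none of %s; "
                "assign manage-users to the user or service account"
                % (sorted(roles), sorted(USER_ADMIN_ROLES)))
    return ("403: no realm-management roles in token; either the role is not "
            "assigned (user / Service Account Roles) or the client's scope "
            "does not include it (Client -> Scope tab / full scope allowed)")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg 'none') JWT for offline demonstration.
    Real Keycloak tokens are RS256-signed; this is sample input only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample claims shaped like a Keycloak access token (assumed values).
GOOD_TOKEN = make_unsigned_token({
    "iss": "http://localhost:8080/auth/realms/myrealm",
    "azp": "admin-cli",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"realm-management": {"roles": ["manage-users", "view-users"]}},
})
BAD_TOKEN = make_unsigned_token({
    "iss": "http://localhost:8080/auth/realms/myrealm",
    "azp": "admin-cli",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"account": {"roles": ["view-profile"]}},
})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, "->", diagnose(tok))
```

To use it on a real deployment, paste the `access_token` value returned by the token endpoint (the curl call in the answer above) into `diagnose()`. If the role shows up in the admin console but not in the token, the scope mapping is the problem; if it shows up nowhere, the assignment is.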
4

If you are not using the admin user from the master realm, you need to assign the proper roles, such as the manage-users role from the realm-management client, to the user you are using to get the Keycloak instance.

[screenshot: adding realm-management roles to the user]

ravthiru
  • I have assigned the roles as shown above and still I am getting the status as forbidden. – Programmer Mar 28 '18 at 05:07
  • Can you find the error message using `ErrorRepresentation error = response.readEntity(ErrorRepresentation.class); error.getErrorMessage()`? – ravthiru Mar 28 '18 at 05:31
  • `RESTEASY003145: Unable to find a MessageBodyReader of content-type */* and type class org.keycloak.representations.idm.ErrorRepresentation` – this exception occurs when I add the above line of code. – Programmer Mar 28 '18 at 05:55
  • You need to have resteasy-jackson2-provider jar in your dependency – ravthiru Apr 03 '18 at 08:03
3

If you use Service Accounts to authenticate, you need to add the roles from the preceding answer in the Service Account Roles tab.

[screenshot: Keycloak client admin-cli, Service Account Roles tab]

ValentinG