3

I have a spring boot application which use keycloak for user management. But the keycloak instance is a production one and I don't have admin credentials. I following keycloak realm information.

#Keycloak settings
keycloak.auth-server-url=https://myapp.com/auth/
keycloak.realm=project-realm
keycloak.resource=project-client
keycloak.credentials.secret=secret
keycloak.use-resource-role-mappings=true
keycloak.bearer-only=true
keycloak.ssl-required=external
auth.token.url=https://myapp.com/auth/realms/my-realm/protocol/openid-connect/token
auth.grant.type=client_credentials

When I try do perform user management operations using keycloak rest api I get 403 Forbidden response. Here the authorization token is generated using above realm credentials.

method: POST 
url:https://myapp.com/auth/realms/project-realm/protocol/openid-connect/token
contentType: application/x-www-form-urlencoded
body:
client_id: project-client
grant_type: client_credentials
client_secret: secret

But when I use a local keycloak instance and generate authorization token using admin credentials this works fine.

method: POST 
url:http://localhost:8180/auth/realms/master/protocol/openid-connect/token
contentType: application/x-www-form-urlencoded
body:
client_id: admin-cli
grant_type: password
username: admin
password: admin

What I need to know is do I need admin credentials (username, password) to perform these user management operation using Keycloak rest api? Or am I doing something wrong?

dreamcrash
  • 47,137
  • 25
  • 94
  • 117
Ruchira Nawarathna
  • 1,137
  • 17
  • 30

1 Answers1

3

When I try do perform user management operations using keycloak rest api I get 403 Forbidden response. Here the authorization token is generated using above realm credentials.

This happens because

method: POST 
url:https://myapp.com/auth/realms/project-realm/protocol/openid-connect/token
contentType: application/x-www-form-urlencoded
body:
client_id: project-client
grant_type: client_credentials
client_secret: secret

your client project-client does not have the proper admin-related roles to perform the Admin Rest API calls.

What I need to know is do I need admin credentials (username, password) to perform these user management operation using keyclaok rest api? Or am I doing something wrong?

No. You can perform those same tasks with another user or client as long as they have the appropriate roles. To fix your problem you can do the following:

  • Go to the realm where the client project-client is;
  • Go to Clients and select the client project-client;
  • Switch to the tab Service Account Roles;
  • In the Client Roles dropdown menu select realm-management;
  • Select and assign the roles accordingly:

enter image description here

dreamcrash
  • 47,137
  • 25
  • 94
  • 117