
Authenticated using a staff role, I'm trying to get a list of users having a dealer role using the following method:

GET: admin/realms/{realm}/clients/8cf0e750-6807-46e9-a9b3-a33b1340b175/roles/{role}/users

Unfortunately I'm encountering a 403 forbidden response, "error": "unknown_error". I googled a bit but now I'm more confused. These roles are defined at a realm-level but I've created additional roles at a client level. I've enabled service account roles at client level, assigned both client roles (dealer and staff) and view-users & manage-users from realm-management scope level but without success.

What changes do I need to make in order to achieve my goal?

shAkur

1 Answer


You are using the clients API, so you need to add the manage-clients role to your user.

Edit:

To use the service account you need to authenticate with the client id and token.

curl --location --request POST 'http://localhost:8080/realms/HUB/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=my-client' \
--data-urlencode 'client_secret=my-client-secret' \
--data-urlencode 'grant_type=client_credentials'

Then you can use this token to make your API calls. Make sure that the service account has the required roles assigned.

This is my call to get the role users:

curl --location --request GET 'http://localhost:8080/admin/realms/HUB/clients/4eaeb1d8-3dd9-4e8d-a352-a71574dfdff1/roles/api-user/users' \
--header "Authorization: Bearer $ACCESS_TOKEN"
Hairy Chip
  • Even doing so, I get 403 status code, `{"error": "unknown_error"}`. But when I try with an admin user access token, it works. How can I make it work using an access token of a `{realm}` user? – shAkur Feb 22 '23 at 07:22
  • You can enable the service account on a client. For that you need to enable the "authorization" toggle in the client settings. Then you will see a new tab, "credentials". Afterwards you can log in using the client id and token to get the JWT of the client service account and use this JWT to make the calls you need. Don't forget to add the roles to the service account. There is a "Service accounts roles" tab in the client. – Hairy Chip Feb 22 '23 at 10:33
  • I already toggled the "authorization" option and set credentials. I even put all realm-management roles in the service account roles tab but without success. Please check out my other question: https://stackoverflow.com/questions/75530205/keycloak-api-works-for-admin-cli-client-only – shAkur Feb 22 '23 at 10:40
  • Are you authenticating using the client id and secret? – Hairy Chip Feb 22 '23 at 10:46
  • Yeah, I'm able to get the access token using client id and secret but also using "password" as grant_type. The problem is that using this token for the second call (getting users with a specific role) returns 403 – shAkur Feb 22 '23 at 10:48
  • Sounds like some role is missing in the service account... just tested it and it works fine for me. Which Keycloak version are you using? – Hairy Chip Feb 22 '23 at 10:51
  • I have added every client role available in the service account but without success. Using Keycloak 20.0.2. My user only has the realm-management manage-clients role and just with that it works using the admin-cli client, but it doesn't if I put that role in the service-account roles – shAkur Feb 22 '23 at 10:53
  • Do you have client authentication, Authorization and Direct access grants enabled in your client config? – Hairy Chip Feb 22 '23 at 10:55
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/252042/discussion-between-shakur-and-hairy-chip). – shAkur Feb 22 '23 at 10:57
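The answer's two curl calls, and the check the comment thread circles around, as an added example (not code from the question, the answer or the Keycloak project): the admin REST API evaluates the roles carried in the bearer token under resource_access.realm-management, so decoding the token you just received shows whether the roles assigned in the "Service accounts roles" tab actually reached the token before you spend time on a bare "unknown_error" 403. The script uses only the standard library; base URL, realm, client id, secret, the REQUIRED_ROLES set (the roles named on this page, which may differ across Keycloak versions) and the sample token are assumptions for illustration.

```python
"""Added example: get a Keycloak service-account token with the
client_credentials grant, inspect which realm-management roles it actually
carries, and only then call the admin endpoint from the question.
Stdlib only; the HTTP part needs a live Keycloak, the parsing part does not."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the realm-management roles this page discusses for the call
# GET /admin/realms/{realm}/clients/{id}/roles/{role}/users. Adjust the set
# if your Keycloak version enforces a different combination.
REQUIRED_ROLES = frozenset({"manage-clients", "view-users"})


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used in compact JWS segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a JWT WITHOUT verifying the signature.
    Good enough to inspect a token Keycloak just handed you over TLS;
    never use an unverified payload to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def realm_management_roles(claims: dict) -> set:
    """Client roles of 'realm-management' present in the token. These are
    what the admin REST API evaluates, not what the console shows assigned."""
    return set(claims.get("resource_access", {})
                     .get("realm-management", {})
                     .get("roles", []))


def missing_roles(claims: dict, required=REQUIRED_ROLES) -> set:
    """Required realm-management roles that did not make it into the token."""
    return set(required) - realm_management_roles(claims)


def get_service_account_token(base_url, realm, client_id, client_secret):
    """client_credentials grant, the same request as the answer's first curl."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/{realm}/protocol/openid-connect/token",
        data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def users_in_client_role(base_url, realm, token, client_uuid, role_name):
    """GET .../clients/{uuid}/roles/{role}/users; on 403, report which of the
    required roles the token lacks instead of just 'unknown_error'."""
    url = (f"{base_url}/admin/realms/{realm}/clients/{client_uuid}"
           f"/roles/{urllib.parse.quote(role_name)}/users")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            lacking = sorted(missing_roles(jwt_claims(token))) or ["(none of the expected ones)"]
            raise PermissionError(
                f"403 from {url}; token is missing realm-management roles: {lacking}") from err
        raise


def make_demo_token(payload: dict) -> str:
    """Constructed, unsigned demo JWT (header.payload.bogus-signature) so the
    parsing above can be exercised offline. Not a Keycloak-issued token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.bogus"


# Constructed sample: a service-account token carrying the user-level roles
# the question mentions but not the manage-clients role the answer asks for.
SAMPLE_TOKEN = make_demo_token({
    "iss": "http://localhost:8080/realms/HUB",
    "azp": "my-client",
    "preferred_username": "service-account-my-client",
    "resource_access": {
        "my-client": {"roles": ["dealer", "staff"]},
        "realm-management": {"roles": ["view-users", "manage-users"]},
    },
})

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print("realm-management roles in token:", sorted(realm_management_roles(claims)))
    print("missing for the call:", sorted(missing_roles(claims)))
    # Live use (assumed placeholders, requires a running Keycloak):
    # tok = get_service_account_token("http://localhost:8080", "HUB", "my-client", "my-client-secret")
    # print(users_in_client_role("http://localhost:8080", "HUB", tok, "<client-uuid>", "dealer"))
```

If the roles you assigned in the console are absent from the decoded token, the problem is upstream of the admin API (the assignment is not being mapped into the token for that client); if they are present and the call still returns 403, the role set itself is what needs adjusting.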