
I'm trying to get a list of users by a specific role, but I get a 403 Forbidden error when using an access token generated for a custom client:

GET: http://localhost:8080/admin/realms/{realm}/clients/8cf0e750-6805-46e9-a9b9-a33b1340b175/roles/{role}/users

The strange thing is that when I use an access token generated by the Keycloak API (client_id: admin-cli), with the same user credentials (POST: http://localhost:8080/realms/{realm}/protocol/openid-connect/token), to get the list of users, it works!

The decoded JWT token structure is a bit different, but I want to understand why the token generated for the admin-cli client works and the one generated for my custom client doesn't.

shAkur

1 Answer

It is not related to the 'admin-cli' client. It depends on whether the user has the view-users role of the realm-management client or not.

That role is what allows getting the user list.

Demo user1 gets a token with another client (my-test) and can get the user list.

He can get the user list without admin-cli.

How do you know whether a user can get the user list?

This API shows the realm-management role mapping list:

GET {Keycloak URL}/auth/admin/realms/test/users/{user-uuid}/role-mappings

If a user has the manage-users role, she can update/delete/create users.

Same idea: the view-clients role can get the client list.

Bench Vue
  • This did not work for me. @shAkur Did you find a solution for this problem? Thank you! – Gerhard Powell Jun 10 '23 at 00:55
  • @GerhardPowell, Keycloak v20 or higher needs the `/auth` path removed from the API URL. Example: new version: GET {Keycloak URL}/admin/realms/test/users/{user-uuid}/role-mappings; old version: GET {Keycloak URL}/auth/admin/realms/test/users/{user-uuid}/role-mappings – Bench Vue Jun 10 '23 at 01:50
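To make the answer's check concrete, here is an added Python example (it is not code from the question, the answer, or Keycloak itself). It decodes an access token's claims without verifying the signature, looks for realm-management client roles under Keycloak's standard `resource_access` claim, parses the response of the `role-mappings` endpoint the answer points at, and builds that endpoint's URL with or without the legacy `/auth` prefix mentioned in the comments. The two tokens and the role-mappings document are constructed sample data; the client id `my-custom-client`, realm `test`, and the user and role ids are placeholders, not values from the original post.

```python
import base64
import json

# Admin-API operations named in the answer and the realm-management
# client role each one needs.
REQUIRED_ROLE = {
    "list_users": "view-users",
    "manage_users": "manage-users",
    "list_clients": "view-clients",
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    This is for inspecting a token you obtained yourself; it must never be
    used to decide whether to trust a token presented by someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def realm_management_roles(claims: dict) -> set:
    """Client roles of 'realm-management' carried in the token.

    Keycloak places client roles under resource_access.<clientId>.roles.
    """
    resource_access = claims.get("resource_access", {})
    return set(resource_access.get("realm-management", {}).get("roles", []))


def can_call(claims: dict, operation: str) -> bool:
    """True if the token carries the realm-management role the operation needs."""
    return REQUIRED_ROLE[operation] in realm_management_roles(claims)


def roles_from_role_mappings(resp: dict) -> set:
    """Extract realm-management role names from the JSON returned by
    GET /admin/realms/{realm}/users/{user-uuid}/role-mappings.

    Shape: {"realmMappings": [...],
            "clientMappings": {"<clientId>": {"mappings": [{"name": ...}, ...]}}}
    """
    client = resp.get("clientMappings", {}).get("realm-management", {})
    return {role["name"] for role in client.get("mappings", [])}


def role_mappings_url(base_url: str, realm: str, user_id: str,
                      legacy_auth_prefix: bool = False) -> str:
    """Build the role-mappings URL; older Keycloak versions served the
    admin API under /auth, newer ones do not (see the comments above)."""
    prefix = "/auth" if legacy_auth_prefix else ""
    return f"{base_url.rstrip('/')}{prefix}/admin/realms/{realm}/users/{user_id}/role-mappings"


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg none, empty signature) for offline use."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed sample tokens: one that carries view-users, one that does not.
ADMIN_CLI_TOKEN = make_unsigned_token({
    "azp": "admin-cli",
    "resource_access": {"realm-management": {"roles": ["view-users", "query-users"]}},
})
CUSTOM_CLIENT_TOKEN = make_unsigned_token({
    "azp": "my-custom-client",  # placeholder client id
    "resource_access": {"my-custom-client": {"roles": ["uma_protection"]}},
})

# Constructed sample response of the role-mappings endpoint (ids are placeholders).
SAMPLE_ROLE_MAPPINGS = {
    "realmMappings": [{"id": "00000000-0000-0000-0000-000000000001", "name": "default-roles-test"}],
    "clientMappings": {
        "realm-management": {
            "id": "00000000-0000-0000-0000-000000000002",
            "client": "realm-management",
            "mappings": [
                {"id": "00000000-0000-0000-0000-000000000003", "name": "view-users"},
                {"id": "00000000-0000-0000-0000-000000000004", "name": "manage-users"},
            ],
        }
    },
}

if __name__ == "__main__":
    for name, token in (("admin-cli", ADMIN_CLI_TOKEN), ("my-custom-client", CUSTOM_CLIENT_TOKEN)):
        claims = decode_jwt_payload(token)
        print(name, sorted(realm_management_roles(claims)),
              "can list users:", can_call(claims, "list_users"))
    print("mapped roles:", sorted(roles_from_role_mappings(SAMPLE_ROLE_MAPPINGS)))
    print(role_mappings_url("http://localhost:8080", "test", "00000000-0000-0000-0000-000000000005"))
```

Run the script against the two tokens you actually received (paste them in place of the constructed ones): if the admin-cli token lists `view-users` under `resource_access.realm-management.roles` and the custom client's token does not, that missing role is what produces the 403, exactly as the answer describes; the `role-mappings` call then tells you what the user is mapped to on the server side.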