13

I create a token using the http://localhost:8080/auth/realms/{realm_name}/protocol/openid-connect/token endpoint.

grant_type=client_credentials
client-id: ------------
client-secret: 78296d38-cc82-4010-a817-65c283484e51

Now I want to get the users of the realm, so I send a request to the http://localhost:8080/auth/admin/realms/{realm_name}/users?username=demo endpoint with the token. But I get a 403 Forbidden response with "error": "unknown_error". How can I solve it?

Andrii Abramov
Azhagesan

5 Answers

41

The service account associated with your client needs to be allowed to view the realm users.

  1. Go to http://localhost:8080/auth/admin/{realm_name}/console/#/realms/{realm_name}/clients

  2. Select your client (which must be a confidential client)

  3. In the settings tab, switch Service Account Enabled to ON

  4. Click on save, the Service Account Roles tab will appear

  5. In Client Roles, select realm_management

  6. Scroll through available roles until you can select view_users

  7. Click on Add selected

You should have something like this:

[screenshot]

Your client is now allowed to access users through the REST API.

Lucas Declercq
  • Hi. After setting Client Roles, the 403 Forbidden is resolved. Thanks. – Azhagesan Mar 08 '21 at 04:33
  • 1
    Was this changed in Keycloak 17? The `Service Account Enabled` is not showing on my screen. – ash Mar 28 '22 at 22:31
  • I needed to add `view-users` role to the user: Users -> -> Role Mappings -> Client Roles -> realm-management -> `view-users` -> `[Add Selected >>]` – ash Mar 29 '22 at 15:43
  • 1
    @ash to display it you need to set the Access Type of your client to "confidential" – Max R. May 10 '22 at 23:01
  • Lucas's answer didn't help me. only after adding to the user the "view-users" role (as ash suggested) the problem was fixed – Dardar May 23 '22 at 12:13
  • I didn't investigate why, but I added all the roles of realm-management for my case to play ok. Thanks. – LovaBill Jun 09 '22 at 13:22
  • 1
    Even after adding all roles I'm still getting the 403 error. Any clue? PS. I have Service Account enabled, and it logs in without issues. – Kostanos Aug 07 '22 at 15:51
  • @Kostanos Did you resolve it? I ended up with a similar issue. – Nitheesram Rajes Jan 31 '23 at 16:54
  • Hey, I did resolve it, but I don't remember how. Make sure that your JWT token has roles inside; I think that was the problem, but I don't remember, sorry. – Kostanos Feb 13 '23 at 20:29
  • This article is exactly what I needed, however I had remapped my roles and that interfered with Keycloak recognizing them. Make sure your roles are in your JWT like: `"resource_access": { "realm-management": { "roles": [ "view-identity-providers", "view-realm", ` This can be done by Client Scopes > Roles > Mappers: - Client Role = resource_access.${client_id}.roles - Realm Roles = realm_access.roles – Curtis Boyden Feb 17 '23 at 17:00
  • Thanks, it works fine. Also, you can make a group for the associated users and then apply those changes to the group. – Amr Abdalrahman Ahmed Jun 16 '23 at 14:38
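Several comments above say the fix only took effect once the realm-management roles actually showed up in the JWT. The following added example (not code from any answer here) decodes an access token's payload locally, without signature verification, and reports which realm-management client roles it carries; `make_unsigned_sample_token` builds a constructed, unsigned token so the script runs offline.

```python
import base64
import json

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token):
    """Return the claims of a JWT. No signature check: for inspecting your own token only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def realm_management_roles(token):
    """Client roles of 'realm-management' in the token, i.e. the claim the admin REST API checks."""
    claims = decode_jwt_payload(token)
    return set(claims.get("resource_access", {}).get("realm-management", {}).get("roles", []))

def diagnose_403(token, needed="view-users"):
    """Explain a 403 from /admin/realms/{realm}/users in terms of what the token carries."""
    roles = realm_management_roles(token)
    if needed in roles:
        return "ok"  # role present: the 403 is not a missing-role problem
    if roles:
        return f"missing realm-management/{needed}; token has: {', '.join(sorted(roles))}"
    return ("no realm-management roles in resource_access: assign the role to the "
            "service-account user and check the client-roles mapper on the client scope")

def make_unsigned_sample_token(roles):
    """Constructed sample token for offline testing. NOT a real Keycloak token: alg=none, no signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"resource_access": {"realm-management": {"roles": roles}}})
    return f"{header}.{payload}."

if __name__ == "__main__":
    for roles in (["view-users", "view-realm"], ["view-realm"], []):
        print(roles, "->", diagnose_403(make_unsigned_sample_token(roles)))
```

Paste a real access token into `diagnose_403` to see whether the roles are in the token before looking anywhere else.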
4

You need to assign a target realm-management role to your custom user. E.g. in Keycloak version 19.02, to assign any realm-management role such as manage-users, manage-clients or realm-admin, you must follow these steps:

  1. Create a new user
  2. Navigate to the user details and open the Role Mapping tab
  3. Click the Assign role button
  4. Select Filter by clients
  5. You will see the first 10 results; click ">" to see the next 10 results, etc., or use the search box
  6. Select one target role

[screenshot: Filter by clients, realm-management roles]

3

To create (add) a user:

Send a POST request to:

http://localhost:8180/admin/realms/YOUR_REALM_NAME/users

with this sample body:

{
  "firstName": "Amir",
  "lastName": "Sharafkar",
  "email": "amirh.sharafkar@gmail.com",
  "enabled": true,
  "username": "sharafkar",
  "credentials": [{
    "type": "password",
    "value": "1234",
    "temporary": false
  }]
}

To get all users:

Send a GET request to:

http://localhost:8180/admin/realms/YOUR_REALM_NAME/users

with an "Authorization" header with the value: Bearer {YOUR_TOKEN}

To get an individual user:

Send a GET request to:

http://localhost:8180/admin/realms/YOUR_REALM_NAME/users/{id}

with an "Authorization" header with the value: Bearer {YOUR_TOKEN}

DO NOT FORGET - Keycloak "version: 20.0.2"

Assign the role to your client with these steps:

  1. Click the Assign role button

  2. Select Filter by clients

  3. Finally, add the "manage-users" role to your client

  • Jizz! `2. Select Filter by clients` - that was what I was looking for for so long today. Thank you! **Why do they hide it so deep!?** – MrHIDEn Mar 23 '23 at 18:23
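The three calls in this answer, as an added example that is not the answer's own code: a small urllib client that obtains a client-credentials token, creates a user, searches users by username and fetches one by id. Base URL, realm, client id and secret are placeholders and the sample user is constructed; a 403 is turned into a message naming the realm-management role the call needs instead of the bare "unknown_error".

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://localhost:8180"   # Keycloak 20.x base URL as in this answer (no /auth prefix)
REALM = "YOUR_REALM_NAME"        # placeholder
CLIENT_ID = "YOUR_CLIENT_ID"     # placeholder: confidential client, service account enabled
CLIENT_SECRET = "YOUR_SECRET"    # placeholder

def user_representation(username, first, last, email, password, temporary=False):
    """Body for POST .../users, matching the sample in the answer ('enabled' is a boolean)."""
    return {"username": username, "firstName": first, "lastName": last, "email": email,
            "enabled": True,
            "credentials": [{"type": "password", "value": password, "temporary": temporary}]}

def users_url(base, realm, user_id=None, **query):  # collection, one user, or ?username=... search
    url = f"{base}/admin/realms/{urllib.parse.quote(realm)}/users"
    if user_id:
        url += "/" + urllib.parse.quote(user_id)
    return url + ("?" + urllib.parse.urlencode(query) if query else "")

def get_token(base, realm, client_id, client_secret):
    """Client-credentials grant against the realm's token endpoint."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    with urllib.request.urlopen(f"{base}/realms/{realm}/protocol/openid-connect/token", form) as r:
        return json.load(r)["access_token"]

def admin_call(url, token, method="GET", body=None):
    """One admin REST request -> (status, parsed JSON or None); a 403 is explained, not hidden."""
    req = urllib.request.Request(url, method=method,
                                 data=json.dumps(body).encode() if body is not None else None,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as r:
            raw = r.read()
            return r.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as e:
        if e.code == 403:
            raise PermissionError("403: service account lacks the realm-management role for this "
                                  "call (view-users to list/read, manage-users to create)") from e
        raise

if __name__ == "__main__":
    tok = get_token(BASE, REALM, CLIENT_ID, CLIENT_SECRET)
    print(admin_call(users_url(BASE, REALM), tok, "POST",  # 201 Created, empty body
                     user_representation("demo", "Demo", "User", "demo@example.test", "Passw0rd!")))
    status, found = admin_call(users_url(BASE, REALM, username="demo"), tok)
    print(status, found and admin_call(users_url(BASE, REALM, user_id=found[0]["id"]), tok))
```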
2
  • Log in to your Keycloak admin console and navigate to the "Client Scopes" section.

  • Click the "Create" button to create a new client scope "openid" as default.

  • Then go to your realm's client and select the Client Scopes tab.

  • Then add the openid scope.

[screenshot]

  • The reason why this worked, is most likely because you were using an example that had `scope=openid` in the URL at some point. This should not be needed in most scenarios unless you explicitly want to divide up scopes. – Torxed Apr 22 '23 at 17:12
1

I ran into the same issue with the Quarkus version 18.0.2:

  • a client "tmp" configured identically to "admin-cli" (only a different name)
  • all roles of "realm-management" assigned to the generated service user
  • using a client-credentials token of "tmp" for the user search endpoint (/auth/admin/realms/b2c/users/) leads to 403
  • using a manually created user works well (password credential type)
  • using the "admin-cli" client to get the client-credentials token works well, too

I found this: "client_id is a confidential client that belongs to the realm master" here: https://github.com/keycloak/keycloak-documentation/blob/main/server_development/topics/admin-rest-api.adoc

I don't know why this restriction was introduced, but when you fetch your token from master (/auth/realms/master/protocol/openid-connect/token), then you are allowed to use a custom client and everything is fine.

CNC-Parade