
Which roles / configuration are needed for a user that is not in the master realm to effectively use the Keycloak 15 Admin REST API?

We are successfully using an account that is assigned the realm-admin role in the realm-management client to get a token for the admin-cli client.

This still works.

I cannot recall for how long, but after the migration from KC 14 to KC 15 we now experience 403 errors when trying to call admin CLI endpoints like:

/auth/admin/realms/${realm}/users/${userID}/role-mappings/clients/${appClientUUID}
/auth/admin/realms/${realm}/users/${userid}

etc.

If it threw 401s, I would know that it is at least a credential problem, but the token endpoint does push out an access token:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "{kid}"
}.{
  "exp": 1635328475,
  "iat": 1635328175,
  "jti": "b621421d-ad69-4ddf-bedb-2c0d5da360cd",
  "iss": "{keycloak URL}",
  "sub": "{subvalue}",
  "typ": "Bearer",
  "azp": "admin-cli",
  "session_state": "{uuid}",
  "acr": "1",
  "scope": "openid email profile",
  "sid": "986dce48-2ef2-49e5-9152-4e54396ff2a4",
  "email_verified": true,
  "name": "-",
  "preferred_username": "-",
  "given_name": "-",
  "family_name": "-",
  "email": "-"
}.[Signature]

What surprises me is that there seem to be no roles contained in the token.

Does anyone have a clue what might have gone wrong / has been misconfigured for KC 15 regarding the Admin Rest API?

damnedOperator
  • Please double check if your user really has the `realm-admin` role for the `realm-management` client in the realm that you are trying to access via the REST API. I just double checked and everything works fine with version 15.0.2. Keycloak knows which roles a user has from its database. No need to encode them into the token in this case. – sventorben Oct 27 '21 at 17:11
  • I double checked again and the user we try to auth really has the `realm-admin` role assigned to it. – damnedOperator Oct 28 '21 at 08:50
  • *doh* Thank you for your help. I should have double checked which protocol I was using. Sometimes these mistakes happen... – damnedOperator Oct 28 '21 at 08:56

1 Answer

Turns out the only problem here was the protocol I specified when making the request. Sometimes schoolboy errors happen.

For those who turn up here googling the same thing: Check if your user has the role of realm-admin in the client realm-management assigned. Everything else is handled internally by Keycloak.

damnedOperator
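As an added example (not code from the question or answer), a small Python diagnostic that decodes an Admin REST API bearer token without verifying it and explains a 401 versus a 403 the way the thread does: a 401 is a credential problem, a 403 means the token was accepted but the user lacks `realm-admin` in `realm-management` for that realm, a token issued by a different realm (or fetched from a different scheme/host than the one being called) is a likely cause, and an absence of role claims is expected. The host `keycloak.example`, the realm `myrealm` and the sample claims are constructed placeholders, not values from the page.

```python
import base64
import json

# Constructed sample claims mirroring the shape of the token in the question;
# keycloak.example and "myrealm" are placeholders, not values from the page.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example/auth/realms/myrealm",
    "azp": "admin-cli",
    "typ": "Bearer",
    "scope": "openid email profile",
    "preferred_username": "-",
}

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_unsigned_token(claims: dict) -> str:
    # Test helper only: header.payload.fake-signature so the diagnosis runs offline.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"

def decode_jwt_unverified(token: str) -> dict:
    # Debugging aid only: the signature is NOT checked, so never use these
    # claims for an access decision.
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def diagnose_admin_call(token: str, request_url: str, status: int) -> list:
    # Explain a 401/403 from /auth/admin/realms/<realm>/... for the given token.
    if status == 401:
        return ["401: credential problem (token missing, invalid or expired)"]
    claims = decode_jwt_unverified(token)
    findings = []
    if status == 403:
        findings.append("403: token accepted; check realm-admin in realm-management for this realm")
    # A realm-local admin token only administers the realm that issued it.
    issuer_base, _, issuer_realm = claims.get("iss", "").partition("/realms/")
    request_base, _, rest = request_url.partition("/admin/realms/")
    target_realm = rest.split("/", 1)[0]
    if issuer_realm != target_realm:
        findings.append(f"token issued by realm '{issuer_realm}' but request targets realm '{target_realm}'")
    # Same scheme, host and base path as the issuer (catches http vs https slips).
    if request_base != issuer_base:
        findings.append(f"request base '{request_base}' differs from issuer base '{issuer_base}'")
    if "realm_access" not in claims and "resource_access" not in claims:
        findings.append("no roles in token: expected, Keycloak resolves admin roles from its database")
    return findings
```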