Tags: keycloak, roles, keycloak-rest-api

How to use client to post the realm role in Keycloak?


I have created a client in Keycloak and configured its access type to "confidential".

I can use the REST API protocol/openid-connect/token with the clientId and client secret to get the access token for this client.

In my design, there is a use case where I need to use the client access token to post a role in its Realm (the role needs to belong to the realm, not to this client). Then I can see the POST request is denied. I have configured the scope of this client to full scope but it doesn't help.

Any idea whether this is possible? If yes, what configs do I need for this client?


Solution

  • Try the following:

    (OLD Keycloak UI)

    1. Go to your Realm > Clients and select your client;
    2. Switch Service Accounts Enabled to ON, and click [SAVE];
    3. Switch to Service Accounts Roles tab;
    4. From the Client Roles dropdown menu select the realm-management client
    5. Select realm-admin, click Add Selected, and try it out.


    (New Keycloak UI)

    1. Select your Realm then go to Clients and select your client;
    2. In Authentication flow select Service accounts roles and click [SAVE];
    3. Switch to Service Accounts Roles tab;
    4. Click on Assign Role;
    5. In Search by role name, search for the role name 'realm-admin', then select it and click on Assign.

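Once the service account has been granted a realm-management role as described above, the request from the question can be made with plain HTTP calls. The following Python script is an added example, not code from the question or the answer: it obtains a token with the client_credentials grant and POSTs a realm role to the admin REST API. The environment variable names, the base-URL layout and the role name 'auditor' are assumptions for the example.

```python
"""Create a realm role using a confidential client's service-account token.

Assumptions (not from the original post):
  - KEYCLOAK_URL is the server base, e.g. https://kc.example.com
    (Keycloak versions before 17 serve everything under /auth, so the base
    would be https://kc.example.com/auth there).
  - The client has Service Accounts enabled and its service account holds a
    realm-management role that permits creating realm roles.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def build_token_request(base_url, realm, client_id, client_secret):
    """Client-credentials grant: the client authenticates as itself, no user involved."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        url,
        data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def build_create_role_request(base_url, realm, access_token, role_name, description=""):
    """Admin REST call that creates a realm role (not a client role)."""
    url = f"{base_url}/admin/realms/{realm}/roles"
    body = json.dumps({"name": role_name, "description": description}).encode()
    return urllib.request.Request(
        url,
        data=body,
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


def create_realm_role(base_url, realm, client_id, client_secret, role_name,
                      description="", opener=urllib.request.urlopen):
    """Fetch a service-account token, then POST the role. Returns the HTTP status (201 on success)."""
    with opener(build_token_request(base_url, realm, client_id, client_secret)) as resp:
        access_token = json.load(resp)["access_token"]
    role_req = build_create_role_request(base_url, realm, access_token, role_name, description)
    try:
        with opener(role_req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        if err.code == 403:
            # The symptom from the question: the token is valid, but the service
            # account carries no realm-management role that allows managing roles.
            raise PermissionError(
                "403 from Keycloak: assign a realm-management role (e.g. manage-realm) "
                "to the client's service account"
            ) from err
        if err.code == 409:
            raise ValueError(f"realm role {role_name!r} already exists") from err
        raise


if __name__ == "__main__":
    status = create_realm_role(
        os.environ["KEYCLOAK_URL"],
        os.environ["KEYCLOAK_REALM"],
        os.environ["KEYCLOAK_CLIENT_ID"],
        os.environ["KEYCLOAK_CLIENT_SECRET"],
        role_name="auditor",
        description="constructed example role",
    )
    print("created realm role, HTTP status", status)
```

The `opener` parameter exists so the two requests can be inspected or stubbed without a live server. Note that realm-admin makes the service account a full administrator of the realm; if the client only needs to create roles, the narrower manage-realm role from the same realm-management client is sufficient, and the script's 403 branch tells you when that grant is missing.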