Authenticated using a staff role, I'm trying to get a list of users having a dealer role using the following method:
GET: admin/realms/{realm}/clients/8cf0e750-6807-46e9-a9b3-a33b1340b175/roles/{role}/users
Unfortunately I'm encountering a 403 Forbidden response, "error": "unknown_error". I googled a bit but now I'm more confused. These roles are defined at a realm level but I've created additional roles at a client level. I've enabled service account roles at client level, assigned both client roles (dealer and staff) and view-users & manage-users from realm-management scope level but without success.
What changes do I need to make in order to achieve my goal?
You are using the clients API, so you need to add the manage-clients role to your user.
Edit:
To use the service account you need to authenticate with the client id and token.
curl --location --request POST 'http://localhost:8080/realms/HUB/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=my-client' \
--data-urlencode 'client_secret=my-client-secret' \
--data-urlencode 'grant_type=client_credentials'
Then you can use this token to make your API calls. Make sure that the service account has the required roles assigned.
This is my call to get the role users:
curl --location --request GET 'http://localhost:8080/admin/realms/HUB/clients/4eaeb1d8-3dd9-4e8d-a352-a71574dfdff1/roles/api-user/users' \
--header 'Authorization: Bearer <access_token>' \
--data-raw ''
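
A 403 from the admin API is easier to diagnose once you can see which roles the access token actually carries. The following is an added example, not part of the question or answer above: it decodes the payload of a Keycloak access token and reports which realm-management client roles are absent. It assumes the token includes the usual `resource_access` claim; the sample token is constructed, and the required role names are the ones mentioned in this thread, passed in by the caller rather than checked against Keycloak's permission model.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def client_roles(claims: dict, client: str = "realm-management") -> set:
    """Client roles granted for `client`, read from the resource_access claim."""
    return set(claims.get("resource_access", {}).get(client, {}).get("roles", []))


def missing_roles(token: str, required, client: str = "realm-management") -> list:
    """Roles from `required` that the token does not carry for `client`."""
    return sorted(set(required) - client_roles(jwt_claims(token), client))


def _make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


# Constructed claims modelled on the question: the service account has
# view-users and manage-users from realm-management plus both client roles.
SAMPLE_TOKEN = _make_sample_token({
    "azp": "my-client",
    "preferred_username": "service-account-my-client",
    "resource_access": {
        "realm-management": {"roles": ["view-users", "manage-users"]},
        "my-client": {"roles": ["dealer", "staff"]},
    },
})

if __name__ == "__main__":
    # Role names to check are an assumption taken from this thread.
    wanted = ["manage-clients", "view-users"]
    print("missing:", missing_roles(SAMPLE_TOKEN, wanted))
```

Run it against the `access_token` value returned by the token endpoint call shown earlier; an empty list means every role you asked about is present in the token.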