Keycloak: Client in non-master realm gets 403 Forbidden when using User Search API
I have a non-master realm in my Keycloak instance which is called camunda-platform (it is deployed with the official Docker Compose configuration file of Camunda 8 Self-Managed).
I want to use the Keycloak API to search for the users in camunda-platform realm. When I use the access token that I have got with my client in the master realm, I can list the users. But when I use the access token that I have received from a client that is created in the camunda-platform (non-master) realm, it doesn't work and I get a 403 Forbidden. Here's the cURL request:
curl --location '<keycloak_base_url>/auth/admin/realms/camunda-platform/users' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer <my_token>' \
--data ''
I am sure the endpoint is correct. I am also sure that the token is not expired. Here's the capability config which is presumably correct:
Service accounts roles and Client authentication are both enabled and I have literally assigned every single possible role (including realm-admin, manage-users and view-users) to my client. But still, I cannot search for the users. The weird thing is, I can use other API calls such as fetching variables, form schemas and process definitions with the same token. Do you have any ideas?
I found the problem. I had to assign the necessary roles to the user as well as the client. I thought it was enough to assign the roles to the client and get the token but I also had to make sure the user has the necessary permissions. I close this as solved.
- Export users and roles from Keycloak
- Keycloak: Client in non-master realm gets 403 Forbidden when using User Search API
- How to enable Terms and conditions in keycloak with kcadmin?
- Properties are not passed to docker-compose
- How to set Directus with Keycloak SSO Config?
- Keycloak move from 23.0 to 24.0: Account is not fully set up [invalid_grant]
- Keycloak HA: distributed cache check
- Access user info from SecurityIdentity using quarkus-oidc
- ASP.NET Core 8 + Keycloak: Role-based Authorization for Derived Controllers without Code Duplication
- Keykloack docker enable features
- How to map a user attribute to a standard OIDC claim in keycloak
- Clojure http classic web app don´t get access token on SSO authentication
- Authenticate FastAPI with clientid/clientsecret
- Keycloak 18 in Gitlab Service sometimes does not load realm (without error)
- Disabling authenticator, sessions, applications, log and my resources options from the Account Management Console in KeyCloak
- Mapping user groups to JWT in keycloak maps realm roles instead
- Is it possible to disable HTTP for a Keycloak instance in Azure Container Apps?
- Keycloak, not returning access token if update password action selected
- Proper design for th Keycloak auth with APIs and UI
- Keycloak-js updateToken(minValidity) needs clarifications
- "Correlation failed." after upgrading 'Microsoft.IdentityModel.JsonWebTokens' and 'System.IdentityModel.Tokens.Jwt'
- StackOverflow with Keycloak as login provider returns empty email address
- Redirect from java app in docker container to the keyCloak
- How can I know the Keycloak version?
- Using a Database as Provider for Keycloak Application Realm
- Keycloak Custom Registration Flow Fails with "KC-SERVICES0013: Failed authentication: java.lang.NullPointerException" Error
- Role based authorization using Keycloak and .NET core
- Globally disable https keycloak
- Use Keycloak Spring Adapter with Spring Boot 3
- KeyCloak Login leads to infinite loop