keycloakadministrationkeycloak-rest-apiidentity-management

Which roles enable a user in a Keycloak Realm to use the Admin-REST-API?


Which roles / configuration are needed for a user that is not in the master realm to effectively use the Keycloak 15 Admin REST API?

We are successfully using an account that is assigned the realm-admin role in the realm-management client to get a token for the admin-cli client.

This still works.

I can not recall for how long, but after the migration from KC 14 to KC 15 we now experience 403 Errors when trying to call admin cli endpoints like:

/auth/admin/realms/${realm}/users/${userID}/role-mappings/clients/${appClientUUID}
/auth/admin/realms/${realm}/users/${userid}

etc.

If it would throw 401s I would know that it is at least a credential problem, but the token endpoint does push out an access token:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "{kid}"
}.{
  "exp": 1635328475,
  "iat": 1635328175,
  "jti": "b621421d-ad69-4ddf-bedb-2c0d5da360cd",
  "iss": "{keycloak URL}",
  "sub": "{subvalue}",
  "typ": "Bearer",
  "azp": "admin-cli",
  "session_state": "{uuid}",
  "acr": "1",
  "scope": "openid email profile",
  "sid": "986dce48-2ef2-49e5-9152-4e54396ff2a4",
  "email_verified": true,
  "name": "-",
  "preferred_username": "-",
  "given_name": "-",
  "family_name": "-",
  "email": "-"
}.[Signature]

What surprises me is the case that there seem to be no roles contained in the token.

Does anyone have a clue what might have gone wrong / has been misconfigured for KC 15 regarding the Admin Rest API?


Solution

  • Turns out the only problem here was the protocol I specified when making the request. Sometimes schoolboy errors happen.

    For those who turn up here googling the same thing: Check if your user has the role of realm-admin in the client realm-management assigned. Everything else is handled internally by Keycloak.