Tags: keycloak, camunda, keycloak-rest-api

Keycloak: Client in non-master realm gets 403 Forbidden when using User Search API


I have a non-master realm in my Keycloak instance which is called camunda-platform (it is deployed with the official Docker Compose configuration file of Camunda 8 Self-Managed). I want to use the Keycloak API to search for the users in camunda-platform realm. When I use the access token that I have got with my client in the master realm, I can list the users. But when I use the access token that I have received from a client that is created in the camunda-platform (non-master) realm, it doesn't work and I get a 403 Forbidden. Here's the cURL request:

# Listing users is a GET with no body; sending --data '' would turn the request into a POST
curl --location '<keycloak_base_url>/auth/admin/realms/camunda-platform/users' \
--header 'Authorization: Bearer <my_token>'

I am sure the endpoint is correct. I am also sure that the token is not expired. Here's the capability config which is presumably correct:

(screenshot: client capability config)

Service accounts roles and Client authentication are both enabled and I have literally assigned every single possible role (including realm-admin, manage-users and view-users) to my client. But still, I cannot search for the users. The weird thing is, I can use other API calls such as fetching variables, form schemas and process definitions with the same token. Do you have any ideas?


Solution

  • I found the problem. I had to assign the necessary roles to the user as well as the client. I thought it was enough to assign the roles to the client and get the token but I also had to make sure the user has the necessary permissions. I close this as solved.
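The accepted answer is that the roles have to reach the service-account user behind the client, not just be listed on the client. A quick way to confirm that before blaming the endpoint is to look at what the access token actually carries: the admin API checks the client roles of the built-in `realm-management` client, which appear in the token under `resource_access["realm-management"]["roles"]`. The script below is an added example, not code from the question or from Camunda or Keycloak; it decodes a token locally (without signature verification, purely for inspection), reports whether a user-listing role such as `view-users` or `realm-admin` is present, and shows the plain GET against the users endpoint. The client name `my-service-client` and the two embedded tokens are constructed for the offline demonstration; `get_service_account_token` and `list_users` assume the `/auth` URL prefix used in the question (older Keycloak versions), which you drop on newer releases.

```python
"""Diagnose a Keycloak admin-API 403 by inspecting the service-account token."""
import base64
import json
import urllib.parse
import urllib.request

# Client roles of the built-in "realm-management" client that allow listing
# users of a realm. "realm-admin" is a composite that contains "view-users".
USER_LIST_ROLES = {"view-users", "realm-admin"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    Only for local inspection of a token you obtained yourself; it must never
    be used to accept a token from someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    return json.loads(_b64url_decode(parts[1]))


def realm_management_roles(claims: dict) -> set:
    """Roles of the 'realm-management' client carried by the token."""
    return set(claims.get("resource_access", {})
               .get("realm-management", {})
               .get("roles", []))


def can_list_users(claims: dict) -> bool:
    """True if the token carries a role that lets it call GET /admin/realms/{realm}/users."""
    return bool(realm_management_roles(claims) & USER_LIST_ROLES)


def explain_403(token: str) -> str:
    """Human-readable verdict for a 403 on the users endpoint."""
    claims = decode_jwt_payload(token)
    roles = realm_management_roles(claims)
    if roles & USER_LIST_ROLES:
        return "token carries %s; a 403 is not a role problem" % sorted(roles & USER_LIST_ROLES)
    return ("token has no realm-management role that allows listing users (found: %s); "
            "assign view-users or realm-admin to the service-account user of client %r"
            % (sorted(roles) or "none", claims.get("azp")))


def get_service_account_token(base_url: str, realm: str, client_id: str, client_secret: str) -> str:
    """client_credentials grant against the realm's token endpoint (network call)."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def list_users(base_url: str, realm: str, token: str, search: str = "") -> list:
    """GET /admin/realms/{realm}/users: a GET with no body and no form content type."""
    url = f"{base_url}/auth/admin/realms/{realm}/users"
    if search:
        url += "?" + urllib.parse.urlencode({"search": search})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _constructed_token(payload: dict) -> str:
    # CONSTRUCTED, unsigned sample token for offline demonstration only.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


# Constructed: the situation in the question, roles on the client's own
# resource but nothing from realm-management reaches the token.
TOKEN_WITHOUT_ADMIN_ROLES = _constructed_token({
    "azp": "my-service-client",
    "iss": "https://keycloak.example/auth/realms/camunda-platform",
    "resource_access": {"my-service-client": {"roles": ["uma_protection"]}},
})

# Constructed: after assigning view-users to the service-account user.
TOKEN_WITH_VIEW_USERS = _constructed_token({
    "azp": "my-service-client",
    "iss": "https://keycloak.example/auth/realms/camunda-platform",
    "resource_access": {"realm-management": {"roles": ["view-users", "query-users"]}},
})

if __name__ == "__main__":
    print(explain_403(TOKEN_WITHOUT_ADMIN_ROLES))
    print(explain_403(TOKEN_WITH_VIEW_USERS))
```

In the admin console the roles that end up in this claim are the ones assigned on the client's "Service accounts roles" tab, which is exactly the hidden `service-account-<client_id>` user the answer refers to; assigning the same roles as plain client roles on the client does not put them into its own service-account token.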