I want to let my client application access user information from Keycloak. Therefore, I created another realm (myrealm1) in Keycloak and within that realm I created a new client (myclient1).

Actually, I tried a lot of other combinations without success.
In the client scopes tab, I added the admin client scope.
In the service account roles tab, I added the admin role.
For the admin client scope, I assigned the admin role in the scope tab.
For the admin realm role, I assigned the admin role in the associated role tab.
These are the REST API calls I am using:
curl --location --request POST 'http://localhost:8080/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=myclient1' \
--data-urlencode 'client_secret=PehR9f95woZmEEHcKfSgPaosu1Yt6P9s' \
--data-urlencode 'grant_type=client_credentials'
Returns
{
    "access_token": "eyJhbGciOiJS...",
    "expires_in": 300,
    "refresh_expires_in": 0,
    "token_type": "Bearer",
    "not-before-policy": 0,
    "scope": "email profile admin"
}
So far so good, I do get a token.
curl --location --request GET 'http://localhost:8080/admin/realms/myrealm/users' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJS...'
Returns HTTP 403
{
    "error": "unknown_error"
}
This is not as expected. The expected result would be the user information.
Btw, I do get it working for the admin user of the master realm
curl --location --request POST 'http://localhost:8080/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=password' \
--data-urlencode 'grant_type=password'
But this is not what I want. I would like to get it working for my custom client.
I am using Keycloak 19.0.3.
What is missing to get it working? I.e., how do I enable my client to make use of the Keycloak REST APIs such as /admin/realms/myrealm/users?
You need to go to:


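Added example, not part of the question or the answer above: a diagnostic for the 403 that decodes the access token returned by the client_credentials call and reports which roles it actually carries. It assumes the token comes from the same non-master realm as the request, that the default `roles` client scope puts the service account's effective roles into the token, and that the built-in `realm-management` client roles (`view-users`, `manage-users`, `realm-admin`) are what authorise the users endpoint; the sample token is constructed.

```python
import base64
import json

# Assumption (not stated on the page): in a non-master realm the Admin REST API
# is authorised by client roles of the built-in "realm-management" client.
ADMIN_CLIENT = "realm-management"
USER_READ_ROLES = {"view-users", "manage-users", "realm-admin"}


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, target_realm: str) -> list:
    """Return reasons this token is unlikely to pass GET /admin/realms/<realm>/users."""
    claims = decode_claims(token)
    findings = []
    issuer_realm = claims.get("iss", "").rstrip("/").rsplit("/", 1)[-1]
    if issuer_realm != target_realm:
        findings.append(f"token issued by realm '{issuer_realm}', request targets '{target_realm}'")
    roles = set(claims.get("resource_access", {}).get(ADMIN_CLIENT, {}).get("roles", []))
    if not roles & USER_READ_ROLES:
        findings.append(f"no user-read role from '{ADMIN_CLIENT}' in token (has: {sorted(roles)})")
    return findings


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: a service-account token carrying only a custom realm role "admin".
SAMPLE = make_token({
    "iss": "http://localhost:8080/realms/myrealm",
    "azp": "myclient1",
    "realm_access": {"roles": ["admin"]},
})

if __name__ == "__main__":
    for line in diagnose(SAMPLE, "myrealm") or ["token carries a user-read admin role"]:
        print(line)
```

Granting the service account only the narrowest role that covers the call (for example `view-users` rather than `realm-admin`) keeps the client's reach limited to reading users.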