Allow client to retrieve users from keycloak

I want to let my client application access user information from keycloak. Therefore, I created another realm (myrealm1) in keycloak and within that realm I created a new client (myclient1).

keycloak configuration:

Client configuration

Client myclient1 configuration

Actually, I tried a lot of other combinations without success.


In the client scopes tab, I added the admin client scope
In the service account roles tab, I added the admin role

Client scope configuration

For the admin client scope, I assigned the admin role in the scope tab.

Realm role configuration

For the admin realm role, I assigned the admin role in the associated role tab.

REST API Calls

These are the REST API calls I am using:

curl --location --request POST 'http://localhost:8080/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=myclient1' \
--data-urlencode 'client_secret=PehR9f95woZmEEHcKfSgPaosu1Yt6P9s' \
--data-urlencode 'grant_type=client_credentials'

Returns

{
    "access_token": "eyJhbGciOiJS...",
    "expires_in": 300,
    "refresh_expires_in": 0,
    "token_type": "Bearer",
    "not-before-policy": 0,
    "scope": "email profile admin"
}

So far so good, I do get a token.

curl --location --request GET 'http://localhost:8080/admin/realms/myrealm/users' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJS...'

Returns
HTTP 403

{
    "error": "unknown_error"
}

This is not as expected. The expected result would be the user information.

Btw, I do get it working for the admin user of the master realm:

curl --location --request POST 'http://localhost:8080/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=password' \
--data-urlencode 'grant_type=password'

But this is not what I want. I would like to get it working for my custom client.

Setup

I am using keycloak 19.0.3

My question

What is missing to get it working? I.e., how do I enable my client to make use of the Keycloak REST APIs such as /admin/realms/myrealm/users?

Solution:

You need to go to:

  • your realm;
  • your Client;
  • then go to service account;


  • Click on Assign Role;
  • Select Filter by clients;
  • and search for ‘realm-management’


  • Select and assign the desired roles.
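As an added example (not from the question, the answer, or Keycloak's own code): a Python client that runs the same client_credentials flow and, before calling the admin API, inspects the token's resource_access["realm-management"] roles, which is what the admin endpoints authorize against, so a token whose scope merely says "admin" (as in the question) is flagged before it produces a 403. The base URL, realm, client id and secret are placeholders for your deployment, and the tokens in the demonstration are constructed, unsigned stand-ins built only to show the check offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Hypothetical deployment values; the secret is a placeholder, not a real credential.
BASE_URL, REALM = "http://localhost:8080", "myrealm"
CLIENT_ID, CLIENT_SECRET = "myclient1", "<client-secret-placeholder>"
# Least privilege: listing users needs only these realm-management client roles, not realm-admin.
REQUIRED_ROLES = {"view-users", "query-users"}

def jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying the signature (inspection only, never authorization)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def missing_realm_management_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Required roles the token lacks. The admin REST API authorizes on
    resource_access["realm-management"]["roles"]; a realm role named 'admin' does not count."""
    ra = jwt_payload(token).get("resource_access", {})
    return set(required) - set(ra.get("realm-management", {}).get("roles", []))

def service_account_token() -> str:
    """client_credentials grant for the client's service account (same call as the question's first curl)."""
    body = urllib.parse.urlencode({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                                   "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/token", data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def list_users(token: str) -> list:
    """GET /admin/realms/{realm}/users; urlopen raises HTTPError 403 when the roles are missing."""
    req = urllib.request.Request(f"{BASE_URL}/admin/realms/{REALM}/users",
                                 headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def constructed_token(claims: dict) -> str:
    """Unsigned, JWT-shaped string built from constructed claims, for offline demonstration only."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(b'{"alg":"none"}')
    return header + "." + enc(json.dumps(claims).encode()) + "."

if __name__ == "__main__":
    # Token as in the question: realm role 'admin' in scope, no realm-management client roles -> 403.
    before = constructed_token({"scope": "email profile admin", "resource_access": {}})
    after = constructed_token({"resource_access": {"realm-management": {"roles": sorted(REQUIRED_ROLES)}}})
    print(sorted(missing_realm_management_roles(before)))  # ['query-users', 'view-users']
    print(sorted(missing_realm_management_roles(after)))   # []
```

Against a live server, call service_account_token() and pass the result to missing_realm_management_roles() before list_users(); an empty set means the roles assigned in the answer are present in the token.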