Azhagesan

Reputation: 307

Keycloak Get Users returns 403 forbidden

I create a token using the http://localhost:8080/auth/realms/{realm_name}/protocol/openid-connect/token endpoint.

grant_type=client_credentials
client-id: ------------
client-secret: 78296d38-cc82-4010-a817-65c283484e51

Now I want to get the users of the realm, so I send a request to the http://localhost:8080/auth/admin/realms/{realm_name}/users?username=demo endpoint with the token. But I get a 403 Forbidden response with "error": "unknown_error". How do I solve it?

Upvotes: 22

Views: 69185
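Before changing any role mappings it helps to look at what the client_credentials token actually carries, because the admin API decides on the roles inside it. The following is an added example (not from the question, the answers or Keycloak itself) that decodes a token's payload and reports why GET /admin/realms/{realm}/users would reject it. The three tokens in it are constructed, unsigned samples; the realm name myrealm, the client name demo-client and the localhost URL are assumptions.

```python
"""Added example, not code from the page or from Keycloak: decode the access token from
the client_credentials request and check whether it can pass the admin API's role check.
Keycloak lists client-role grants under the resource_access claim; GET /admin/realms/{realm}/users
needs realm-management/view-users (or a role containing it, such as manage-users or realm-admin)
there. Tokens issued by the master realm carry the same roles under the client named
"<realm>-realm" instead. The three tokens below are constructed, unsigned samples."""
import base64
import json

LIST_USERS_ROLES = {"view-users", "manage-users", "realm-admin"}  # any one of these suffices


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """header.payload.<empty signature>, so the samples here need no key; demo use only."""
    return f'{_b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())}.{_b64url(json.dumps(claims).encode())}.'


def jwt_claims(token: str) -> dict:
    """Decodes the payload WITHOUT verifying the signature: fine for reading your own
    token while debugging a 403, never for trusting a token someone else sends you."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def client_roles(token: str, client_id: str) -> set:
    """Roles granted for one client, e.g. client_roles(t, "realm-management")."""
    return set(jwt_claims(token).get("resource_access", {}).get(client_id, {}).get("roles", []))


def diagnose(token: str, target_realm: str) -> list:
    """Returns findings that explain a 403 on /admin/realms/{target_realm}/users;
    an empty list means the token carries what that endpoint needs."""
    claims = jwt_claims(token)
    issuer_realm = claims.get("iss", "").rsplit("/realms/", 1)[-1]
    findings = []
    if issuer_realm not in (target_realm, "master"):
        findings.append(f"issued by realm '{issuer_realm}', which cannot administer '{target_realm}'")
    # Roles for the target realm sit under realm-management in that realm's own tokens,
    # and under the "<realm>-realm" client in tokens issued by master.
    holder = "realm-management" if issuer_realm == target_realm else f"{target_realm}-realm"
    roles = client_roles(token, holder)
    if not roles & LIST_USERS_ROLES:
        findings.append(f"no {'/'.join(sorted(LIST_USERS_ROLES))} role under resource_access.{holder} "
                        f"(roles present: {sorted(roles) or 'none'}); map it onto "
                        f"{claims.get('preferred_username', 'the token subject')}")
    return findings


# Constructed samples (not real Keycloak output). The first is what a fresh confidential
# client's service account typically gets: default realm roles and account roles only.
ISS = "http://localhost:8080/auth/realms/"  # assumption: the question's server URL
SA_NO_ROLES = make_unsigned_token({
    "iss": ISS + "myrealm", "azp": "demo-client", "preferred_username": "service-account-demo-client",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"account": {"roles": ["view-profile", "manage-account"]}},
})
SA_VIEW_USERS = make_unsigned_token({
    "iss": ISS + "myrealm", "azp": "demo-client", "preferred_username": "service-account-demo-client",
    "resource_access": {"realm-management": {"roles": ["view-users", "query-users", "query-groups"]}},
})
MASTER_ADMIN = make_unsigned_token({
    "iss": ISS + "master", "azp": "admin-cli", "preferred_username": "admin",
    "resource_access": {"myrealm-realm": {"roles": ["view-users"]}},
})

if __name__ == "__main__":
    for name, tok in [("SA_NO_ROLES", SA_NO_ROLES), ("SA_VIEW_USERS", SA_VIEW_USERS), ("MASTER_ADMIN", MASTER_ADMIN)]:
        print(name, diagnose(tok, "myrealm") or "ok")
```

Paste your own access_token into diagnose(token, "<realm_name>"): a token like SA_NO_ROLES is the usual cause of the 403 in the question, and the finding names the service-account user the role has to be mapped onto. The decoder deliberately skips signature verification; it is a debugging aid for a token you just received from the token endpoint, not an authorization check.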

Answers (6)

Md Abid Khan

Reputation: 1

As the response code (403 Forbidden) says, the server has understood the request but you don't have the permissions to call that API.

So, to get access to view the users/groups/roles available in Keycloak, you must map the roles to the user. You can follow the path below to map any roles.

Click on Users --> select your user --> click on Role Mapping --> click on Assign Roles --> Filter by clients --> select the roles and save


Upvotes: 0

Mohamed Fayek Saber

Reputation: 81

  • Log in to your Keycloak admin console and navigate to the "Client Scopes" section.

  • Click the "Create" button to create a new client scope "openid" as default.

  • Then go to your realm client and select the Client Scopes tab.

  • Then add the openid scope.


Upvotes: 3

Amir Sharafkar

Reputation: 141

To create (add) a user,

send a POST request to:

http://localhost:8180/admin/realms/YOUR_REALM_NAME/users

with this sample body:

    {
      "firstName": "Amir",
      "lastName": "Sharafkar",
      "email": "[email protected]",
      "enabled": true,
      "username": "sharafkar",
      "credentials": [{
        "type": "password",
        "value": "1234",
        "temporary": false
      }]
    }

To get all users,

send a GET request to:

http://localhost:8180/admin/realms/YOUR_REALM_NAME/users

with an "Authorization" header whose value is: Bearer {YOUR_TOKEN}

To get an individual user,

send a GET request to:

http://localhost:8180/admin/realms/YOUR_REALM_NAME/users/{id}

with an "Authorization" header whose value is: Bearer {YOUR_TOKEN}

DO NOT FORGET - Keycloak version 20.0.2

Assign the role to your client with these steps:

  1. Click the Assign role button

  2. Select Filter by clients

  3. Finally, add the "manage-users" role to your client

Upvotes: 11

Dzmitry Harlach

Reputation: 61

You need to assign a target realm-management role to your custom user. E.g. in Keycloak version 19.02, to assign any realm-management role such as manage-users, manage-clients or realm-admin, you must follow these steps:

  1. Create a new user
  2. Navigate to the user details and open the Role Mapping tab.
  3. Click the Assign role button
  4. Select Filter by clients
  5. You will see the first 10 results; click ">" to see the next 10 results, etc., or use the search box
  6. Select one target role

(Screenshot: Filter by client, realm-management roles)

Upvotes: 6

CNC-Parade

Reputation: 31

I ran into the same issue with the Quarkus version 18.0.2:

  • a client "tmp" configured identically to "admin-cli" (only a different name)
  • all roles of "realm-management" assigned to the generated service user
  • using a client-credentials token of "tmp" for the user search endpoint (/auth/admin/realms/b2c/users/) leads to 403
  • using a manually created user works well (password credential type)
  • using the "admin-cli" client to get the client-credentials token works well, too

I found this: "client_id is a confidential client that belongs to the realm master" here: https://github.com/keycloak/keycloak-documentation/blob/main/server_development/topics/admin-rest-api.adoc

I don't know why this restriction was introduced, but when you fetch your token from master (/auth/realms/master/protocol/openid-connect/token), you are allowed to use a custom client and everything is fine.

Upvotes: 1

Lucas Declercq

Reputation: 1750

The service account associated with your client needs to be allowed to view the realm users.

  1. Go to http://localhost:8080/auth/admin/{realm_name}/console/#/realms/{realm_name}/clients

  2. Select your client (which must be a confidential client)

  3. In the Settings tab, switch Service Account Enabled to ON

  4. Click on save, the Service Account Roles tab will appear

  5. In Client Roles, select realm-management

  6. Scroll through the available roles until you can select view-users

  7. Click on Add selected

You should have something like this (the original answer shows a screenshot of the Service Account Roles tab here):

Your client is now allowed to access users through the REST API.

Upvotes: 53
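The console steps above can also be done over the admin REST API, which is useful when the client is provisioned by a script rather than by hand; the same helper then issues the GET /users call from Amir Sharafkar's answer with the fixed client's own token. The following is an added example, not code from the page or from Keycloak. It assumes the /auth URL layout and localhost server from the question, a realm named myrealm, a confidential client named demo-client, and a bootstrap token (for example from a master-realm admin) that already holds the realm-management roles manage-clients and manage-users. FakeKeycloak is a constructed in-memory stand-in for the server so the flow runs offline.

```python
"""Added example, not code from the page or from Keycloak. It performs the accepted
answer's console steps (enable the service account, map realm-management/view-users
onto it) over the admin REST API, then lists users with the client's own token as in
the question and in Amir Sharafkar's answer. Assumed: the /auth URL layout from the
question, a confidential client named demo-client, and a bootstrap token (e.g. from a
master-realm admin) that already holds realm-management manage-clients and manage-users."""
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/auth"  # assumption: the question's server URL


def urllib_transport(method, url, headers, body):
    """Real HTTP; returns (status, raw body) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class KeycloakAdmin:
    """Minimal /admin/realms/{realm} client; `token` is the access_token from the question's
    client_credentials request, and the transport is injectable so this runs offline."""

    def __init__(self, realm, token, transport=urllib_transport):
        self.realm, self.token, self.transport = realm, token, transport

    def _call(self, method, path, body=None, params=None):
        url = f"{BASE}/admin/realms/{self.realm}{path}" + ("?" + urllib.parse.urlencode(params) if params else "")
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        status, raw = self.transport(method, url, headers, None if body is None else json.dumps(body).encode())
        if status == 403:  # the question's symptom: a valid token, but no realm-management role behind it
            raise PermissionError(f"{method} {path}: 403, the token lacks the realm-management role for this call")
        if status >= 400:
            raise RuntimeError(f"{method} {path}: HTTP {status} {raw[:200]!r}")
        return json.loads(raw) if raw else None

    def client_uuid(self, client_id):
        """Admin endpoints address clients by internal UUID, not by the clientId you typed."""
        return self._call("GET", "/clients", params={"clientId": client_id})[0]["id"]

    def grant_service_account_role(self, client_id, role_name="view-users"):
        """Accepted answer, steps 3-7: enable the service account, then map one
        realm-management client role onto the service-account-<clientId> user."""
        uuid = self.client_uuid(client_id)
        rep = self._call("GET", f"/clients/{uuid}")
        rep["serviceAccountsEnabled"] = True
        self._call("PUT", f"/clients/{uuid}", body=rep)
        sa_user = self._call("GET", f"/clients/{uuid}/service-account-user")
        rm_uuid = self.client_uuid("realm-management")
        role = self._call("GET", f"/clients/{rm_uuid}/roles/{role_name}")
        self._call("POST", f"/users/{sa_user['id']}/role-mappings/clients/{rm_uuid}", body=[role])
        return sa_user["id"]

    def find_users(self, username):  # GET /users?username=... with the Bearer header, as in the question
        return self._call("GET", "/users", params={"username": username})


class FakeKeycloak:
    """Constructed offline stand-in for the server (sample input, not Keycloak itself):
    'admin-token' may do anything; 'sa-token' gets 403 until user sa1 holds view-users."""

    def __init__(self):
        self.clients = {"c1": {"id": "c1", "clientId": "demo-client", "serviceAccountsEnabled": False},
                        "c2": {"id": "c2", "clientId": "realm-management"}}
        self.users = [{"id": "u1", "username": "demo"}, {"id": "sa1", "username": "service-account-demo-client"}]
        self.mappings = {}  # user id -> role names granted

    def __call__(self, method, url, headers, body):
        p = urllib.parse.urlparse(url)
        q, seg = dict(urllib.parse.parse_qsl(p.query)), p.path.split("/admin/realms/")[1].split("/")[1:]
        if headers["Authorization"] == "Bearer sa-token" and "view-users" not in self.mappings.get("sa1", []):
            return 403, b'{"error":"unknown_error"}'
        if seg == ["clients"]:
            return 200, json.dumps([c for c in self.clients.values() if c["clientId"] == q["clientId"]]).encode()
        if seg[0] == "clients" and len(seg) == 2:
            if method == "PUT":
                self.clients[seg[1]].update(json.loads(body))
                return 204, b""
            return 200, json.dumps(self.clients[seg[1]]).encode()
        if seg[0] == "clients" and seg[2] == "service-account-user":
            return 200, json.dumps(self.users[1]).encode()
        if seg[0] == "clients" and seg[2] == "roles":
            return 200, json.dumps({"id": "r1", "name": seg[3]}).encode()
        if seg == ["users"]:
            return 200, json.dumps([u for u in self.users if u["username"] == q["username"]]).encode()
        if seg[0] == "users" and seg[2] == "role-mappings":
            self.mappings.setdefault(seg[1], []).extend(r["name"] for r in json.loads(body))
            return 204, b""
        return 404, b""


def demo(transport, sa_token="sa-token"):
    """Reproduce the 403 with the client's own token, apply the fix with the bootstrap token, retry."""
    sa = KeycloakAdmin("myrealm", sa_token, transport)
    try:
        sa.find_users("demo")
        before = "ok"
    except PermissionError:
        before = "403"
    KeycloakAdmin("myrealm", "admin-token", transport).grant_service_account_role("demo-client")
    return before, [u["username"] for u in sa.find_users("demo")]
```

demo(FakeKeycloak()) returns ("403", ["demo"]): the first GET /users with the service account's token fails exactly as in the question, and the same token succeeds once view-users has been mapped onto service-account-demo-client. Against a real server, pass urllib_transport (the default) and the access_token from the question's client_credentials request as sa_token; the bootstrap step needs a second, more privileged token. view-users is the least-privileged realm-management role that makes GET /users succeed; manage-users (Amir Sharafkar's answer) and realm-admin also work but let the service account modify users, so grant them only when the integration has to write.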
