403 Forbidden - Accessing Keycloak APIs

Hey, everyone. I’ve been trying to access the “auth/admin/realms//users” API to retrieve a list of users, but I don’t seem to be able to access the API at all. I’ve already given my user account the “view-users” permission, and when I inspect the Bearer Token it shows me in “roles” that I actually have that permission. Does anybody have any ideas what other reasons could cause this issue? I’ve been stuck on this problem for days now.

Edit: I’m doing this in a C# Application if this makes things any different.

Thank you so much,
Joao Soares.

If you are trying to use the /auth/admin/realms/<realm-name>/users endpoint to GET a list of users, you will need the query-users and view-users realm management roles.

Hey, mate. Thanks for the reply. I’ve also set query-users on my account and still get the same 403 error. I thought query-users would be default, no? When I see the role mapping, this account has query-users in Effective Roles and I can’t remove it.

I’ve figured it out. I was retrieving the Bearer Token from when the user was authenticated, not the actual access token from realms/master/protocol/openid-connect/token. I was retrieving a token from a provider in C# which was not valid to access Keycloak APIs.

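A quick way to tell the two kinds of token apart before calling the users endpoint, as an added example that is not part of the original thread: it decodes the token payload without verifying the signature (diagnosis only) and reports a wrong issuer or missing view-users / query-users roles. The issuer URL, the `resource_access.<client>.roles` claim layout and both sample tokens are assumptions constructed for the demo.

```python
import base64
import json

REQUIRED_ROLES = {"view-users", "query-users"}  # roles named in the thread


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, expected_issuer):
    """Return reasons this token would likely be refused by the users API."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer is {claims.get('iss')!r}, expected {expected_issuer!r}")
    # Assumed layout: client roles sit under resource_access.<client>.roles.
    granted = set()
    for client in claims.get("resource_access", {}).values():
        granted.update(client.get("roles", []))
    missing = REQUIRED_ROLES - granted
    if missing:
        problems.append("missing roles: " + ", ".join(sorted(missing)))
    return problems


def _b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    return f"{_b64url({'alg': 'none'})}.{_b64url(claims)}.sig"


# Constructed sample data: host names, realm and claims are placeholders.
ISSUER = "https://keycloak.example/auth/realms/master"
KEYCLOAK_TOKEN = make_sample({
    "iss": ISSUER,
    "resource_access": {"master-realm": {"roles": ["view-users", "query-users"]}},
})
OTHER_PROVIDER_TOKEN = make_sample({"iss": "https://login.example/", "roles": ["view-users"]})

if __name__ == "__main__":
    for name, tok in (("keycloak", KEYCLOAK_TOKEN), ("other", OTHER_PROVIDER_TOKEN)):
        print(name, diagnose(tok, ISSUER) or "looks usable")
```

An empty result only means the claims look right; Keycloak still validates the signature and expiry itself.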