403 Forbidden error when using Rest API

Hey Everyone,

I am hoping someone could help with an issue I am facing. I am trying to use the API to create new Authentication flows in our realms. I want the API to do this, but I keep getting a 403 Forbidden error when trying to POST. I am using Postman to do this. It works fine when I create a new flow in our dev environment because I am using the API: http://127.0.0.1:8180/auth/admin/realms/heroes/authentication/flows (example) and I am using Basic Auth with our Admin account to generate the token. When I put in the API for our case, I am able to add a new Flow to the Realm. Works great!
However, when I go into Prod and use the API: https://{Keycloak url}/auth/admin/REALM/authentication/flows while using Basic Auth and the admin account, I get the 403 Forbidden error. Mind you, when I POST to get the Access Token (in Prod), I am able to generate a token, but as soon as I try to POST to create a new flow, I get the Forbidden error.

Does it have anything to do with http vs https? I confirmed my admin role has "realm-admin". I know that the call is correct, but is something being blocked on the server side, possibly? Or is there a setting I am missing somewhere?

Any help would be greatly appreciated.

Do the logs provide any clues beyond the ‘forbidden’?

Not really. The logs don't say much on this. I am also new to Keycloak, so to me I just see:
2021-05-27 16:31:24,196 WARN [org.keycloak.events] (default task-17954) type=REFRESH_TOKEN_ERROR, realmId=, clientId=****, userId=null, ipAddress=, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret

But I am not sure how the Refresh Token falls into any of this. Also, "invalid token" has to be wrong because I am able to use the token for GET requests.

Any success on figuring this out?

access_tokens are short-lived tokens, and usually the OAuth client libraries handle token renewal behind the scenes. If you request "offline_access" as a scope when negotiating an access_token, you should receive both access and refresh tokens.

If the error occurs in Postman, it tries to renew the token automatically when it expires.

If possible, try to enable a more verbose log mode on production and perform more tests. Set the log level to DEBUG.
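As an added example (not code from this thread or from Keycloak itself) of the token handling the reply above describes: a small Python helper that builds the token and admin-flows URLs, inspects an access token's exp claim and realm-management roles before a call, and decides whether a refresh_token grant has to be sent first. The host and realm names are placeholders, and the unsigned token builder exists only so the checks can be exercised offline.

```python
import base64
import json
import time

def token_endpoint(base, realm):
    """Token endpoint of the realm the admin user logs in to (e.g. 'master')."""
    return f"{base}/auth/realms/{realm}/protocol/openid-connect/token"

def admin_flows_endpoint(base, realm):
    """Admin REST path for creating flows; note the 'realms/' segment."""
    return f"{base}/auth/admin/realms/{realm}/authentication/flows"

def password_grant(username, password, client_id="admin-cli"):
    """Form body for the first token request (password grant, as Postman sends it)."""
    return {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}

def refresh_grant(refresh_token, client_id="admin-cli"):
    """Form body for renewing an access token once it has expired."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_jwt(claims):
    """Constructed, unsigned token used only to exercise the checks below offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def is_expired(token, now=None, leeway=30):
    """True when the 'exp' claim is within `leeway` seconds of now (or already past)."""
    now = time.time() if now is None else now
    return jwt_claims(token)["exp"] - leeway <= now

def has_realm_admin(token):
    """Whether the token carries the realm-management 'realm-admin' client role."""
    roles = jwt_claims(token).get("resource_access", {}).get("realm-management", {}).get("roles", [])
    return "realm-admin" in roles

def next_request(access_token, refresh_token, now=None):
    """Reuse the bearer token, or renew it first when it is about to expire."""
    if is_expired(access_token, now):
        return "refresh", refresh_grant(refresh_token)
    return "call", {"Authorization": f"Bearer {access_token}"}
```

Checking exp and the realm-management roles of the token Postman actually sends separates "token expired and Postman renewed it wrongly" from "token valid but the user lacks realm-admin in that realm", which the 403 alone does not distinguish.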