Cannot access "Account Management" portal "resource_access" roles missing from token

Hello,

Over a year ago I inherited a Keycloak deployment. When it was passed over to me, it was in version 8.0.0 and since then I have been upgrading it every now and then. Now I am running v18.0.2.
The external database (postgresql) has been always the same one.

The problem I am experiencing is that users do not have access to the Account Management portal. They always get a permission error. No errors in the Keycloak logs.

After some investigation, comparing my deployment with a new installation from scratch, I realized that all users are missing the client roles in their access token (resource_access.${client_id}.roles) for the “account” client.

This is despite the fact that the default client role “roles”, which includes the mapper “client roles”, is added to the “account” client. Actually, this happens for all of my clients, no matter if they are new or one of the existing ones: they do not include the “resource_access” key in the token.

There must be something misconfigured in my instance, but I am not sure what else to do.
Any idea how I can fix this issue? What am I missing?

Thank you very much,
Daniel.

So, after many many hours I finally figured out what was going on. To solve it, I ended up firing up a brand new Keycloak instance and then compared the default configuration of clients, roles, scopes with my instance.

This is what my deployment was missing:

  • ‘account’ client was changed to confidential
  • ‘account-console’ client was missing the scope ‘manage-account’ (defined by the ‘account’ client)
  • Realm role ‘default-roles-<realm_name>’ was missing ‘view-profile’ and ‘manage-account’ (defined by the ‘account’ client)

Hope it can help someone in the future.
~
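A small check over a realm export for the three items listed above, as an added example that is not part of this thread. It assumes the layout of Keycloak's realm export JSON (`clients[].publicClient`, `roles.realm[].composites.client.account`, and `clientScopeMappings.account[]`) and uses a constructed sample realm that exhibits all three defects:

```python
import json

# Constructed sample realm export showing the three defects from the thread
# (assumed Keycloak realm export JSON structure).
SAMPLE_REALM = json.loads("""
{
  "realm": "myrealm",
  "clients": [
    {"clientId": "account", "publicClient": false},
    {"clientId": "account-console", "publicClient": true}
  ],
  "roles": {
    "realm": [
      {"name": "default-roles-myrealm", "composite": true,
       "composites": {"realm": ["offline_access", "uma_authorization"]}}
    ]
  },
  "clientScopeMappings": {}
}
""")


def check_account_console_config(realm: dict) -> list:
    """Return a list of findings; an empty list means nothing from the thread's checklist is missing."""
    findings = []
    clients = {c["clientId"]: c for c in realm.get("clients", [])}

    # 1. 'account' must remain a public client, not confidential.
    if not clients.get("account", {}).get("publicClient", False):
        findings.append("client 'account' is confidential (publicClient=false)")

    # 2. 'account-console' needs a scope mapping to the 'manage-account' role of 'account'.
    mappings = realm.get("clientScopeMappings", {}).get("account", [])
    granted = {r for m in mappings if m.get("client") == "account-console" for r in m.get("roles", [])}
    if "manage-account" not in granted:
        findings.append("client 'account-console' lacks a scope mapping to account/manage-account")

    # 3. default-roles-<realm> must be composite over account/view-profile and account/manage-account.
    default_role_name = f"default-roles-{realm['realm']}"
    role = next((r for r in realm.get("roles", {}).get("realm", []) if r["name"] == default_role_name), None)
    have = set((role or {}).get("composites", {}).get("client", {}).get("account", []))
    for needed in ("view-profile", "manage-account"):
        if needed not in have:
            findings.append(f"realm role '{default_role_name}' is missing account/{needed}")
    return findings


if __name__ == "__main__":
    for finding in check_account_console_config(SAMPLE_REALM):
        print("MISSING:", finding)
```

Run it against a real export (`json.load(open("realm-export.json"))`) to see which of the three items your realm lacks.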

Hi. I’m facing exact same problem. Can you share your configuration json on how you’ve added those missing scopes and what scopes specifically?
I could not override account-console client from the json configuration file. Also in order to access Account Console UI, I had to add acr, roles, profile scopes to the account-console client from the Admin Console UI but still no luck with configuring them by the json file. Can you provide related information from your configuration, please?
Thank you in advance

Hi, @Aghalaryan

Can you share your configuration json on how you’ve added those missing scopes and what scopes specifically?

‘account-console’ client was missing the scope ‘manage-account’ (defined by the ‘account’ client).

I used the Admin Console UI for it. Since the steps might not be super obvious, I just recorded a short video showcasing how to do it. Hope that helps.


Thank you very much for your time!
My client already had it applied; I was missing the default and optional scopes, which I can see are applied in your system. But I still cannot find what changes need to be made to the realm.json file in order to have them automatically after a clean installation.

Thanks again!

Hmm, all of these scopes and roles should come configured out of the box in every new Keycloak installation. In my case I was missing them because a former member of the team changed the default config when testing/trying something else.

In case that interests you…
If you have “clientScopes” in the realm import json file, default scopes are not applied to the confidential account and account-console clients. I have custom scopes which need to be defined in the realm.json file, and as a result I lost the default scopes which are necessary to access the Account Console.

I see. One thing you can do is install a new Keycloak (i.e. locally, running on containers) and then compare the default config with your config until you find exactly what you are missing.