Client credentials grant: Rest API using client_id admin-cli

Hi,

I am trying to call the REST api with the client_id admin-cli.

Password Grant

When the client is set to ‘public’, I can get a token and get all users from a specific realm;

export TOKEN=$(curl --location --request POST ‘server:port/auth/realms/master/protocol/openid-connect/token’
–header ‘Content-Type: application/x-www-form-urlencoded’
–data-urlencode ‘username=admin’
–data-urlencode ‘password=XXXXX’
–data-urlencode ‘grant_type=password’
–data-urlencode ‘client_id=admin-cli’ | jq -r .access_token)

curl -H “Content-Type: application/json” -H “Authorization: bearer $TOKEN” -X GET “server:port/auth/admin/realms/MYREALM/users”

-> works fine. I get the list of users.

Client Credentials Grant

When the client is set to ‘confidential’ + Service Accounts Enabled: true

export TOKEN=$(curl --location --request POST server:port/auth/realms/master/protocol/openid-connect/token’
–header ‘Content-Type: application/x-www-form-urlencoded’
–data-urlencode ‘grant_type=client_credentials’
–data-urlencode ‘client_id=admin-cli’
–data-urlencode ‘client_secret=ffffff1-ffff44aa-ffff-6c2cfb710010’ | jq -r .access_token)

-> I get a token, but when i try

curl -H “Content-Type: application/json” -H “Authorization: bearer $TOKEN” -X GET “server:port/auth/admin/realms/MYREALM/users”

I get 403: {“error”:“unknown_error”}

I must be missing something, any tips?

I’m in a similar situation I created a new account service with admin role but I always get 403 when trying access resources like GET /admin/realms…

Were you able to find a solution to your problem?

Same issue here. Any explanation?