This is a cross-post from ServerFault, after one week of active bounty that no one tried to win… if you are interested in the bounty, you can answer there before it expires (a few hours from now): Client that can manage users in Keycloak 23+ - Server Fault
I need to authorize my application (named “Logic” from now on) to manage users of a Keycloak realm. “Logic” already authenticates itself against that realm with a client credentials grant access type, so the code is already working.
Now, in the Keycloak administration console, I need to add the correct role to my client so that “Logic” is authorized to call whatever API endpoint Keycloak provides to manage the realm users.
In the realm clients list there is a client named realm-management, which Keycloak provides by default for each realm. This client can manage the whole realm, not just its users, and it has a list of client roles for that reason.
manage-users is one of the roles in that list and it is the role I need to assign to my other client (that I named logic in Keycloak). In other words, my “Logic” application uses the Keycloak client-id logic to authenticate itself and I need to add the manage-users role to the
The problem is that in my client (logic) roles settings, those same roles, listed under the realm-management client, are not listed at all, and the list only has
If I searched for “manage-users” by typing it in the search box, it wouldn’t show up. Meanwhile, if I click that role in the roles list of the realm-management client, it shows that no users have that role and it lets me add the role to users, but not to clients, even if that role is actually listed in a client (
Creating a new role in my logic client, with the same name as manage-users, is possible, but I’m not sure that’s the way to go. I mean, why should I duplicate an existing role? It smells wrong.
Can you please tell me the correct way to add the manage-users role to a client in Keycloak 23?
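The configuration the question describes, as an added example that is not part of the original post and not an answer from the thread: a client that authenticates with the client credentials grant acts through its service-account user, and roles defined by another client (here manage-users on realm-management) are mapped onto that user rather than onto the client's own role list, which is why they do not appear under the client's Roles tab. The script below does that mapping through the Keycloak Admin REST API with curl and jq. The server URL, realm name, admin credentials in the master realm and the target clientId logic are assumptions set through environment variables; nothing about the poster's actual deployment is known.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): map the realm-management client
# role "manage-users" onto the service-account user of a confidential client.
# Assumed environment (hypothetical values): KEYCLOAK_URL, REALM, ADMIN_USER and
# ADMIN_PASS (an admin in the master realm), TARGET_CLIENT (defaults to "logic").
# curl and jq are needed only when the script actually talks to a server.

KC="${KEYCLOAK_URL:-http://localhost:8080}"
REALM="${REALM:-myrealm}"
TARGET_CLIENT="${TARGET_CLIENT:-logic}"
ROLE_NAME="${ROLE_NAME:-manage-users}"

# --- pure helpers: build endpoints and payloads, no network needed ---------

admin_url() {            # admin_url <realm> <path>  -> full admin API URL
  printf '%s/admin/realms/%s/%s' "$KC" "$1" "$2"
}

token_url() {            # token endpoint of the master realm
  printf '%s/realms/master/protocol/openid-connect/token' "$KC"
}

# Role-mapping path for a user and a client. Note: <client-uuid> is the
# client's internal id, not its clientId string.
user_client_role_mapping_path() {   # <user-uuid> <client-uuid>
  printf 'users/%s/role-mappings/clients/%s' "$1" "$2"
}

# Body for the role-mapping POST: a JSON array of RoleRepresentation objects.
# Keycloak requires both id and name to be present.
role_mapping_payload() {            # <role-uuid> <role-name>
  printf '[{"id":"%s","name":"%s"}]' "$1" "$2"
}

# --- network steps ---------------------------------------------------------

get_admin_token() {
  curl -sf -X POST "$(token_url)" \
    -d grant_type=password -d client_id=admin-cli \
    -d "username=$ADMIN_USER" -d "password=$ADMIN_PASS" | jq -r .access_token
}

assign_manage_users() {
  auth="Authorization: Bearer $(get_admin_token)"
  # 1. internal UUID of the realm-management client (lookup is by clientId)
  rm_uuid=$(curl -sf -H "$auth" \
    "$(admin_url "$REALM" "clients?clientId=realm-management")" | jq -r '.[0].id')
  # 2. the manage-users role on that client, fetched by name to get its id
  role_uuid=$(curl -sf -H "$auth" \
    "$(admin_url "$REALM" "clients/$rm_uuid/roles/$ROLE_NAME")" | jq -r .id)
  # 3. UUID of the target client and of its service-account user
  target_uuid=$(curl -sf -H "$auth" \
    "$(admin_url "$REALM" "clients?clientId=$TARGET_CLIENT")" | jq -r '.[0].id')
  sa_uuid=$(curl -sf -H "$auth" \
    "$(admin_url "$REALM" "clients/$target_uuid/service-account-user")" | jq -r .id)
  # 4. map the client role onto the service-account user (204 on success)
  curl -sf -H "$auth" -H 'Content-Type: application/json' -X POST \
    "$(admin_url "$REALM" "$(user_client_role_mapping_path "$sa_uuid" "$rm_uuid")")" \
    -d "$(role_mapping_payload "$role_uuid" "$ROLE_NAME")"
  # 5. verify: list the realm-management roles now held by the service account
  curl -sf -H "$auth" \
    "$(admin_url "$REALM" "$(user_client_role_mapping_path "$sa_uuid" "$rm_uuid")")" \
    | jq -r '.[].name'
}

# Only contact a server when one is explicitly configured; the helpers above
# can be exercised on their own.
if [ -n "${KEYCLOAK_URL:-}" ]; then
  assign_manage_users
fi
```

Step 4 is the equivalent of the admin console's Clients > logic > Service account roles > Assign role, with the filter switched from realm roles to client roles; the check in step 5 should print manage-users afterwards. Granting manage-users to a service account is a realm-wide privilege over every user, so keep the client's secret as protected as an admin password and prefer a narrower role (for example view-users) wherever the application only needs to read.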