Client that can manage users in Keycloak 23+

This is a cross-post from ServerFault, after one week of active bounty that no one tried to win… if you are interested in the bounty, you can answer there before it expires (a few hours from now): Client that can manage users in Keycloak 23+ - Server Fault

I need to authorize my application (named “Logic” from now on) to manage users of a Keycloak realm. “Logic” already authenticates itself against that realm with a client credentials grant access type, so the code is already working.

Now, in the Keycloak administration console, I need to add the correct role to my client so that “Logic” is authorized to call whatever API endpoint Keycloak provides to manage the realm users.

In the realm clients list there is a client named realm-management, which Keycloak provides by default for each realm. This client can manage the whole realm, not just its users, and it has a list of client roles for that reason. manage-users is one of the roles in that list and it is the role I need to assign to my other client (that I named logic in Keycloak). In other words, my “Logic” application uses the keycloak client-id logic to authenticate itself and I need to add the manage-users role to the logic client.

The problem is that in my client (logic) roles settings, those same roles, listed under realm-management client, are not listed at all, and the list only has uma_protection role.

If I searched for “manage-users” by typing it in the search box, it wouldn’t show up. Meanwhile, if I click that role in the roles list of the realm-management client, it shows that no users have that role and it lets me add the role to users, but not to clients, even if that role is actually listed in a client (realm-management).

Creating a new role in my logic client, by the same name of manage-users, is possible, but I’m not sure that’s the way to go. I mean, why should I duplicate an existing role? It smells of wrong.

Can you please tell me the correct way to add the manage-users role to a client in Keycloak 23?

If your client already uses the client credentials flow, it has “service accounts” enabled.
You have to assign the realm-management.manage-users role to the service account in the respective tab of your client. This way the corresponding service account user, which is responsible in Keycloak for getting the client credentials flow to work, will get the proper role and should be able to manage your users.

Thank you very much, it was so easy that I couldn’t find it myself…

Hello, I’m facing the same issue working with the REST API only. Do you know if there is another way to assign the manage-users role to the client?
When using the Keycloak UI, it creates a service account user for the client that is not accessible in the users list.
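The accepted answer above describes the console path (client → service account roles → assign realm-management's manage-users), and the last post asks how to do the same through the REST API alone. The block below is an added example written for this thread, not code from any of the posters or from the Keycloak project: it walks the documented Admin REST API sequence that the console performs for you. Assumptions are labelled in the code: a Keycloak 23 base URL without the old `/auth` prefix, a realm named `myrealm`, a confidential client with clientId `logic`, and an admin bearer token obtained separately (for example with the built-in `admin-cli` client and an admin user's password, as the optional helper shows). The service-account user is not listed in the Users page, but it is reachable through the client's `service-account-user` endpoint, which is the step the last poster was missing.

```python
"""Grant realm-management's `manage-users` client role to a client's service-account
user via the Keycloak Admin REST API (added example; not from the thread)."""
import json
import os
import urllib.parse
import urllib.request
from typing import Any, Callable, Optional

# Transport: (method, url, bearer_token, json_body) -> parsed JSON, or None for an empty body.
# Injectable so the sequence can be exercised offline against a fake Keycloak.
Transport = Callable[[str, str, Optional[str], Any], Any]


def urllib_transport(method: str, url: str, token: Optional[str], body: Any) -> Any:
    """Real HTTP transport. Raises urllib.error.HTTPError on 4xx/5xx (e.g. 403 = missing role)."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def admin_password_token(base_url: str, username: str, password: str) -> str:
    """Bootstrap token: password grant for the master-realm admin via the built-in admin-cli
    client. Assumed bootstrap path; any token holding manage-users/view-clients works too."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/realms/master/protocol/openid-connect/token",
                                 data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["access_token"]


class KeycloakAdmin:
    """Thin wrapper over the handful of /admin/realms/{realm} endpoints this task needs."""

    def __init__(self, base_url: str, realm: str, token: str, transport: Transport = urllib_transport):
        self.base = base_url.rstrip("/")   # Keycloak 23 (Quarkus): no /auth prefix by default
        self.realm = realm
        self.token = token
        self.send = transport

    def _admin(self, path: str) -> str:
        return f"{self.base}/admin/realms/{self.realm}{path}"

    def client_uuid(self, client_id: str) -> str:
        """Resolve the human clientId (e.g. 'logic') to Keycloak's internal client UUID."""
        query = urllib.parse.urlencode({"clientId": client_id})
        matches = self.send("GET", self._admin(f"/clients?{query}"), self.token, None)
        exact = [c for c in matches if c.get("clientId") == client_id]  # keep the filter strict
        if len(exact) != 1:
            raise LookupError(f"client {client_id!r}: expected exactly 1 match, got {len(exact)}")
        return exact[0]["id"]

    def service_account_user_id(self, client_uuid: str) -> str:
        """The hidden service-account-<clientId> user; only exists if service accounts are enabled."""
        sa = self.send("GET", self._admin(f"/clients/{client_uuid}/service-account-user"), self.token, None)
        return sa["id"]

    def client_role(self, client_uuid: str, role_name: str) -> dict:
        return self.send("GET", self._admin(f"/clients/{client_uuid}/roles/{role_name}"), self.token, None)

    def grant_client_role_to_user(self, user_id: str, client_uuid: str, role: dict) -> None:
        # Body is a list of RoleRepresentations; the client UUID in the path is the role's owner.
        self.send("POST", self._admin(f"/users/{user_id}/role-mappings/clients/{client_uuid}"),
                  self.token, [role])

    def user_client_roles(self, user_id: str, client_uuid: str) -> list:
        roles = self.send("GET", self._admin(f"/users/{user_id}/role-mappings/clients/{client_uuid}"),
                          self.token, None)
        return sorted(r["name"] for r in roles)


def grant_manage_users(admin: KeycloakAdmin, client_id: str = "logic",
                       role_name: str = "manage-users") -> list:
    """Map realm-management's `role_name` onto the service-account user of `client_id`
    and return the realm-management roles now mapped on that user (for verification)."""
    target_uuid = admin.client_uuid(client_id)
    sa_user = admin.service_account_user_id(target_uuid)
    realm_mgmt = admin.client_uuid("realm-management")
    role = admin.client_role(realm_mgmt, role_name)
    admin.grant_client_role_to_user(sa_user, realm_mgmt, role)
    return admin.user_client_roles(sa_user, realm_mgmt)


if __name__ == "__main__":
    # Assumed environment: KEYCLOAK_URL (e.g. https://kc.example), KEYCLOAK_REALM, ADMIN_USER, ADMIN_PASSWORD.
    base = os.environ["KEYCLOAK_URL"]
    token = admin_password_token(base, os.environ["ADMIN_USER"], os.environ["ADMIN_PASSWORD"])
    kc = KeycloakAdmin(base, os.environ.get("KEYCLOAK_REALM", "myrealm"), token)
    print("realm-management roles on service account:", grant_manage_users(kc))
```

The final GET on `role-mappings/clients/{realm-management uuid}` is the check worth keeping: after the POST, `manage-users` must appear there, and the `logic` client's next client-credentials token will carry it in its `resource_access.realm-management.roles` claim. Note that `manage-users` is a direct, unscoped grant over every user in the realm; if "Logic" only needs to read users, `view-users` from the same realm-management client is the smaller role.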