Execute-actions-email to change password, forbidden

Hello,
I want to use the Keycloak API to update users' passwords, so I found this
PUT /admin/realms/{realm}/users/{id}/execute-actions-email in the Keycloak docs,
and I get 403 Forbidden when I try it in Postman.

And if I decode the token, this is what I find as access:

    "realm_access": {
        "roles": [
            "offline_access",
            "uma_authorization",
            "default-roles-entasc"
        ]
    },
    "resource_access": {
        "account": {
            "roles": [
                "manage-account",
                "manage-account-links",
                "view-profile"
            ]
        }
    },
    "scope": "openid OpenID-connect email profile",

Hi,

I was wondering about the same thing and could not find the needed information in the documentation, but through experimentation, I discovered that you need the manage-users role from the realm-management client to be able to invoke this endpoint.

However, I discovered that using this role also enables the client to invoke some other, more critical endpoints, such as the /reset-password endpoint, which seems to me a potential security risk. I would expect that there is a separate role just for the /execute-actions-email endpoint, such that you don't need to grant access to the /reset-password endpoint along the way. Perhaps someone could shed some light on the matter?

The /execute-actions-email endpoint is part of the ADMIN REST API; it's not meant to be used by regular users. Yes, the consuming users or clients need proper realm management roles, so this operation should only be executed by trustworthy entities!
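As an added illustration of the two replies above (not code from the thread or from the Keycloak project), the script below inspects a decoded access token the way the question did and explains a 403 on the Admin REST API before any request is sent: it checks for the manage-users role under the realm-management client that the first reply identified, and it builds the PUT for execute-actions-email with the UPDATE_PASSWORD required action. The token payloads are constructed samples modelled on the claims quoted in the question; the realm name "entasc" is assumed from the default-roles-entasc role, and the base URL and user id are placeholders.

```python
import base64
import json
from urllib.parse import quote

# Constructed sample claims (not real tokens). The first mirrors the token
# quoted in the question: only account-client roles, nothing from
# realm-management. The second adds the role the first reply says is needed.
CLAIMS_WITHOUT_ROLE = {
    "realm_access": {"roles": ["offline_access", "uma_authorization", "default-roles-entasc"]},
    "resource_access": {
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
    },
    "scope": "openid email profile",
}
CLAIMS_WITH_ROLE = {
    "realm_access": {"roles": ["offline_access", "uma_authorization", "default-roles-entasc"]},
    "resource_access": {
        "account": {"roles": ["manage-account", "view-profile"]},
        "realm-management": {"roles": ["manage-users", "view-users"]},
    },
    "scope": "openid email profile",
}

ADMIN_CLIENT = "realm-management"
REQUIRED_ROLE = "manage-users"  # role observed to be required by the first reply


def unsigned_jwt(claims: dict) -> str:
    """Build an unsigned compact JWT from claims; used only to construct sample input."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a JWT WITHOUT verifying the signature.

    This is for inspection only, like pasting a token into a decoder; the
    resource server (Keycloak) does the real verification. Never grant
    anything based on claims read this way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_client_role(claims: dict, client: str, role: str) -> bool:
    """True if the token carries `role` for `client` under resource_access."""
    return role in claims.get("resource_access", {}).get(client, {}).get("roles", [])


def explain_admin_access(token: str) -> tuple:
    """Preflight: say whether this token can plausibly call the Admin REST API
    user endpoints, and why not if it cannot (the likely cause of the 403)."""
    claims = decode_jwt_payload(token)
    if has_client_role(claims, ADMIN_CLIENT, REQUIRED_ROLE):
        return True, f"token has {ADMIN_CLIENT}/{REQUIRED_ROLE}; admin user endpoints allowed"
    present = sorted(claims.get("resource_access", {}).keys())
    return False, (f"token lacks {ADMIN_CLIENT}/{REQUIRED_ROLE}; only client roles for "
                   f"{present} are present, so a 403 is expected")


def build_execute_actions_request(base_url: str, realm: str, user_id: str,
                                  actions: list, lifespan: int = None) -> dict:
    """Describe the PUT for execute-actions-email: the body is a JSON array of
    required actions, and lifespan (seconds) bounds the emailed link's validity."""
    url = f"{base_url}/admin/realms/{quote(realm)}/users/{quote(user_id)}/execute-actions-email"
    if lifespan is not None:
        url += f"?lifespan={int(lifespan)}"
    return {
        "method": "PUT",
        "url": url,
        "headers": {"Authorization": "Bearer <token>", "Content-Type": "application/json"},
        "body": json.dumps(actions),
    }


if __name__ == "__main__":
    for claims in (CLAIMS_WITHOUT_ROLE, CLAIMS_WITH_ROLE):
        ok, reason = explain_admin_access(unsigned_jwt(claims))
        print("OK " if ok else "403", reason)
    # placeholder base URL and user id; realm assumed from default-roles-entasc
    req = build_execute_actions_request("https://sso.example.test", "entasc",
                                        "USER-ID-PLACEHOLDER", ["UPDATE_PASSWORD"], lifespan=600)
    print(req["method"], req["url"], req["body"])
```

The preflight only reproduces what Keycloak itself enforces; the point of keeping it in a service account's code path is to fail fast with a readable reason instead of a bare 403. Because manage-users also unlocks the reset-password endpoint, as the second reply notes, the client holding it should be a dedicated confidential client whose credentials are treated like any other admin secret.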
