I have been using Keycloak as IDP for some time now. I have secured apps and my own REST APIs, so I am pretty used to configuring Keycloak. What I want to do now is to start using the REST API to manage users and roles.
I also wanted to upgrade to the latest version, so I started fresh with 26.0.7 in a docker instance:
docker run -p 8081:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:26.0.7 start-dev
I then did the following:
In the master realm:
- Create a new client “rest-api-client”
- Uncheck “Standard Flow” and “Direct access grant”
- Check “Service account roles”
- In the tab “Service Account Roles”, add the roles query-users, view-users, manage-users (in the documentation, it says I should add the role “admin” here, but it is not available!)
- In Postman, log in using client credentials:
POST /realms/master/protocol/openid-connect/token
with parameters:
client_id: “rest-api-client”
grant_type: “client_credentials”
client_secret:
- Make the REST call to get users (providing the access_token):
GET /admin/realms/master/users
Here, I get 401.
I have tried a lot of different tweaks, e.g. following the instructions in the Server Developer Guide.
I think I managed to add an audience mapper (not super intuitive…), but I cannot add the role “admin” under service account roles, because it does not exist in the list of available roles.
So, if anyone has managed to use the REST API in version 26, using a custom client and the service account concept, please let me know.
UPDATE:
The access_token I get looks like this:
{
  "exp": 1733757274,
  "iat": 1733757214,
  "jti": "fc6aaae6-0980-4f9a-a1f3-21297160e4f6",
  "iss": "http://localhost:8081/realms/master",
  "aud": [
    "security-admin-console",
    "master-realm",
    "account"
  ],
  "sub": "e141f6ee-d09a-4a59-aefc-2dc1e87784f6",
  "typ": "Bearer",
  "azp": "rest-api-client",
  "acr": "1",
  "allowed-origins": [
    "/*"
  ],
  "realm_access": {
    "roles": [
      "default-roles-master",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "rest-api-client": {
      "roles": [
        "uma_protection"
      ]
    },
    "master-realm": {
      "roles": [
        "view-realm",
        "manage-users",
        "view-users",
        "query-groups",
        "query-users"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "email profile",
  "clientHost": "192.168.65.1",
  "email_verified": false,
  "preferred_username": "service-account-rest-api-client",
  "clientAddress": "192.168.65.1",
  "client_id": "rest-api-client"
}
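Added example (not code from the original post, nor from Keycloak): a Python script that makes the same two requests the post makes in Postman, the client_credentials token request and GET /admin/realms/master/users, and does the checks worth doing between them. It decodes the token payload (without verifying the signature, which is fine for inspection only), reports the issuer against the base URL being called, lists the roles the token carries on the realm's management client, and on an error response returns the status code and the WWW-Authenticate header, so a 401 (token not accepted) can be told apart from a 403 (token accepted, role missing). It assumes the setup in the post (http://localhost:8081, realm master, client rest-api-client); reading the secret from a KC_CLIENT_SECRET environment variable and the env-var overrides are my additions. The role list it compares against is the three roles the post assigned; for a realm other than master the management client is realm-management instead of master-realm.

```python
"""Obtain a Keycloak service-account token, inspect it, then call the Admin REST API.

Added example; assumes a Keycloak started as in the post (http://localhost:8081,
realm "master", client "rest-api-client"). KC_CLIENT_SECRET must hold the client secret.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Defaults match the docker command in the post; all overridable via environment variables.
BASE_URL = os.environ.get("KC_BASE_URL", "http://localhost:8081")
REALM = os.environ.get("KC_REALM", "master")
CLIENT_ID = os.environ.get("KC_CLIENT_ID", "rest-api-client")

# The roles the post assigned under "Service Account Roles". In the master realm these are
# client roles of the "master-realm" client; in any other realm, of "realm-management".
EXPECTED_ROLES = {"query-users", "view-users", "manage-users"}


def management_client(realm: str) -> str:
    """Name of the client whose roles guard /admin/realms/{realm}/... for that realm."""
    return "master-realm" if realm == "master" else "realm-management"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.
    Only for looking at what Keycloak issued; never use this to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_admin_token(payload: dict, base_url: str, realm: str) -> dict:
    """Compare the token's claims with what the admin endpoint for `realm` will look at."""
    mgmt = management_client(realm)
    granted = set(payload.get("resource_access", {}).get(mgmt, {}).get("roles", []))
    expected_iss = f"{base_url.rstrip('/')}/realms/{realm}"
    return {
        "issuer": payload.get("iss"),
        "issuer_matches_base_url": payload.get("iss") == expected_iss,
        "azp": payload.get("azp"),
        "management_client": mgmt,
        "management_roles": sorted(granted),
        "missing_roles": sorted(EXPECTED_ROLES - granted),
    }


def fetch_token(base_url: str, realm: str, client_id: str, client_secret: str) -> str:
    """client_credentials grant against the realm's token endpoint (the post's Postman call)."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def list_users(base_url: str, realm: str, token: str):
    """GET /admin/realms/{realm}/users. Returns (status, body, www_authenticate_header)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/users",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp), None
    except urllib.error.HTTPError as e:
        # 401: the token was not accepted at all; 403: accepted, but a role is missing.
        return e.code, e.read().decode(errors="replace"), e.headers.get("WWW-Authenticate")


def main() -> int:
    secret = os.environ.get("KC_CLIENT_SECRET")
    if not secret:
        print("set KC_CLIENT_SECRET to the client's secret", file=sys.stderr)
        return 2
    token = fetch_token(BASE_URL, REALM, CLIENT_ID, secret)
    print(json.dumps(check_admin_token(decode_jwt_payload(token), BASE_URL, REALM), indent=2))
    status, body, www_auth = list_users(BASE_URL, REALM, token)
    print("HTTP", status, "WWW-Authenticate:", www_auth)
    print(body if isinstance(body, str) else f"{len(body)} user(s)")
    return 0 if status == 200 else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `KC_CLIENT_SECRET=... python3 kc_admin_check.py`. The report printed before the admin call shows whether the `iss` claim is the same realm URL the admin request is sent to and which `master-realm` roles the token actually carries; the status and WWW-Authenticate line after it shows what Keycloak objected to.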