Keycloak Admin REST API returns blank to some realm's API request

I have generated a token to invoke the keycloak Admin Rest API that returns a list of users of a given realm.

To get the token from the master realm, I executed the following URL. The user “prod-api-user” has the necessary roles to access all the available realms in the keycloak.

curl --location --request POST ‘https://sso.test.com/auth/realms/master/protocol/openid-connect/token
–header ‘Content-Type: application/x-www-form-urlencoded’
–data-urlencode ‘username=prod-api-user’
–data-urlencode ‘password=xxxxxx’
–data-urlencode ‘grant_type=password’
–data-urlencode ‘client_id=prod-client’

The above curl will return the token and I can copy/paste it in below Authorization payload.
curl --location --request GET ‘https://sso.test.com/auth/admin/realms/osm/users
–header ‘Authorization: Bearer xxxxxx’

It returns the list of the users who belongs to the realm “osm”.
The username prod-api-user has view-realm and view-users roles for osm realm and other available realms too.

But, When I try with the next available realm i.e test let’s say, I get a blank response with a 200 response code. There are plenty of users in the realm test.

However, the Test realm has the same level roles as osm has. I observe no error logs or any logs that are interesting to this request. (I have tried other realm too, they behave the same, their realm settings are similar to the osm realm)

I am using keycloak 10.0.2

Any help will be greatly appreciated.

Sounds like the client roles are not the same. Go into the Admin UI “Users”->“prod-api-user”->"Role Mapping section, and look at each of the “Effective Roles” for the osm-realm and test-realm (or whatever the real realm names are).

Thanks for your answer.

I did check the effective roles of each realm and they are the same. I made sure the effective roles are always set.