Realm-management cannot do any action via Postman!

Hello,

I am trying to make a REST API call to get users via the client realm-management.
I am using the official Docker Hub Keycloak image; I tried with 6.0.1, 9.0.0 and latest.
The problem I'm running into is a 403 response code.

For example, on listing users with the URL:

http://xxxxxxxx/:8580/auth/admin/realms/x-x/users

I get the token with client-id and secret; this works, but later I cannot make any request on the API.

Service Accounts Enabled
Valid Redirect URIs *
Web origins *

Roles list:

  • view-clients
  • manage-events
  • manage-users
  • query-users
  • create-client
  • view-users
  • impersonation
  • view-realm
  • manage-realm
  • manage-clients
  • query-realms
  • view-events
  • query-clients
  • view-authorization
  • uma_protection
  • view-identity-providers
  • manage-identity-providers
  • realm-admin
  • query-groups
  • manage-authorization

Logs while getting token:

13:05:27,336 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1065/458097982
13:05:29,879 DEBUG [io.undertow.request] (default I/O-7) Matched prefix path /auth for path /auth/realms/x-demo/protocol/openid-connect/token
13:05:29,880 DEBUG [io.undertow.request.security] (default task-2) Attempting to authenticate /auth/realms/x-demo/protocol/openid-connect/token, authentication required: false
13:05:29,880 DEBUG [io.undertow.request.security] (default task-2) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@425a4115 for /auth/realms/x-demo/protocol/openid-connect/token
13:05:29,880 DEBUG [io.undertow.request.security] (default task-2) Authentication result was ATTEMPTED for /auth/realms/x-demo/protocol/openid-connect/token
13:05:29,880 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) new JtaTransactionWrapper
13:05:29,880 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) was existing? false
13:05:29,880 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002315: PathInfo: /realms/x-demo/protocol/openid-connect/token
13:05:29,882 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-2) AUTHENTICATE CLIENT
13:05:29,882 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-2) client authenticator: client-secret
13:05:29,882 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-2) client authenticator SUCCESS: client-secret
13:05:29,882 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-2) Client realm-management authenticated by client-secret
13:05:29,882 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-2) Removing authSession '43581cec-5eaf-48f1-86d2-590d8f212f3c'. Expire restart cookie: true
13:05:29,883 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-2) Hibernate RegisteredSynchronization successfully registered with JTA platform
13:05:29,883 DEBUG [org.hibernate.SQL] (default task-2) 
    select
        clientscop0_.ID as ID1_13_0_,
        clientscop0_.DESCRIPTION as DESCRIPT2_13_0_,
        clientscop0_.NAME as NAME3_13_0_,
        clientscop0_.PROTOCOL as PROTOCOL4_13_0_,
        clientscop0_.REALM_ID as REALM_ID5_13_0_
    from
        public.CLIENT_SCOPE clientscop0_
    where
        clientscop0_.ID=?
13:05:29,883 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-2) KeycloakDS: getConnection(null, WrappedConnectionRequestInfo@1ee9a6a3[userName=keycloak]) [0/20]
13:05:29,883 FINE  [org.postgresql.jdbc.PgConnection] (default task-2)   setAutoCommit = false
13:05:29,884 DEBUG [org.hibernate.resource.jdbc.internal.ResourceRegistryStandardImpl] (default task-2) HHH000387: ResultSet's statement was not registered
13:05:29,885 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-2) Initiating JDBC connection release from afterStatement
13:05:29,885 DEBUG [org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader] (default task-2) Done entity load : org.keycloak.models.jpa.entities.ClientScopeEntity#82261b6e-fb18-4294-b2b5-49964c491150
13:05:29,887 DEBUG [org.keycloak.events] (default task-2) type=CLIENT_LOGIN, realmId=x-demo, clientId=realm-management, userId=72b484e4-ddc8-4bf9-a5d9-e5989a10b149, ipAddress=x.x.x.x, token_id=6fbcde52-3e83-4556-a3ec-c63f289592b9, grant_type=client_credentials, refresh_token_type=Refresh, scope='email profile', refresh_token_id=c82d13e5-dba6-4e4c-92ed-33ccf0489232, client_auth_method=client-secret, username=service-account-realm-management
13:05:29,887 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) JtaTransactionWrapper  commit

LOGS WHILE USING TOKEN TO CALL REST API:

13:06:52,335 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1065/458097982
13:06:55,795 DEBUG [io.undertow.request] (default I/O-11) Matched prefix path /auth for path /auth/admin/realms/x-demo/users
13:06:55,796 DEBUG [io.undertow.request.security] (default task-2) Attempting to authenticate /auth/admin/realms/x-demo/users, authentication required: false
13:06:55,796 DEBUG [io.undertow.request.security] (default task-2) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@425a4115 for /auth/admin/realms/x-demo/users
13:06:55,796 DEBUG [io.undertow.request.security] (default task-2) Authentication result was ATTEMPTED for /auth/admin/realms/x-demo/users
13:06:55,796 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) new JtaTransactionWrapper
13:06:55,796 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) was existing? false
13:06:55,796 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002315: PathInfo: /admin/realms/x-demo/users
13:06:55,798 DEBUG [org.keycloak.services.resources.admin.AdminRoot] (default task-2) authenticated admin access for: service-account-realm-management
13:06:55,799 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) JtaTransactionWrapper rollback
13:06:55,799 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) JtaTransactionWrapper end
13:06:57,335 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
13:06:57,335 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
13:06:57,335 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
13:06:57,335 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end

What more can I provide to give more information about it so you are able to replicate the problem?

See: Getting started with Keycloak

Can you send us more info about your request? Your cURL call for example, make sure you are sending it as x-www-form-urlencoded.

This is my curl request:

curl --location --request GET 'http://xxx:8580/auth/admin/realms/x-demo/users' \
--header 'Authorization: Bearer <access_token>'
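Added example, not part of the original posts: the logs above show the token being accepted ("authenticated admin access for: service-account-realm-management") and the request then rolled back, so a useful diagnostic is to decode the access token and list which realm-management roles were actually mapped into it. The sample tokens are constructed and unsigned, the helper names are hypothetical, and `view-users` as the role to check is an assumption taken from the role list in the question; Keycloak places client roles under `resource_access.<client-id>.roles`.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected header.payload.signature; token is truncated or damaged")
    return json.loads(b64url_decode(parts[1]))


def client_roles(claims: dict, client_id: str = "realm-management") -> list:
    """Client roles Keycloak mapped into the token for client_id."""
    access = claims.get("resource_access", {}).get(client_id, {})
    return sorted(access.get("roles", []))


def missing_roles(claims: dict, wanted, client_id: str = "realm-management") -> list:
    """Roles from `wanted` that the token does not carry for client_id."""
    return sorted(set(wanted) - set(client_roles(claims, client_id)))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])


BASE = {"azp": "realm-management", "scope": "email profile",
        "preferred_username": "service-account-realm-management"}
# Constructed: service account with no realm-management roles mapped.
SAMPLE_NO_ROLES = make_sample_token(BASE)
# Constructed: same account after roles were mapped to it.
SAMPLE_WITH_ROLES = make_sample_token(
    {**BASE, "resource_access": {"realm-management": {"roles": ["view-users", "query-users"]}}})

if __name__ == "__main__":
    for name, tok in (("no roles", SAMPLE_NO_ROLES), ("with roles", SAMPLE_WITH_ROLES)):
        claims = jwt_claims(tok)
        print(name, "| roles:", client_roles(claims),
              "| missing:", missing_roles(claims, ["view-users"]))
```

A token whose role list comes back empty was issued to a service account that holds none of the client's roles, even if the client itself defines all of them.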

Could you please help me with getting token from realm-management?
I have created real admin and want to manage users via API.
If I’m not wrong I have to get access_token with admin-cli client and then use this token in order to get access_token from bearer-only client realm-management.

I was able to get access token from admin-cli but I don’t know how to use realm-management client and can’t google anything.

I think I’m missing something.