Hello,
I am trying to make a REST API call to get users via the realm-management client.
I am using the official Docker Hub Keycloak image; I tried 6.0.1, 9.0.0 and latest.
The problem I'm running into is a 403 response code.
For example, on listing users with the URL:
http://xxxxxxxx/:8580/auth/admin/realms/x-x/users
I get the token with the client ID and secret, and this works, but afterwards I cannot make any request on the API.
Service Accounts Enabled
Valid Redirect URIs *
Web origins *
Roles list:
- view-clients
- manage-events
- manage-users
- query-users
- create-client
- view-users
- impersonation
- view-realm
- manage-realm
- manage-clients
- query-realms
- view-events
- query-clients
- view-authorization
- uma_protection
- view-identity-providers
- manage-identity-providers
- realm-admin
- query-groups
- manage-authorization
Logs while getting token:
13:05:27,336 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1065/458097982
13:05:29,879 DEBUG [io.undertow.request] (default I/O-7) Matched prefix path /auth for path /auth/realms/x-demo/protocol/openid-connect/token
13:05:29,880 DEBUG [io.undertow.request.security] (default task-2) Attempting to authenticate /auth/realms/x-demo/protocol/openid-connect/token, authentication required: false
13:05:29,880 DEBUG [io.undertow.request.security] (default task-2) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@425a4115 for /auth/realms/x-demo/protocol/openid-connect/token
13:05:29,880 DEBUG [io.undertow.request.security] (default task-2) Authentication result was ATTEMPTED for /auth/realms/x-demo/protocol/openid-connect/token
13:05:29,880 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) new JtaTransactionWrapper
13:05:29,880 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) was existing? false
13:05:29,880 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002315: PathInfo: /realms/x-demo/protocol/openid-connect/token
13:05:29,882 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-2) AUTHENTICATE CLIENT
13:05:29,882 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-2) client authenticator: client-secret
13:05:29,882 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-2) client authenticator SUCCESS: client-secret
13:05:29,882 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-2) Client realm-management authenticated by client-secret
13:05:29,882 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-2) Removing authSession '43581cec-5eaf-48f1-86d2-590d8f212f3c'. Expire restart cookie: true
13:05:29,883 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-2) Hibernate RegisteredSynchronization successfully registered with JTA platform
13:05:29,883 DEBUG [org.hibernate.SQL] (default task-2)
select
clientscop0_.ID as ID1_13_0_,
clientscop0_.DESCRIPTION as DESCRIPT2_13_0_,
clientscop0_.NAME as NAME3_13_0_,
clientscop0_.PROTOCOL as PROTOCOL4_13_0_,
clientscop0_.REALM_ID as REALM_ID5_13_0_
from
public.CLIENT_SCOPE clientscop0_
where
clientscop0_.ID=?
13:05:29,883 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-2) KeycloakDS: getConnection(null, WrappedConnectionRequestInfo@1ee9a6a3[userName=keycloak]) [0/20]
13:05:29,883 FINE [org.postgresql.jdbc.PgConnection] (default task-2) setAutoCommit = false
13:05:29,884 DEBUG [org.hibernate.resource.jdbc.internal.ResourceRegistryStandardImpl] (default task-2) HHH000387: ResultSet's statement was not registered
13:05:29,885 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-2) Initiating JDBC connection release from afterStatement
13:05:29,885 DEBUG [org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader] (default task-2) Done entity load : org.keycloak.models.jpa.entities.ClientScopeEntity#82261b6e-fb18-4294-b2b5-49964c491150
13:05:29,887 DEBUG [org.keycloak.events] (default task-2) type=CLIENT_LOGIN, realmId=x-demo, clientId=realm-management, userId=72b484e4-ddc8-4bf9-a5d9-e5989a10b149, ipAddress=x.x.x.x, token_id=6fbcde52-3e83-4556-a3ec-c63f289592b9, grant_type=client_credentials, refresh_token_type=Refresh, scope='email profile', refresh_token_id=c82d13e5-dba6-4e4c-92ed-33ccf0489232, client_auth_method=client-secret, username=service-account-realm-management
13:05:29,887 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) JtaTransactionWrapper commit
Logs while using the token to call the REST API:
13:06:52,335 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1065/458097982
13:06:55,795 DEBUG [io.undertow.request] (default I/O-11) Matched prefix path /auth for path /auth/admin/realms/x-demo/users
13:06:55,796 DEBUG [io.undertow.request.security] (default task-2) Attempting to authenticate /auth/admin/realms/x-demo/users, authentication required: false
13:06:55,796 DEBUG [io.undertow.request.security] (default task-2) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@425a4115 for /auth/admin/realms/x-demo/users
13:06:55,796 DEBUG [io.undertow.request.security] (default task-2) Authentication result was ATTEMPTED for /auth/admin/realms/x-demo/users
13:06:55,796 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) new JtaTransactionWrapper
13:06:55,796 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) was existing? false
13:06:55,796 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002315: PathInfo: /admin/realms/x-demo/users
13:06:55,798 DEBUG [org.keycloak.services.resources.admin.AdminRoot] (default task-2) authenticated admin access for: service-account-realm-management
13:06:55,799 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) JtaTransactionWrapper rollback
13:06:55,799 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) JtaTransactionWrapper end
13:06:57,335 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
13:06:57,335 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
13:06:57,335 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
13:06:57,335 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
What more can I provide to give more information about it so that you are able to replicate the problem?
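A diagnostic for the situation described in the post, added here as an example and not part of the original post or of Keycloak's code: it decodes the access token returned by the client_credentials grant and reports which realm-management roles the token actually carries. It assumes Keycloak's default token layout, where client roles appear under `resource_access.<client>.roles`; the sample tokens are constructed and unsigned, and the helper names are hypothetical.

```python
import base64
import json

# User-related roles taken from the role list in the post.
USER_ROLES_FROM_POST = {"view-users", "query-users", "manage-users"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    # Inspection only: the signature is NOT verified here.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(b64url_decode(parts[1]))


def client_roles(claims: dict, client_id: str = "realm-management") -> set:
    # Assumed layout: {"resource_access": {"<client>": {"roles": [...]}}}
    access = claims.get("resource_access", {})
    return set(access.get(client_id, {}).get("roles", []))


def diagnose(token: str) -> dict:
    claims = decode_claims(token)
    roles = client_roles(claims)
    return {
        "username": claims.get("preferred_username"),
        "roles_in_token": sorted(roles),
        "user_roles_in_token": sorted(roles & USER_ROLES_FROM_POST),
        "user_roles_missing": sorted(USER_ROLES_FROM_POST - roles),
    }


def make_sample_token(claims: dict) -> str:
    # Builds a constructed, unsigned token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])


if __name__ == "__main__":
    bare = make_sample_token({"preferred_username": "service-account-realm-management",
                              "scope": "email profile"})
    print(diagnose(bare))
```

Roles defined on a client and roles assigned to that client's service account user are separate things in Keycloak, so a token can authenticate successfully and still carry none of the roles listed on the client.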