REST API with client credential grant returns 404/403

I am trying to use the REST API with a client credentials grant. Using these instructions, I changed the Access Type of the admin-cli client to Confidential, enabled service accounts, and created a client secret. I then used a very simple API wrapper that I’ve used many times before:

I am able to make a GET request to auth/realms/master, but everything else comes back as a 404. I also tried the MohammadWaleed client, but it came back with unknown_error. The logicpanel client returns with a 403.

I saw a Stack Overflow post saying that I needed to grant rights to my user, but this is the admin user on the master realm. What am I missing?

You are trying to use the Keycloak Admin REST API - so the endpoint to list clients in the master realm is /auth/admin/realms/master/clients (please note that you are using the admin API, so admin is also in the url). It looks like you are trying to reach /auth/realms/master/clients - which doesn’t exist, so error 404 - Not Found is correct.

If you use the correct endpoint and you are getting 403 - Forbidden - that means that the used client/user doesn’t have the correct permissions. You need to grant the correct permissions - example:

I’m still confused. I found the settings as shown by your response on Stack Overflow (under the Users section - not where I expected). However, there are no roles for the admin-cli client. How am I supposed to assign roles to my user for API access when no roles exist? Also, this is the admin user, so shouldn’t it already have access?

The different realm clients have roles available (such as `query-users` and `manage-authorization`), but realm clients don’t have the settings to generate client credential secrets for API access. So, that’s a dead end.

You are using the client credentials flow, where you are not using a real user. You have to configure permissions on the client level. Also I wouldn’t use the admin-cli client. The best practice is to have a dedicated client with minimal permissions.

I hate to seem like a total n00b, but since none of this seems to be documented, could you walk me through the process a little more (or point me to the documentation if I missed it)? I’m sure your response will be helpful to other people who come across this thread in the future.

To be specific, here is what I am wanting to do. I would like to have API access to one of my non-master realms with the goal of being able to manage users. I am interested in your suggestion of using a dedicated client. From what I understand, I should do the following:

  1. Create a new client under the desired realm - let’s call it “api” just to be simple.
  2. The new client should have “Standard Flow Enabled” turned off, “Access Type” set to “confidential,” and “Service Accounts Enabled” turned on.
  3. Under the new “Credentials” tab, the “Secret” field will be used for API calls.

From there, I am at a loss. Do I need to do things under the “Client Scopes,” “Scopes,” or “Roles” tabs? How do I assign roles to the client in order to grant the correct permissions? What URIs do I use when making API calls with the “api” client?

Client roles:
delete

I’m not saying that you need “manage-clients” - just try & test all other roles or inspect the source code - that’s the usual approach when it is not documented explicitly.


I think I got it working. I’m going to post a write-up in a little bit once I do a little more testing. Thanks, @jangaraj!

Okay - this is my understanding and what I used to get it to work:

  1. Create a new client under the master realm - let’s call it “api” just to be simple.
  2. The new client should have “Standard Flow Enabled” turned off, “Access Type” set to “confidential,” and “Service Accounts Enabled” turned on.
  3. Under the new “Credentials” tab, the “Secret” field will be used for API calls.
  4. Under the “Scope” tab:
    • Turn “Full Scope Allowed” off.
    • Under “Client Roles,” select the client name of the desired realm you want to access via the API.
    • Add the required roles from “Available Roles” to “Assigned Roles” in order to grant the permissions necessary for the API calls desired.
  5. Use the URI https://your-domain.com/auth/admin/realms/your-realm to access the API.

Unless I’m missing something else, that seems to be it! Hopefully, this helps someone else down the road.
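As an added illustration of both points in this thread (the admin API living under /admin/realms/<realm> rather than /realms/<realm>, and the write-up above about a confidential "api" client in the master realm with only the needed client roles assigned), here is a small Python script that obtains a token with the client credentials grant, inspects the token to confirm the service account actually received the expected roles before calling the API, and maps a 404 or 403 back to its likely cause. This is example code written for this answer, not code from the thread or from Keycloak. The host, client id, secret and realm are placeholders, and the name `your-realm-realm` for the client that carries the target realm's admin roles inside the master realm is an assumption about the default Keycloak layout; check it against your own Scope > Client Roles dropdown.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical values: replace with your own deployment's settings.
KEYCLOAK_BASE = "https://your-domain.com/auth"   # base path from the thread's step 5
CLIENT_ID = "api"                                 # confidential client created in the master realm
CLIENT_SECRET = "<client-secret-placeholder>"     # value from the client's Credentials tab
TARGET_REALM = "your-realm"                       # realm whose users you want to manage
# Assumption: in the master realm, each realm's admin roles live on a client named "<realm>-realm".
TARGET_REALM_CLIENT = f"{TARGET_REALM}-realm"
REQUIRED_ROLES = ["manage-users"]                 # least privilege for managing users


def token_url(base: str) -> str:
    """Token endpoint of the master realm, which is where the 'api' client was created."""
    return f"{base}/realms/master/protocol/openid-connect/token"


def admin_url(base: str, realm: str, path: str = "") -> str:
    """Admin REST API lives under /admin/realms/<realm>; the /realms/<realm> tree is the
    public OIDC surface, so admin resources requested there answer 404."""
    return f"{base}/admin/realms/{realm}/{path}".rstrip("/")


def client_credentials_body(client_id: str, secret: str) -> bytes:
    """Form body for the client-credentials grant; no user account is involved."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": secret,
    }).encode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the JWT payload (no signature check) just to see which roles were granted.
    With Full Scope Allowed off, only explicitly assigned roles appear here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_client_roles(claims: dict, client: str) -> list:
    """Roles granted for one client, read from the resource_access claim."""
    return claims.get("resource_access", {}).get(client, {}).get("roles", [])


def missing_roles(claims: dict, client: str, required: list) -> list:
    """Required roles absent from the token; a non-empty result explains a 403 up front."""
    granted = set(granted_client_roles(claims, client))
    return [r for r in required if r not in granted]


def explain_status(status: int) -> str:
    """Map the two errors seen in the thread to their likely cause."""
    if status == 404:
        return "404: wrong path, admin resources are under /admin/realms/<realm>, not /realms/<realm>"
    if status == 403:
        return "403: token accepted, but the service account lacks the required client roles"
    return f"{status}: unexpected response"


def build_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string used only for offline checks."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


# Constructed claims resembling a service-account token for the "api" client.
SAMPLE_CLAIMS = {
    "azp": "api",
    "preferred_username": "service-account-api",
    "resource_access": {"your-realm-realm": {"roles": ["manage-users", "view-users"]}},
}


def fetch_access_token() -> str:
    req = urllib.request.Request(token_url(KEYCLOAK_BASE),
                                 data=client_credentials_body(CLIENT_ID, CLIENT_SECRET),
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def list_users(token: str) -> list:
    req = urllib.request.Request(admin_url(KEYCLOAK_BASE, TARGET_REALM, "users"),
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        raise SystemExit(explain_status(err.code))


if __name__ == "__main__":
    token = fetch_access_token()
    lacking = missing_roles(decode_jwt_payload(token), TARGET_REALM_CLIENT, REQUIRED_ROLES)
    if lacking:
        raise SystemExit(f"service account is missing {lacking}; assign them under Scope > Client Roles")
    for user in list_users(token):
        print(user["id"], user.get("username"))
```

The role check on the decoded token is the quickest way to tell the two failure modes apart: if the roles you assigned under the Scope tab do not show up in `resource_access`, the 403 is a configuration problem on the client, not a bug in your API wrapper. Keep the required role list as short as the task allows, which is the "dedicated client with minimal permissions" advice from earlier in the thread.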