What could cause the user's account page to be forbidden?

My users can log in on the user’s account page with their username and password. Instead of their username they see “Anonymous” in the top right corner. All subpages are “Forbidden, You do not have access rights to this request”. The users have manage-account and view-profile roles for the account client.

The issue exists for all users in a particular realm A, both existing users and newly created ones. Users in the Master realm or realm B can access their user page fine. I compared realm A and B and could not find a difference.

What could cause the user page to be forbidden?

The following answer gave me the crucial hint:

Problem solved. I had an issue with export/import of realm configurations between environments, and the forbidden access was due to missing scopes on the account-console client.

In “Clients” in the “account-console” client I added “roles” to “Assigned Default Client Scopes”.

  • Clients
  • account-console
  • Client Scopes
  • Add “roles” to “Assigned Default Client Scopes”

In “Client Scopes” in the “roles” scope under “Mappers” I added a “client roles” mapper.

  • Client Scopes
  • Roles
  • Mappers
  • client roles
  • Mapper Type: User Client Role
  • Token Claim Name: resource_access.${client_id}.roles

With both of these changes I could access the user’s account page.
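
To catch this before importing a realm into another environment, the following added example (not part of the original post) checks a realm export for the two settings described above. It assumes the usual realm export JSON layout (`clients[].defaultClientScopes`, `clientScopes[].protocolMappers`) and that the "User Client Role" mapper type is exported as `oidc-usermodel-client-role-mapper`; the sample export and the function names are constructed for illustration.

```python
import copy

MAPPER_TYPE = "oidc-usermodel-client-role-mapper"   # "User Client Role" in the admin UI
CLAIM_NAME = "resource_access.${client_id}.roles"

# Constructed minimal export resembling the broken realm (not from the original post).
BROKEN_EXPORT = {
    "realm": "realm-a",
    "clients": [{"clientId": "account-console",
                 "defaultClientScopes": ["web-origins", "profile", "email"]}],
    "clientScopes": [{"name": "roles", "protocol": "openid-connect",
                      "protocolMappers": []}],
}

def check_account_console(realm, client_id="account-console"):
    """Return a list of findings; an empty list means both settings are present."""
    findings = []
    client = next((c for c in realm.get("clients", [])
                   if c.get("clientId") == client_id), None)
    if client is None:
        return [f"client '{client_id}' not found in export"]
    if "roles" not in client.get("defaultClientScopes", []):
        findings.append(f"'{client_id}' lacks 'roles' in Assigned Default Client Scopes")
    scope = next((s for s in realm.get("clientScopes", [])
                  if s.get("name") == "roles"), None)
    if scope is None:
        return findings + ["client scope 'roles' does not exist"]
    mappers = [m for m in scope.get("protocolMappers") or []
               if m.get("protocolMapper") == MAPPER_TYPE]
    if not mappers:
        findings.append("scope 'roles' has no User Client Role mapper")
    elif not any(m.get("config", {}).get("claim.name") == CLAIM_NAME for m in mappers):
        findings.append(f"no client role mapper writes to '{CLAIM_NAME}'")
    return findings

def with_fix_applied(realm):
    """Copy of the export with the two changes from the post applied, for comparison."""
    fixed = copy.deepcopy(realm)
    for c in fixed["clients"]:
        if c["clientId"] == "account-console" and "roles" not in c["defaultClientScopes"]:
            c["defaultClientScopes"].append("roles")
    for s in fixed["clientScopes"]:
        if s["name"] == "roles":
            s["protocolMappers"].append({"name": "client roles", "protocol": "openid-connect",
                                         "protocolMapper": MAPPER_TYPE,
                                         "config": {"claim.name": CLAIM_NAME}})
    return fixed

if __name__ == "__main__":
    for finding in check_account_console(BROKEN_EXPORT):
        print("FINDING:", finding)
    print("after fix:", check_account_console(with_fix_applied(BROKEN_EXPORT)) or "ok")
```

For a real export, load the file with `json.load` and pass the resulting dict to `check_account_console`.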