The following answer gave me the crucial hint:
Problem solved. I had an issue with export/import realm configurations between environments and the forbidden access was due to missing scopes with the account-console client.
In “Clients” in the “account-console” client I added “roles” to “Assigned Default Client Scopes”.
- Clients
  - account-console
    - Client Scopes
      - Add “roles” to “Assigned Default Client Scopes”
In “Client Scopes” in the “roles” scope under “Mappers” I added a “client roles” mapper.
- Client Scopes
  - Roles
    - Mappers
      - client roles
        - Mapper Type: User Client Role
        - Token Claim Name: resource_access.${client_id}.roles
With both of these changes I could access the user’s account page.
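
A way to catch this before a realm is imported into another environment, as an added example that is not part of the original post: the script checks a parsed realm export for both settings described above. It assumes the usual realm export JSON layout (`clients[].defaultClientScopes`, `clientScopes[].protocolMappers[]`, `config["claim.name"]`) and that the “User Client Role” mapper type is exported as `oidc-usermodel-client-role-mapper`; the function name `check_realm_export` and the sample data are constructed for illustration.

```python
import json
import sys

ROLE_MAPPER = "oidc-usermodel-client-role-mapper"  # assumed provider id of "User Client Role"
CLAIM = "resource_access.${client_id}.roles"       # Token Claim Name from the post


def check_realm_export(realm, client_id="account-console"):
    """Return findings for a parsed realm export; an empty list means both fixes are present."""
    findings = []
    client = next((c for c in realm.get("clients") or [] if c.get("clientId") == client_id), None)
    if client is None:
        findings.append(f"client '{client_id}' not found in export")
    elif "roles" not in (client.get("defaultClientScopes") or []):
        findings.append(f"{client_id}: 'roles' is not an assigned default client scope")
    scope = next((s for s in realm.get("clientScopes") or [] if s.get("name") == "roles"), None)
    if scope is None:
        findings.append("client scope 'roles' not found in export")
        return findings
    mappers = [m for m in scope.get("protocolMappers") or []
               if m.get("protocolMapper") == ROLE_MAPPER]
    if not mappers:
        findings.append("scope 'roles': no User Client Role mapper")
    elif not any((m.get("config") or {}).get("claim.name") == CLAIM for m in mappers):
        findings.append(f"scope 'roles': client role mapper does not emit {CLAIM}")
    return findings


# Constructed sample: the state after a lossy import (scope unassigned, mapper gone).
BROKEN = {
    "clients": [{"clientId": "account-console", "defaultClientScopes": ["web-origins", "profile"]}],
    "clientScopes": [{"name": "roles", "protocolMappers": []}],
}
# Constructed sample: the state after both changes described in the post.
FIXED = {
    "clients": [{"clientId": "account-console", "defaultClientScopes": ["web-origins", "roles"]}],
    "clientScopes": [{"name": "roles", "protocolMappers": [{
        "name": "client roles", "protocolMapper": ROLE_MAPPER,
        "config": {"claim.name": CLAIM, "multivalued": "true"}}]}],
}

if __name__ == "__main__":
    # Pass a realm export path to check a real file; otherwise run on the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_realm_export(json.load(fh)) or "ok")
    else:
        print(check_realm_export(BROKEN))
        print(check_realm_export(FIXED) or "ok")
```

Running it against the export from the source environment and again against the target after import shows which of the two settings was lost in transit.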