keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Can't use Confidential client for Admin REST API #20930

Closed unclefrost closed 1 year ago

unclefrost commented 1 year ago

Area

admin/api

Describe the bug

I want to use the Admin REST API to create, update and delete users and roles in my realm only, but I am getting a 403 error response when executing GET on the /users endpoint.

Version

21.1.1

Expected behavior

HTTP Endpoint Returns 200 response with a json payload in response body

Actual behavior

I am getting a 403 response with "error": "unknown_error" in the body.

How to Reproduce?

I have done the following setup using administration console UI: In my realm test-realm under "Clients" tab added a new client with Client Authentication ON and Service Account Roles checked. I've added all available Service Account Roles, including "realm-management view-users" and "realm-management manage-users".

I was able to get an access_token using the Client ID and Client Secret against the /realms/{realm}/protocol/openid-connect/token endpoint.

I set my Authorization header to Bearer access_token and sent a GET /test-realm/users request.

Anything else?

My client configuration, exported using the UI:

{
  "clientId": "confidential-client",
  "name": "",
  "description": "",
  "rootUrl": "https://localhost:8443",
  "adminUrl": "https://localhost:8443",
  "baseUrl": "https://localhost:8443",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "secret",
  "redirectUris": [
    "https://localhost:8443"
  ],
  "webOrigins": [
    "https://localhost:8443"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": false,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": true,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
   // ...default settings omitted for brevity
  },
  "authenticationFlowBindingOverrides": {
    "browser": "",
    "direct_grant": ""
  },
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "name": "Client Host",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientHost",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientHost",
        "jsonType.label": "String"
      }
    },
    {
      "name": "Client ID",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientId",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientId",
        "jsonType.label": "String"
      }
    },
    {
      "name": "Client IP Address",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientAddress",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientAddress",
        "jsonType.label": "String"
      }
    }
  ],
  "defaultClientScopes": [
    "web-origins",
    "acr",
    "profile",
    "roles",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  },
  "authorizationServicesEnabled": false
}
unclefrost commented 1 year ago

The Client Roles mapper was missing from the roles scope in my setup.
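The following is an added example, not code from the Keycloak project or from the thread. It walks the procedure described above (client_credentials token for a confidential client's service account, then a call to the Admin REST API) and adds the check that would have found the cause straight away: before calling the Admin API it decodes the access token and verifies that resource_access.realm-management.roles carries the role the endpoint needs. That claim is produced by the "client roles" mapper of the "roles" client scope, which is exactly what was missing here. The base URL, realm "test-realm", client "confidential-client", secret "secret" and the KC_* environment variable names are assumed placeholders, and the two sample tokens are constructed, unsigned JWTs that only model the claim shapes being checked.

```python
# Added example, not Keycloak project code and not from the issue thread.
# Assumed placeholders (not from the page): base URL, realm "test-realm",
# client "confidential-client", secret "secret", KC_* env var names; the two
# sample tokens are constructed, unsigned JWTs modelling the claims checked.
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Listing users needs the realm-management client role view-users
# (manage-users is a composite that already includes it).
REQUIRED_ROLES = {"view-users"}

def token_request(base_url, realm, client_id, client_secret):
    """URL and form body for a client_credentials grant: the confidential
    client's service account authenticates with id + secret, no user."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    return url, body

def admin_users_url(base_url, realm):
    """Admin REST lives under /admin/realms/{realm}/...; /realms/{realm}/
    only serves the OIDC protocol endpoints."""
    return f"{base_url.rstrip('/')}/admin/realms/{realm}/users"

def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT signature verification: acceptable for
    inspecting a token just received from the issuer over TLS, never for
    making an authorization decision."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def realm_management_roles(payload):
    """Client roles on realm-management as the 'client roles' mapper of the
    'roles' client scope emits them: resource_access.realm-management.roles."""
    return set(payload.get("resource_access", {})
               .get("realm-management", {}).get("roles", []))

def missing_roles(payload, required=REQUIRED_ROLES):
    """Required realm-management roles the token does not carry."""
    return set(required) - realm_management_roles(payload)

def _fake_jwt(payload):
    """Unsigned JWT (alg none, empty signature) for the offline samples."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(payload)}."

# Constructed: roles ARE assigned to the service account, but with the
# 'client roles' mapper missing the resource_access claim never reaches the
# token, so the Admin API answers 403 "unknown_error".
TOKEN_WITHOUT_MAPPER = _fake_jwt({
    "iss": "https://localhost:8443/realms/test-realm",
    "azp": "confidential-client", "scope": "email profile"})

# Constructed: the same client once the mapper is back on the 'roles' scope.
TOKEN_WITH_MAPPER = _fake_jwt({
    "iss": "https://localhost:8443/realms/test-realm",
    "azp": "confidential-client", "scope": "email profile",
    "resource_access": {"realm-management":
                        {"roles": ["view-users", "manage-users"]}}})

def explain(token):
    """Print a verdict and return the set of missing roles (empty = OK)."""
    gap = missing_roles(decode_jwt_payload(token))
    if gap:
        print(f"token lacks realm-management roles {sorted(gap)}: check the "
              "service account's role assignment AND that the 'client roles' "
              "mapper is on the 'roles' client scope")
    else:
        print("token carries the required realm-management roles")
    return gap

def main():
    """Live run: obtain a token, check its claims, then list the users."""
    base = os.environ.get("KC_BASE_URL", "https://localhost:8443")
    realm = os.environ.get("KC_REALM", "test-realm")
    url, body = token_request(base, realm,
                              os.environ.get("KC_CLIENT_ID", "confidential-client"),
                              os.environ.get("KC_CLIENT_SECRET", "secret"))
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        token = json.load(r)["access_token"]
    if explain(token):
        sys.exit(1)                      # do not even try the Admin API
    req = urllib.request.Request(admin_users_url(base, realm),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        print(json.load(r))

if __name__ == "__main__":
    explain(TOKEN_WITHOUT_MAPPER)
    explain(TOKEN_WITH_MAPPER)
    if "--live" in sys.argv:
        main()
```

Run without arguments it only evaluates the two constructed tokens; with --live it performs the real token request and the Admin API call. Two caveats a practitioner should keep in mind. First, the Admin REST endpoints are under /admin/realms/{realm}/..., so the request for the users of test-realm goes to /admin/realms/test-realm/users. Second, the report assigns every available service account role, which includes realm-admin and therefore full control over the realm; a client that only manages users and roles should get view-users and manage-users (plus manage-realm only if it must create realm roles), nothing more.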