[keycloak-user] How to configure my client for use ADMIN REST API [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/'

Daniel Fernández Rodríguez daniel.fernandez at cern.ch
Wed Nov 13 12:41:57 EST 2019


None of the answers here completely solved my problem, but they set me in the right direction.
I originally posted this comment here: https://stackoverflow.com/a/58842476/333348 (check it out for a more complete answer, with images).

This is what you need to do (I have it working on Keycloak v7.0.0):

- Add a new **confidential** client to the realm *master*
- For that client, enable the option `Service Accounts Enabled`
- Add a new "Hardcoded claim" to that client
  - Name: Whatever name you want
  - Token Claim Name: **azp**
  - Claim value: **admin-cli**

- Finally, go to the "Service Account Roles" tab and assign the role 'admin' (or the one you want) to the client's service account.

On 09/05/2019 02:11, Gary Kennedy wrote:

> Addendum:
>
> The "resource_access" token claim can be set with the builtin "client roles" mapper by assigning the needed roles to the service or user accounts AND having in the issuing client registration's scope mappings EITHER "Full Scope Allowed" turned on OR the assigned roles matching the needed roles.
>
>> On 7 May 2019, at 2:02 pm, Gary Kennedy <gary at apnic.net> wrote:
>>
>> I'm pretty sure this is similar to the problem I'm having, and I'm also pretty sure that you need to either:
>>
>> - add the assigned roles needed for the admin API call (eg, as Sebastien wrote) to the service or user account;
>>   AND ensure the token is issued for the admin clients (either "admin-cli" or "security-admin-console" by default)
>>   (ie, the "azp" claim is either "admin-cli" or "security-admin-console")
>>
>> OR
>>
>> - if the token is NOT issued for the admin clients, the token needs a "resource_access" claim which is a map containing the "realm-management" key with a map value having a "roles" key which is an array of role name strings. eg:
>>     "resource_access": {
>>         "realm-management": {
>>             "roles": [ "manage-users" ]
>>         }
>>     }
>>
>> Cheers,
>> Gary
>>
>>> On 7 May 2019, at 2:54 am, Sebastien Blanc <sblanc at redhat.com> wrote:
>>>
>>> Give your user the "manage-users" role. You can do that from the Role
>>> Mappings tab in the user screen: select "Client Roles" =>
>>> "realm-management", and there you should see the role "manage-users";
>>> assign it.
>>>
>>>
>>>
>>> On Mon, May 6, 2019 at 5:45 PM Christophe Lehingue <clehingue at gmail.com>
>>> wrote:
>>>
>>>> Hello, how do I configure a client so that the user can use the user-removal
>>>> API?
>>>>
>>>> [DELETE]:
>>>> https://keycloaksrv.fr/auth/admin/realms/myclient/users/fdskgjdkdjkgjf-sdssdsqdqsdqsdsq
>>>>
>>>> Whenever I try to call this REST request, I get the following error
>>>> message: "resulted in a 401/403 Unauthorized"
>>>>
>>>> Can you help me?
>>>>
>>>> Thank you
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
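As an added example that is not part of this thread or of Keycloak's own code: a small Python helper that decodes the payload of an access token you already hold and applies the two acceptance conditions Gary describes (either `azp` is one of the admin clients, or `resource_access.realm-management.roles` contains the role the call needs). It is a quick way to see why a call comes back 401/403 before touching the client configuration. The sample tokens are constructed and unsigned, and the names `ADMIN_CLIENTS`, `decode_jwt_payload`, `admin_api_authorization` and `make_unsigned_token` are introduced here; the helper restates the conditions as written in the thread, not Keycloak's actual authorization code.

```python
import base64
import json

# Admin clients whose tokens the admin REST API accepts directly (as stated in the thread).
ADMIN_CLIENTS = {"admin-cli", "security-admin-console"}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Meant only for inspecting a token you obtained yourself while debugging a
    401/403; the Keycloak server, not this helper, is the verifier.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def admin_api_authorization(claims: dict, needed_role: str):
    """Apply the two acceptance paths from the thread; returns (accepted, reason)."""
    azp = claims.get("azp")
    if azp in ADMIN_CLIENTS:
        return True, f"token issued for admin client {azp!r}"
    roles = (claims.get("resource_access", {})
                   .get("realm-management", {})
                   .get("roles", []))
    if needed_role in roles:
        return True, f"resource_access.realm-management.roles contains {needed_role!r}"
    return False, (f"azp={azp!r} is not an admin client and realm-management "
                   f"roles {roles} do not include {needed_role!r}")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT purely as sample input for this example."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: a service-account token from a non-admin client with no realm-management roles,
    # which is the shape behind Christophe's 403 on DELETE .../users/{id}.
    sample = make_unsigned_token({"azp": "myclient", "preferred_username": "service-account-myclient",
                                  "resource_access": {"account": {"roles": ["view-profile"]}}})
    print(admin_api_authorization(decode_jwt_payload(sample), "manage-users"))
```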
