None of the answers here completely solved my problem but they set me in
the right direction.
I originally posted this comment here:
check it out for a more
complete answer (with imgs)
This is what you need to do (I have it working on keycloak v7.0.0):
- Add a new **confidential** client to the realm *master*
- For that client, enable the option `Service Accounts Enabled`
- Add a new "Hardcoded claim" to that client
  - Name: Whatever name you want
  - Token Claim Name: **azp**
  - Claim value: **admin-cli**
- Finally go to the "Service Account Roles" tab and assign the role
'admin' (or the one you want) to the client's service account.
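Added example (not code from any poster in this thread): after following the steps above and obtaining a token with the client_credentials grant, it helps to look at what the token actually carries before calling the admin REST API. The script below decodes the payload of a JWT offline (no signature check, so it is only a diagnostic for a token you just received from your own Keycloak) and reports which of the two conditions discussed further down in the thread it satisfies: either `azp` is one of Keycloak's default admin clients (`admin-cli` or `security-admin-console`), or the token carries the needed role under `resource_access.realm-management.roles`. The sample tokens are constructed and unsigned; the function names are my own.

```python
import base64
import json
from typing import Optional

# Keycloak's default admin clients, as named in this thread.
ADMIN_CLIENTS = {"admin-cli", "security-admin-console"}


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is NOT verified. This is a diagnostic for a token you just
    obtained from your own Keycloak, not a substitute for the server's check.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def admin_api_prerequisite(claims: dict, needed_role: str) -> Optional[str]:
    """Report which condition from the thread the token satisfies, if any.

    "admin-client":    azp is an admin client. Keycloak then evaluates the
                       realm-management roles assigned to the account on the
                       server side; they are not necessarily visible here.
    "resource_access": the token itself lists needed_role under
                       resource_access.realm-management.roles.
    None:              neither; expect 401/403 from the admin REST API.
    """
    if claims.get("azp") in ADMIN_CLIENTS:
        return "admin-client"
    roles = (claims.get("resource_access", {})
                   .get("realm-management", {})
                   .get("roles", []))
    if needed_role in roles:
        return "resource_access"
    return None


def _unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg=none) for the demo only."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    # Empty third segment: no signature. Keycloak would never issue this.
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed samples: one per outcome.
SAMPLE_ADMIN_CLI = _unsigned_token(
    {"azp": "admin-cli", "preferred_username": "service-account-myclient"})
SAMPLE_RESOURCE_ACCESS = _unsigned_token(
    {"azp": "my-app",
     "resource_access": {"realm-management": {"roles": ["manage-users"]}}})
SAMPLE_NEITHER = _unsigned_token({"azp": "my-app"})


def diagnose(jwt: str, needed_role: str = "manage-users") -> Optional[str]:
    """Decode a token and classify it; None means the admin call will be rejected."""
    return admin_api_prerequisite(decode_claims(jwt), needed_role)


if __name__ == "__main__":
    for name, tok in [("admin-cli", SAMPLE_ADMIN_CLI),
                      ("resource_access", SAMPLE_RESOURCE_ACCESS),
                      ("neither", SAMPLE_NEITHER)]:
        print(f"{name:16s} -> {diagnose(tok)}")
```

Run it against a real token by passing the access_token string you got from the token endpoint to `diagnose()`; if it returns `None`, the 401/403 is expected and the fix is one of the two configurations described in the thread, not a retry.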
On 09/05/2019 02:11, Gary Kennedy wrote:
Addendum:
The "resource_access" token claim can be set with the builtin "client
roles" mapper by assigning the needed roles to the service or user accounts AND
having in the issuing client registration's scope mappings EITHER "Full Scope
Allowed" turned on OR the assigned roles matching the needed roles.
> On 7 May 2019, at 2:02 pm, Gary Kennedy <gary(a)apnic.net> wrote:
>
> I'm pretty sure this is similar to the problem I'm having, and I'm also
> pretty sure that you need to either:
>
> - add the assigned roles needed for the admin API call (eg, as Sebastien wrote) to
> the service or user account;
> AND ensure the token is issued for the admin clients (either "admin-cli"
> or "security-admin-console" by default)
> (ie, the "azp" claim is either "admin-cli" or
> "security-admin-console")
>
> OR
>
> - if the token is NOT issued for the admin clients, the token needs a
> "resource_access" claim which is a map containing the
> "realm-management" key with a map value having a "roles" key which is
> an array of role name strings. eg:
> "resource_access": {
>   "realm-management": {
>     "roles": [ "manage-users" ]
>   }
> }
>
> Cheers,
> Gary
>
>> On 7 May 2019, at 2:54 am, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>
>> Give your user the "manage-users" role, you can do that from the role
>> Mappings tab in the user screen and select in "client roles" =>
>> "realm-management" and there you should see the role
>> "manage-users" and
>> assign it.
>>
>>
>>
>> On Mon, May 6, 2019 at 5:45 PM Christophe Lehingue <clehingue(a)gmail.com>
>> wrote:
>>
>>> Hello, how to configure a client so that the user can use the user removal
>>> API?
>>>
>>> [DELETE]:
>>>
>>> https://keycloaksrv.fr/auth/admin/realms/myclient/users/fdskgjdkdjkgjf-sd...
>>>
>>> Whenever I try to call this request REST => I get the following error
>>> message: "resulted in a 401/403 Unauthorized"
>>>
>>> Can you help me ?
>>>
>>> Thank you
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>