[keycloak-user] Access Forbidden

Aaron Echols aechols at bfcsaz.com
Thu Apr 4 19:19:15 EDT 2019


Ok, so further testing shows:

Assigning the `manage-users` role doesn't work; assigning the `manage-realm` role
does allow them to log in to the Security Console, and applying the `manage-users`
role then lets them reset passwords. This isn't a good solution though, since
they get access to settings that they shouldn't be able to access.

Seems like the role got broken during the upgrade possibly. Is there a way
to reset or reinstall a role?
--
*Aaron Echols*

On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols <aechols at bfcsaz.com> wrote:

> Hello All,
>
> I was running 4.1.0.Final and decided to upgrade this week to 4.8.3.Final.
> I'm running into an issue where we set a group up with the `manage-users`
> Role Mapping. In 4.1.0.Final, the members of said group were able to login
> and reset passwords for users successfully in the realm they are in.
>
> Now when they attempt to access the Security Admin Console under
> Applications in their profile, they get the following message on the user
> side:
>
> Forbidden
> You don't have access to the requested resource.
>
> All I see in the Events log:
>
> LOGIN
> Client: security-admin-console
> User: <identifier>
> IP Address: <local-ip>
> Details:
> auth_method: openid-connect
> auth_type: code
> response_type: code
> redirect_uri: /auth/admin/realm/console/
> consent: no_consent_required
> code_id: <code-id>
> response_mode: fragment
> username: <username>
>
> CODE_TO_TOKEN
> Client: security-admin-console
> User: <identifier>
> Details:
> token_id: <token-id>
> grant_type: authorization_code
> refresh_token_type: refresh
> scope: openid
> refresh_token_id: <refresh-token-id>
> code_id: <code-id>
> client_auth_method: client-secret
>
> I've verified that they have the proper roles assigned. Why isn't this
> working now, and does anyone have any help to troubleshoot this?
>
> Thanks in advance for any help or recommendations. :)
> --
> *Aaron Echols*
>
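As an added example (not part of Aaron's messages or Keycloak's own code), the following Python script audits a user's effective `realm-management` client roles: it flags a missing `manage-users` and any broad roles such as `manage-realm` that the workaround above would hand out. It assumes the Keycloak admin REST endpoint `/admin/realms/{realm}/users/{id}/role-mappings/clients/{client_uuid}/composite` (with the 4.x `/auth` prefix in the base URL), an admin bearer token obtained separately, and the internal id of the `realm-management` client; the sample role lists are constructed.

```python
"""Audit effective realm-management roles for a helpdesk account (added example)."""
import json
import urllib.request

# Minimum the thread says was enough in 4.1.0.Final for password resets.
REQUIRED = {"manage-users"}
# Roles that grant far more than password resets; `manage-realm` is the
# workaround from the thread, the others are realm-management roles of the same weight.
OVERBROAD = {
    "manage-realm", "realm-admin", "manage-clients", "manage-identity-providers",
    "manage-authorization", "manage-events",
}


def audit(effective_roles):
    """Return (missing, overbroad) role-name lists for a list of RoleRepresentation dicts."""
    names = {r["name"] for r in effective_roles}
    return sorted(REQUIRED - names), sorted(OVERBROAD & names)


def fetch_effective_roles(base_url, realm, user_id, client_uuid, token):
    """GET the composite-expanded client role mappings for a user (assumed endpoint)."""
    url = (f"{base_url}/admin/realms/{realm}/users/{user_id}"
           f"/role-mappings/clients/{client_uuid}/composite")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed samples mirroring the shape of Keycloak's RoleRepresentation list.
SAMPLE_WORKAROUND = [
    {"name": "manage-realm", "clientRole": True, "composite": False},
    {"name": "manage-users", "clientRole": True, "composite": False},
]
SAMPLE_LEAST_PRIVILEGE = [
    {"name": "manage-users", "clientRole": True, "composite": False},
]

if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in fetch_effective_roles(...)
    # against a live server to audit real accounts.
    for label, roles in (("workaround", SAMPLE_WORKAROUND),
                         ("least-privilege", SAMPLE_LEAST_PRIVILEGE)):
        missing, broad = audit(roles)
        print(f"{label}: missing={missing} overbroad={broad}")
```

Run it against the live server after `fetch_effective_roles` to confirm whether the group really carries `manage-users` after the upgrade, and to spot any account still holding `manage-realm`.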

