[keycloak-user] How to configure my client for use ADMIN REST API [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/'

Gary Kennedy gary at apnic.net
Wed May 8 20:11:27 EDT 2019


Addendum:

The "resource_access" token claim can be set with the builtin "client roles" mapper by assigning the needed roles to the service or user accounts AND having in the issuing client registration's scope mappings EITHER "Full Scope Allowed" turned on OR the assigned roles matching the needed roles.

> On 7 May 2019, at 2:02 pm, Gary Kennedy <gary at apnic.net> wrote:
> 
> I'm pretty sure this is similar to the problem I'm having, and I'm also pretty sure that you need to either:
> 
> - add the assigned roles needed for the admin API call (eg, as Sebastien wrote) to the service or user account;
>  AND ensure the token is issued for the admin clients (either "admin-cli" or "security-admin-console" by default)
>  (ie, the "azp" claim is either "admin-cli" or "security-admin-console")
> 
> OR
> 
> - if the token is NOT issued for the admin clients, the token needs a "resource_access" claim which is a map containing the "realm-management" key with a map value having a "roles" key which is an array of role name strings. eg:
>    "resource_access": {
>        "realm-management": {
>            "roles": [ "manage-users" ]
>        }
>    }
> 
> Cheers,
> Gary
> 
>> On 7 May 2019, at 2:54 am, Sebastien Blanc <sblanc at redhat.com> wrote:
>> 
>> Give your user the "manage-users" role, you can do that from the Role
>> Mappings tab in the user screen and select in "client roles" =>
>> "realm-management" and there you should see the role "manage-users" and
>> assign it.
>> 
>> 
>> 
>> On Mon, May 6, 2019 at 5:45 PM Christophe Lehingue <clehingue at gmail.com>
>> wrote:
>> 
>>> Hello, how do I configure a client so that the user can use the user removal
>>> API?
>>> 
>>> [DELETE]:
>>> https://keycloaksrv.fr/auth/admin/realms/myclient/users/fdskgjdkdjkgjf-sdssdsqdqsdqsdsq
>>> 
>>> Whenever I try to call this REST request, I get the following error
>>> message: "resulted in a 401/403 Unauthorized"
>>> 
>>> Can you help me?
>>> 
>>> Thank you
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> 

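Added example, not part of the original thread and not Keycloak's own code: a diagnostic that decodes an access token's claims and classifies it against the two cases described in the messages above ("azp" naming an admin client, or a "resource_access" claim carrying a "realm-management" role). The client id `my-app`, the sample claims and the function names are constructed for illustration; the signature is deliberately not verified, so this is for troubleshooting a 401/403 only, never for making an authorization decision.

```python
import base64
import json

# Default admin clients as named in the thread.
ADMIN_CLIENTS = {"admin-cli", "security-admin-console"}


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(claims: dict, needed_role: str = "manage-users") -> str:
    """Classify a token against the two cases described in the thread."""
    azp = claims.get("azp")
    access = claims.get("resource_access")
    roles = []
    if isinstance(access, dict):
        rm = access.get("realm-management")
        if isinstance(rm, dict) and isinstance(rm.get("roles"), list):
            roles = rm["roles"]
    if needed_role in roles:
        return "ok: resource_access carries realm-management/" + needed_role
    if isinstance(azp, str) and azp in ADMIN_CLIENTS:
        # The token alone cannot show roles assigned to the account.
        return "check-account-roles: issued for admin client " + azp
    return "missing: no realm-management/%s in resource_access (azp=%s)" % (needed_role, azp)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    sample = make_unsigned_token({  # constructed sample claims
        "azp": "my-app",  # hypothetical client id
        "resource_access": {"realm-management": {"roles": ["view-users"]}},
    })
    print(diagnose(decode_claims(sample)))
```

A "missing" result points at the client's scope mappings ("Full Scope Allowed" or matching assigned roles) and the account's role mappings, as described in the addendum.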