I need to authorize my application (named "Logic" from now on) to manage users of a Keycloak realm. "Logic" already authenticates itself against that realm with a client credentials grant access type, so the code is already working.
Now, in the Keycloak administration console, I need to add the correct role to my client so that "Logic" is authorized to call whatever API endpoint Keycloak provides to manage the realm users.
In the realm clients list there is a client named realm-management
, which Keycloak provides by default for each realm. This client can manage the whole realm, not just its users, and it has a list of client roles for that reason. manage-users
is one of the roles in that list and it is the role I need to assign to my other client (that I named logic
in Keycloak). In other words, my "Logic" application uses the keycloak client-id logic
to authenticate itself and I need to add the manage-users
role to the logic
client.
The problem is that in my client (logic
) roles settings, those same roles, listed under realm-management
client, are not listed at all, and the list only has uma_protection
role:
If I searched for "manage-users" by typing it in the search box, it wouldn't show up. Meanwhile, if I click that role in the roles list of the realm-management
client, it shows that no users have that role and it lets me add the role to users, but not to clients, even if that role is actually listed in a client (realm-management
).
Creating a new role in my logic
client, by the same name of manage-users
, is possible, but I'm not sure that's the way to go. I mean, why should I duplicate an existing role? It smells of wrong.
Can you please tell me the correct way to add the manage-users
role to a client in Keycloak 23?
I finally got an answer from a member of the official Keycloak support community, and I report that here just in case others were to find my question here.
dasniko wrote:
The roles can be found by selecting the filter for "Filter by clients" instead of "Filter by realm roles"