403 Forbidden Error in Keycloak API (view-users)

Question

I'm having issues trying to access auth/admin/realms/{realm-name}/users API. I've already tried everything from other questions and answers, but nothing seems to work. Steps that I did:

1. The user already has a role that has realm-management and view-users on it.

2. I've already assigned this same role to my client in the scopes section.

3. I can't have Service Accounts Enabled in my client because I need to have Access Type as confidential, and that won't allow my user to access Login page from Application.

4. I've also already tried to give 'view-users' role to my user and to my client individually as a Client role, it also didn't work.

My code in C#:

var authState = await AuthenticationProvider.GetAuthenticationStateAsync();
var user = authState.user;
var tokenResult = await TokenProvider.RequestAccessToken();

_accessToken = _tokenResult.Value;

_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", _accessToken);
var request = new HttpRequestMessage(HttpMethod.Get, $"{url}/auth/admin/realms/{realm name}/users");
request.Headers.Add("Accept", "application/json");

var response = await _client.SendAsync(request);

// Rest of code that gets response and deserializes to array of users.

I honestly don't know what to do. Any help would be very appreciated. Thanks so much!

Answer 1

Since Keycloak's Rest API endpoints changes very often (e.g. BasePath, Signature etc.), I found very useful:

1. login to keycloak's admin panel (UI) and see from developer tools the endpoint for fetching the users (on Users menu item in Manage group parent). In particular, {$HOST}/admin/realms/{$REALM_NAME}/users is the endpoint in version 17.0.1.
2. I also assigned the client role view-users from realm-management to one of my realm users as it is displayed below (UI of version 17.0.1)
3. I was able to fetch the users by just adding user's access token to the request.