 

Keycloak java client 403 when retrieving role detail

Tags:

keycloak

I'm working with Keycloak 8.0.1 and its Java client, the keycloak-admin-client library.

This is my Keycloak config:

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.representations.idm.CredentialRepresentation;

// Builds an admin client that authenticates as the client's own service account
// (client_credentials grant), so the token carries that service account's roles.
public Keycloak keycloakClient(AdapterConfig config) {
    return KeycloakBuilder.builder()
            .clientId(config.getResource())
            .clientSecret((String) config.getCredentials().get(CredentialRepresentation.SECRET))
            .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
            .realm(config.getRealm())
            .serverUrl(config.getAuthServerUrl())
            .build();
}

And with this code I'd like to create a user and assign a role to him:

final UserRepresentation user = createUserRepresentation(data);
final UsersResource userResource = getRealmResource().users();
try (Response response = userResource.create(user)) {
    if (response.getStatusInfo().getFamily().equals(Response.Status.Family.SUCCESSFUL)) {
        // The new user's id is the last path segment of the Location header.
        final String userId = response.getLocation().getPath().replaceAll(".*/([^/]+)$", "$1");
        final RolesResource rolesResource = getRealmResource().roles();
        final RoleResource roleResource = rolesResource.get(data.getRole().getRemoteName());
        // Reads the realm role (GET /admin/realms/{realm}/roles/{role-name}).
        final RoleRepresentation role = roleResource.toRepresentation();
        userResource.get(userId).roles().realmLevel().add(Collections.singletonList(role));
        return userId;
    } else {
        throw new IllegalStateException("Unable to create user " + response.getStatusInfo().getReasonPhrase());
    }
}

However, it fails on the line final RoleRepresentation role = roleResource.toRepresentation(); with the message javax.ws.rs.ForbiddenException: HTTP 403 Forbidden.

I don't understand why I am getting this error, because my client has been assigned all roles from the realm-management client:

create-client
impersonation
manage-authorization
manage-clients
manage-events
manage-identity-providers
manage-realm
manage-users
query-clients
query-groups
query-realms
query-users
realm-admin
view-authorization
view-clients
view-events
view-identity-providers
view-realm
view-users

Is there some config I am missing, or is it a bug?

Thanks

bilak asked Oct 16 '25 14:10



1 Answer

I just had the same problem here while trying to assign roles to an existing user using a service client (client credentials).

The solution: Go to Clients > Select "your" client > Go to "Service Account Roles" Tab > Select Client Roles : "realm-management" and add "view-realm" into the assigned roles.

That's it :)

Selim Ok answered Oct 19 '25 13:10

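The console steps in the answer, done programmatically with the same keycloak-admin-client library, plus the check a practitioner wants afterwards. This is an added example, not code from the question or the answer. A 403 from an admin REST endpoint means the presented access token lacks the realm-management client role that endpoint requires; the "Service Account Roles" tab edits the role mappings of the user service-account-<clientId>, which is exactly what the code below does before fetching a fresh token and inspecting its resource_access claim. Assumptions: realm myrealm, a confidential client my-service that uses client_credentials, a realm admin reachable through the built-in admin-cli client with a password grant, and a Keycloak 8 base URL with the /auth prefix; all URLs, names and secrets are placeholders.

```java
import java.util.Collections;
import java.util.Set;

import org.keycloak.OAuth2Constants;
import org.keycloak.TokenVerifier;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleScopeResource;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class GrantServiceAccountRole {

    // Assumed values for this example; adjust to your deployment.
    static final String SERVER_URL = "http://localhost:8080/auth";
    static final String REALM = "myrealm";
    static final String SERVICE_CLIENT_ID = "my-service";      // client using client_credentials
    static final String SERVICE_CLIENT_SECRET = "change-me";   // placeholder
    static final String ADMIN_USER = "admin";                  // placeholder realm admin
    static final String ADMIN_PASSWORD = "change-me";          // placeholder
    static final String REQUIRED_ROLE = "view-realm";

    public static void main(String[] args) throws VerificationException {
        // 1. Bootstrap with a principal that already holds realm-management rights.
        Keycloak admin = KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm(REALM)
                .clientId("admin-cli")
                .grantType(OAuth2Constants.PASSWORD)
                .username(ADMIN_USER)
                .password(ADMIN_PASSWORD)
                .build();
        try {
            RealmResource realm = admin.realm(REALM);

            // realm-management is the built-in client that owns the admin roles.
            ClientRepresentation mgmt = realm.clients().findByClientId("realm-management").get(0);
            RoleRepresentation viewRealm = realm.clients().get(mgmt.getId())
                    .roles().get(REQUIRED_ROLE).toRepresentation();

            // The service account is an ordinary user named service-account-<clientId>;
            // the "Service Account Roles" tab edits this user's role mappings.
            ClientRepresentation svc = realm.clients().findByClientId(SERVICE_CLIENT_ID).get(0);
            UserRepresentation saUser = realm.clients().get(svc.getId()).getServiceAccountUser();

            // Client-level mappings of the service-account user for realm-management.
            RoleScopeResource mgmtRoles = realm.users().get(saUser.getId())
                    .roles().clientLevel(mgmt.getId());
            boolean alreadyMapped = mgmtRoles.listEffective().stream()
                    .anyMatch(r -> REQUIRED_ROLE.equals(r.getName()));
            if (!alreadyMapped) {
                mgmtRoles.add(Collections.singletonList(viewRealm));
            }
        } finally {
            admin.close();
        }

        // 2. Verify: a token issued to the service client after the change must carry the role.
        Keycloak svcClient = KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm(REALM)
                .clientId(SERVICE_CLIENT_ID)
                .clientSecret(SERVICE_CLIENT_SECRET)
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .build();
        try {
            String jwt = svcClient.tokenManager().getAccessTokenString();
            // Parse the JWT without signature verification; we only inspect our own claims here.
            AccessToken token = TokenVerifier.create(jwt, AccessToken.class).getToken();
            AccessToken.Access access = token.getResourceAccess("realm-management");
            Set<String> roles = access == null ? Collections.<String>emptySet() : access.getRoles();
            if (!roles.contains(REQUIRED_ROLE)) {
                throw new IllegalStateException(
                        "token still lacks realm-management/" + REQUIRED_ROLE + ": " + roles);
            }
            System.out.println("realm-management roles in token: " + roles);
        } finally {
            svcClient.close();
        }
    }
}
```

If the role was mapped but the token in step 2 still lacks it, the admin client had cached an older token; the mapping only appears in tokens issued after the change, so re-run the service side (or wait for the cached token to expire) before concluding the mapping did not take. Composite roles behave the same way: granting realm-admin alone is enough, because it contains view-realm, but only if it is granted to the service-account user rather than merely listed on the client.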