Admin service account in master realm not able to access other realms


Fabio Marcolini

Sep 3, 2020, 4:27:08 AM
to Keycloak User
Hi,

We have an application with multitenancy, each tenant segregated in its realm.
Currently we programmatically create a new realm using the admin user from the master admin-cli client, and we also use the same user to do some management stuff programmatically for all realms.

We'd like to do the same but with an admin service account instead of the admin user.
What we've done is:
1. create a new service account in master realm
2. in the service account role tabs we add the admin role
3. We then access using the client credentials and try to get another realm representation

What happens is that we get a 401 Unauthorized.

Note 1:
Using the admin-cli admin user in the same way does work.
Note 2:
We're running keycloak v9.0.3

Can service account access realms different from the one they have been created in?
Is there some configuration we're missing?


Fabio Marcolini

Sep 3, 2020, 4:34:47 AM
to Keycloak User
Some visuals about the point written:
1: point1.png
2: point2.png 
3: point3.png 
Note 1: admin.png

Tony Harris

Sep 3, 2020, 5:15:22 AM
to Fabio Marcolini, Keycloak User
This may be applicable to 9.0.3 but we did this in 7.

Unless the service account in the client in the master realm is assigned the "admin" role it had problems, but assigning that role produced a token so big, given the number of realms we had, that we quickly hit limits on the HTTP header sizes in AWS. When you create a new realm KC creates a client for that realm in the master realm; those clients have client roles that allow admin access to those realms, and you can assign those client-level roles to your service account in the master realm to manage those realms.

Tony

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/04b718ca-0a4f-476f-bdee-37aa12667a1dn%40googlegroups.com.

Fabio Marcolini

Sep 3, 2020, 6:00:10 AM
to Keycloak User
It doesn't seem to be an issue with the JWT length.

We checked the JWT and, using the admin role, the JWT is pretty big: 7000 chars.
So we tried to remove that role and assign just the fb-test-tenant-realm -> view-realm role. The JWT was 1200 chars but we still get the 401.
I tried also to remove the view-realm role, and in that case I get the expected 403.

We created a service account directly in the fb-test-tenant realm, gave it the realm-management -> view-realm role, and for that service account we don't have issues.
Its JWT is 1400 chars, so it seems it's not an issue with the header length.

So it works for a service account in the same realm but it doesn't work for a service account in the master realm.
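The two things debated above, which master-realm roles a service-account token actually carries (Tony's `<realm>-realm` client roles versus the global `admin` role) and how large the token gets, can be checked directly from the access token before blaming the admin API. The following script is an added example written for this thread; it is not code from either poster or from Keycloak itself. It assumes the claim layout Keycloak puts in access tokens (`realm_access.roles` and `resource_access.<client>.roles`) and the master-realm naming convention both posts show, where the client `fb-test-tenant-realm` carries the admin roles for the realm `fb-test-tenant`. The header budget constant, the hostname and the client ids are constructed placeholders, and the sample tokens are built unsigned for the demonstration; the decoder inspects claims and does not verify signatures, so it is a diagnostic, not an authorization check.

```python
import base64
import json

# Master-realm realm role that administers every realm (the large-token option).
GLOBAL_ADMIN_ROLE = "admin"
# Keycloak names the per-realm admin client in the master realm "<realm>-realm".
REALM_CLIENT_SUFFIX = "-realm"
# Assumed header budget for the size warning; use the limit of your own proxy/load balancer.
HEADER_BUDGET_BYTES = 8192


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def realm_admin_scopes(claims: dict) -> dict:
    """Map each realm the token may administer to the admin roles it holds there.

    The global 'admin' realm role is reported under the key '*'. Per-realm grants
    come from resource_access entries of the master realm's '<realm>-realm' clients.
    """
    scopes = {}
    realm_roles = claims.get("realm_access", {}).get("roles", [])
    if GLOBAL_ADMIN_ROLE in realm_roles:
        scopes["*"] = [GLOBAL_ADMIN_ROLE]
    for client_id, access in claims.get("resource_access", {}).items():
        if client_id.endswith(REALM_CLIENT_SUFFIX):
            realm = client_id[: -len(REALM_CLIENT_SUFFIX)]
            scopes[realm] = sorted(access.get("roles", []))
    return scopes


def can_view_realm(claims: dict, realm: str) -> bool:
    """True if the token carries a role that should allow GET /admin/realms/{realm}."""
    scopes = realm_admin_scopes(claims)
    if "*" in scopes:
        return True
    roles = scopes.get(realm, [])
    return "view-realm" in roles or "manage-realm" in roles


def token_report(token: str) -> dict:
    """Summarise issuer, client, service-account status, size and admin scopes of a token."""
    claims = decode_payload(token)
    size = len(token.encode())
    return {
        "issuer": claims.get("iss"),
        "client": claims.get("azp"),
        "service_account": str(claims.get("preferred_username", "")).startswith("service-account-"),
        "size_bytes": size,
        "over_budget": size > HEADER_BUDGET_BYTES,
        "scopes": realm_admin_scopes(claims),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token for demonstration; real tokens are signed by Keycloak."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: master-realm service account scoped to one tenant realm via client roles.
SCOPED_CLAIMS = {
    "iss": "https://keycloak.example.com/auth/realms/master",
    "azp": "tenant-admin-sa",
    "preferred_username": "service-account-tenant-admin-sa",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "fb-test-tenant-realm": {"roles": ["view-realm"]},
        "account": {"roles": ["view-profile"]},
    },
}

# Constructed sample: the same service account holding the global master 'admin' role.
ADMIN_CLAIMS = {
    "iss": "https://keycloak.example.com/auth/realms/master",
    "azp": "tenant-admin-sa",
    "preferred_username": "service-account-tenant-admin-sa",
    "realm_access": {"roles": ["admin", "offline_access", "uma_authorization"]},
    "resource_access": {"account": {"roles": ["view-profile"]}},
}

if __name__ == "__main__":
    for name, claims in (("scoped", SCOPED_CLAIMS), ("admin", ADMIN_CLAIMS)):
        print(name, json.dumps(token_report(make_unsigned_token(claims)), indent=2))
```

Run it against a real token by replacing the constructed samples with the `access_token` string returned from the client-credentials grant; if `scopes` lacks both `*` and the target realm, the 401/403 is a role-mapping problem in the master realm, and if `over_budget` is true the global `admin` route is the one that will trip header limits, which is the reason to prefer the per-realm client roles.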